NAT on same interface

Unanswered Question
Sep 19th, 2007
User Badges:

My ( IPSEC client-VPN) ASA is connected to the DMZ of an ISA cluster. The users get an IE proxy setting via domain login which refers to the local lan interface (NLB) of the ISA's. The DMZ interface is also listening for proxy requests. I want to NAT the local LAN proxy to the DMZ proxy ( preferable PAT). A siple static (port) nat doesnt'work. Any ideas ?

Any ideas how to ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
claforest Wed, 09/19/2007 - 12:35
User Badges:

I would use a proxy.pac file to determine where the client is and set the PROXY where you want it to go.

Something like:


function FindProxyForURL(url, host)


var proxy_yes = "PROXY";

ver proxy_dmz = "PROXY";

var proxy_no = "DIRECT";

if (isPlainHostName(host)) { return proxy_no; }

if (dnsDomainIs(host, "")) { return proxy_no; }

if (isInNet(myIpAddress(), "", "")) { return proxy_dmz; } //VPN NETWORK

return proxy_yes;


--- END PROXY.PAC ----

mvengelen Wed, 09/19/2007 - 23:13
User Badges:

Good idea but as i'm no in control of the desktop of this large organisation I would rather have a "transparent" solution.

guibarati Mon, 09/24/2007 - 12:44
User Badges:
  • Bronze, 100 points or more

You can use the proxy settings of the VPN gateway, you can do that under the EzVPN policy configuration, somewhere depending of what device you are using

mvengelen Mon, 09/24/2007 - 21:25
User Badges:

I already set the proxy via the ms client settings that you can push via the ASA, but the issue here is that the domain login overrules tis setting because this is processed after the VPN connection is set.

guibarati Tue, 09/25/2007 - 03:27
User Badges:
  • Bronze, 100 points or more

I see, the only thing I could say now is for you to try something with "slow link detection" policy then it will see the host is not local and not apply the policy, it's primiry intended for roaming profile but I think it could work for proxy. See


This Discussion