Configuring PAT over VPN Tunnel to access a hosted APP

Unanswered Question
Nov 4th, 2009

Hey y'all,

Can anyone please provide direction on how to successfully PAT the plethora of /24 subnets I have onsite to a predetermined 172.x.x.x address for access specifically destined to a hosted web server via a Site-To-Site VPN tunnel? I am uncertain as to how to properly PAT the private address through the tunnel without inadvertently sending all users to the tunnel.

Here are the details:

-Users need access to a Time/Attendance hosted application accessible only via a secure site-to-site tunnel via https://x.x.x.x website

-The application is hosted by a 3rd party vendor and their requirement is to “hide users” (source IPs /24) behind a designated PAT'd address (172.x.x.x)

-Cisco ASA 5540 ver. 8.0

-permit port 443

Ultimately, the ACL will look like:

access-list ABC-crypto remark x.x.x.x = hosted web server IP, 172.x.x.x = PAT'd address

access-list ABC-crypto extended permit ip host 172.x.x.x host x.x.x.x

Any assistance is GREATLY appreciated

Herbert Baerten Wed, 11/04/2009 - 23:39

It may depend on what kind of NAT config you already have (e.g. for the same clients connecting to the internet I suppose you already have a nat/global pair) but you'll need something like this:

access-list PAT-172 extended permit ip any host x.x.x.x

nat (inside) 1 access-list PAT-172

global (outside) 1 172.x.x.x

What this says is "for all traffic matching the ACL PAT-172, and going from inside to outside, PAT the source to 172.x.x.x".

I hope this helps.
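Putting the reply's nat/global pair together with the crypto ACL from the question, here is an added ASA 8.0 configuration example (not from the original thread or either poster). It assumes interfaces named inside/outside, an existing Internet PAT already using NAT ID 1, the hosted server at x.x.x.x, the vendor-assigned PAT address 172.x.x.x, a VPN peer at y.y.y.y, and hypothetical crypto map / transform-set names; the point it adds is that the crypto ACL must match the translated source, and that the policy NAT needs its own NAT ID so it does not collide with the Internet PAT.

```cisco
! Added example (not from the original thread): ASA 8.0 policy PAT + crypto ACL.
! Assumed: interfaces "inside"/"outside", an existing Internet PAT on NAT ID 1,
! hosted server x.x.x.x, vendor PAT address 172.x.x.x, VPN peer y.y.y.y.
! Crypto map, transform-set and pre-shared key values are placeholders.

! 1. Match only the local /24s talking HTTPS to the hosted app.
!    Destination-based policy NAT leaves every other flow on the Internet PAT.
access-list PAT-172 extended permit tcp any host x.x.x.x eq 443

! 2. Policy PAT with a NAT ID that is NOT already used by the Internet PAT
!    (ID 1 is assumed to be "nat (inside) 1 0 0" / "global (outside) 1 interface").
!    Policy NAT is evaluated before regular dynamic NAT, so it wins for this traffic.
nat (inside) 2 access-list PAT-172
global (outside) 2 172.x.x.x

! 3. For outbound traffic the ASA applies NAT before the crypto map, so the
!    crypto ACL references the translated source. Only 172.x.x.x -> x.x.x.x is
!    encrypted; untranslated internal subnets never match and never enter the tunnel.
access-list ABC-crypto extended permit ip host 172.x.x.x host x.x.x.x

! 4. Bind the crypto ACL to the site-to-site peer (assumes an ISAKMP policy
!    already exists and ISAKMP is enabled on outside).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address ABC-crypto
crypto map OUTSIDE_MAP 10 set peer y.y.y.y
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! 5. Verify which NAT rule and crypto entry a flow really hits before trusting it
!    (10.1.1.10 is a constructed inside host):
! packet-tracer input inside tcp 10.1.1.10 12345 x.x.x.x 443
! show xlate | include 172.
! show crypto ipsec sa peer y.y.y.y
```

The packet-tracer output shows the NAT and VPN phases explicitly, which is the quickest way to confirm that ordinary Internet-bound traffic from the same /24s still takes the regular PAT and never matches ABC-crypto.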
