NAT incoming SSL traffic to inside interface address

Hi All,

I'm trying to NAT the source address of incoming ssl traffic to the physical inside interface. So on the inside network all ssl traffic should be sourced from the inside interface.

Does anyone know if this is possible? I was trying something like this...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
global (inside) 1 interface
nat (outside) 1 10.0.2.0 255.255.255.0
!
ip local pool SSL-IP-POOL 10.0.2.1-10.0.2.254 mask 255.255.255.0
!
tunnel-group TEST general-attributes
 address-pool SSL-IP-POOL
!

Regards

Hielke

  • Firewalling
3 REPLIES

Re: NAT incoming SSL traffic to inside interface address

I think you might have to use a specific src/dst acl to trigger it.

something like

access-list outside_nat_static line 1 extended permit tcp any https <>

static (outside,inside) tcp interface 443 access-list outside_nat_static

HTH>


Re: NAT incoming SSL traffic to inside interface address

Hi Andrew,

Thx for your reply. Excuse me for not being clear about this.

I'm trying to NAT the decrypted client traffic (so the traffic sourced from the pool addresses), not the ssl traffic (sourced from the real client address).

It seems to me your answer refers to the second situation, whereas I meant to ask about the first one.

Any suggestions?

Regards

Hielke

Re: NAT incoming SSL traffic to inside interface address

The device will not act as an SSL proxy

HTH>
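The configuration the original post is asking for, written out as an added example that is not from the thread and not Cisco's own documentation. It uses the ASA 8.2-style global/nat syntax the question uses; the interface addresses, pool name and tunnel-group name are taken from the post, everything else is assumed. The only functional difference from the posted attempt is the trailing "outside" keyword on the nat (outside) statement: without it the rule is treated as inside NAT and never matches the decrypted VPN client traffic that enters on outside and leaves toward inside, so the 10.0.2.0/24 pool addresses reach the inside network untranslated.

```cisco
! Added example (hypothetical ASA 8.2-style config), not the thread's own config.
! Addresses and names from the original post; the rest is assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
! Addresses handed to SSL VPN clients; their decrypted traffic is sourced from here.
ip local pool SSL-IP-POOL 10.0.2.1-10.0.2.254 mask 255.255.255.0
!
! Dynamic outside PAT: translate the VPN pool to the inside interface address.
! "global (inside) 1 interface" = the mapped address is the inside interface IP.
! The trailing "outside" keyword on the nat line is required because the real
! addresses sit on a lower-security interface than the global's interface;
! it marks this as an outside NAT rule instead of an inside one.
global (inside) 1 interface
nat (outside) 1 10.0.2.0 255.255.255.0 outside
!
tunnel-group TEST general-attributes
 address-pool SSL-IP-POOL
!
```

After a client connects and opens a session to an inside host, "show xlate" should list a PAT entry with Global 10.0.1.2 and Local set to the client's pool address; if the table stays empty the nat line is not matching. On ASA 8.3 and later the same thing is expressed as an object NAT rule: an "object network" containing "subnet 10.0.2.0 255.255.255.0" with "nat (outside,inside) dynamic interface". One point to keep in mind from the monitoring side: once the whole pool is hidden behind 10.0.1.2, inside servers log every VPN user as the same address, so per-user attribution depends on the ASA's own translation and VPN session logs (the build/teardown dynamic translation messages) being exported to your log collector.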
