New Member

NAT on same interface

My (IPsec client-VPN) ASA is connected to the DMZ of an ISA cluster. The users get an IE proxy setting via domain login which refers to the local LAN interface (NLB) of the ISAs. The DMZ interface is also listening for proxy requests. I want to NAT the local LAN proxy to the DMZ proxy (preferably PAT). A simple static (port) NAT doesn't work. Any ideas?

Any ideas how to?

5 REPLIES
New Member

Re: NAT on same interface

I would use a proxy.pac file to determine where the client is and set the PROXY where you want it to go.

http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Something like:

--- START PROXY.PAC ----

function FindProxyForURL(url, host)
{
    var proxy_yes = "PROXY proxy.company.com:8080";
    var proxy_dmz = "PROXY dmzproxy.company.com:8080";
    var proxy_no = "DIRECT";

    // Unqualified and internal hostnames bypass the proxy
    if (isPlainHostName(host)) { return proxy_no; }
    if (dnsDomainIs(host, ".company.com")) { return proxy_no; }

    // Clients with an address in the VPN pool use the DMZ proxy
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) { return proxy_dmz; } //VPN NETWORK

    // Everyone else uses the LAN proxy
    return proxy_yes;
}

--- END PROXY.PAC ----
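Added example, not part of the original reply: a Node.js harness that runs a copy of the PAC function above against constructed client addresses, so the proxy decision can be checked before the file is deployed. The helper stand-ins, the sample IPs and the test URLs are assumptions made for this sketch; browsers supply the real PAC helpers.

```javascript
// Simplified stand-ins for the browser's PAC helpers (no DNS resolution:
// isInNet here only accepts dotted-quad addresses).
const ipToInt = (ip) =>
  ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);

function makePacEnv(reportedIp) {
  return {
    isPlainHostName: (host) => !host.includes("."),
    dnsDomainIs: (host, domain) => host.endsWith(domain),
    isInNet: (ip, net, mask) =>
      ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0),
    myIpAddress: () => reportedIp, // the address the browser reports
  };
}

// Copy of the PAC function from the reply.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  var proxy_yes = "PROXY proxy.company.com:8080";
  var proxy_dmz = "PROXY dmzproxy.company.com:8080";
  var proxy_no = "DIRECT";
  if (isPlainHostName(host)) { return proxy_no; }
  if (dnsDomainIs(host, ".company.com")) { return proxy_no; }
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) { return proxy_dmz; }
  return proxy_yes;
}`;

// Evaluate the PAC text with the helpers injected as named parameters.
function evaluatePac(reportedIp, url) {
  const env = makePacEnv(reportedIp);
  const names = Object.keys(env);
  const factory = new Function(...names, PAC_SOURCE + "\nreturn FindProxyForURL;");
  const findProxy = factory(...names.map((n) => env[n]));
  return findProxy(url, new URL(url).hostname);
}

// Constructed cases: addresses and URLs are sample values.
function runCases() {
  return {
    vpnClient: evaluatePac("192.168.1.57", "http://www.example.org/"),
    lanClient: evaluatePac("10.20.30.40", "http://www.example.org/"),
    vpnIntranet: evaluatePac("192.168.1.57", "http://intranet.company.com/"),
    // VPN user whose browser reports the physical adapter, not the tunnel
    vpnReportsPhysicalNic: evaluatePac("172.16.5.9", "http://www.example.org/"),
  };
}

console.log(runCases());
```

The last case is the one to watch: if `myIpAddress()` reports a VPN client's physical adapter address instead of its tunnel address, the `isInNet` test fails and the client is handed the LAN proxy.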

New Member

Re: NAT on same interface

Good idea, but as I'm not in control of the desktop of this large organisation I would rather have a "transparent" solution.

Bronze

Re: NAT on same interface

You can use the proxy settings of the VPN gateway. You can do that under the EzVPN policy configuration, somewhere depending on what device you are using.

New Member

Re: NAT on same interface

I already set the proxy via the MS client settings that you can push via the ASA, but the issue here is that the domain login overrules this setting because this is processed after the VPN connection is set.

Bronze

Re: NAT on same interface

I see. The only thing I could say now is for you to try something with the "slow link detection" policy; then it will see the host is not local and not apply the policy. It's primarily intended for roaming profiles, but I think it could work for proxy. See

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91599.mspx?mfr=true
