Cisco Support Community
Community Member

Configuring PAT over VPN Tunnel to access a hosted APP

Hey y'all,

Can anyone please provide direction on how to successfully PAT the plethora of /24 subnets I have onsite to a predetermined 172.x.x.x address for access specifically destined to a hosted web server via a Site-To-Site VPN tunnel? I am uncertain as to how to properly PAT the private address through the tunnel without inadvertently sending all users to the tunnel.

Here are the details:

-Users need access to a Time/Attendance hosted application accessible only via a secure site-to-site tunnel via https://x.x.x.x website

-The application is hosted by a 3rd party vendor and their requirement is to “hide users” (source IPs /24) behind a designated PAT'd address (172.x.x.x)

-Cisco ASA 5540 ver. 8.0

-permit port 443

Ultimately, the ACL will look like:

access-list ABC-crypto extended permit ip host 172.x.x.x host x.x.x.x (website URL IP address)

Any assistance is GREATLY appreciated.

Cisco Employee

Re: Configuring PAT over VPN Tunnel to access a hosted APP

It may depend on what kind of NAT config you already have (e.g. for the same clients connecting to the internet I suppose you already have a nat/global pair) but you'll need something like this:

access-list PAT-172 extended permit ip any host x.x.x.x
nat (inside) 1 access-list PAT-172
global (outside) 1 172.x.x.x

What this says is "for all traffic matching the ACL PAT-172, and going from inside to outside, PAT the source to 172.x.x.x".

I hope this helps.
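A fuller ASA 8.0 fragment, added here as an illustration and not taken from either post above or from Cisco documentation. It uses a separate NAT ID so the new PAT address does not join the existing internet global pool, writes the crypto ACL with the post-NAT source (the ASA translates before it evaluates the crypto map), and ends with packet-tracer checks. All addresses are placeholders: 203.0.113.10 stands in for the hosted server (the page's x.x.x.x), 172.16.1.1 for the vendor-assigned PAT address (172.x.x.x), 198.51.100.1 for the vendor's VPN peer, and 10.0.0.0/8 for the on-site /24s.

```cisco
! Constructed example for ASA 8.0 (placeholder addresses, see lead-in).
!
! 1. Policy PAT: only traffic from the inside subnets to the hosted server
!    on 443 is translated. Policy NAT (nat id + access-list) is evaluated
!    before regular dynamic NAT, so the existing internet nat/global pair
!    (id 1) is untouched and keeps serving every other destination.
!    Caveat: a "nat (inside) 0 access-list ..." exemption that covers these
!    subnets to this server would win over this rule and bypass the PAT.
access-list PAT-172 extended permit tcp 10.0.0.0 255.0.0.0 host 203.0.113.10 eq 443
nat (inside) 2 access-list PAT-172
global (outside) 2 172.16.1.1
!
! 2. Crypto (interesting-traffic) ACL. Source is the translated address,
!    destination is the hosted server; the vendor mirrors this on their side.
access-list ABC-crypto extended permit ip host 172.16.1.1 host 203.0.113.10
!
! 3. Phase 1 / Phase 2 and the crypto map tied to the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-VENDOR-KEY
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address ABC-crypto
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! 4. Checks. The first trace should show an xlate to 172.16.1.1 and a VPN
!    encrypt phase; the second (same user, other destination) must show the
!    ordinary internet PAT and no VPN phase, proving users are not all
!    being pushed into the tunnel.
packet-tracer input inside tcp 10.1.1.25 40000 203.0.113.10 443
packet-tracer input inside tcp 10.1.1.25 40000 192.0.2.50 443
show xlate | include 172.16.1.1
show crypto ipsec sa peer 198.51.100.1
```

The second packet-tracer uses 192.0.2.50 purely as a stand-in for "any non-vendor destination".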

