NAT incoming SSL traffic to inside interface address

Hi All,

I'm trying to NAT the source address of incoming SSL traffic to the physical inside interface address, so that on the inside network all SSL traffic appears to be sourced from the inside interface.

Does anyone know if this is possible? I was trying something like this...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
global (inside) 1 interface
nat (outside) 1 10.0.2.0 255.255.255.0
!
ip local pool SSL-IP-POOL 10.0.2.1-10.0.2.254 mask 255.255.255.0
!
tunnel-group TEST general-attributes
 address-pool SSL-IP-POOL
!

Regards

Hielke


andrew.prince (Level 10)

I think you might have to use a specific src/dst acl to trigger it.

Something like:

access-list outside_nat_static line 1 extended permit tcp any https <>
static (outside,inside) tcp interface 443 access-list outside_nat_static

HTH

Hi Andrew,

Thx for your reply. Excuse me for not being clear about this.

I'm trying to NAT the decrypted client traffic (so the traffic sourced from the pool addresses), not the SSL traffic (sourced from the real client address).

It seems to me your answer refers to the second situation, whereas I meant to ask about the first one.

Any suggestions?

Regards

Hielke

The device will not act as an SSL proxy.

HTH
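The setup Hielke describes in his clarification, written out as an added example that is not part of the original thread: dynamic PAT of the decrypted VPN pool traffic to the inside interface address, first in the pre-8.3 syntax used in the post and then in the 8.3+ object NAT syntax. It assumes the interface names and the 10.0.2.0/24 pool from the post; the object name VPN-POOL is an assumption. The trailing `outside` keyword on the pre-8.3 nat line marks the real addresses as sitting behind the lower-security interface, which is what makes the ASA apply outside NAT to them.

```text
! --- Pre-8.3 syntax (same form as the post) ---
! Decrypted client traffic enters on "outside" with a pool address as its source.
! "outside" at the end of the nat line is required for outside NAT; without it the
! rule is treated as inside NAT and never matches the pool sources.
ip local pool SSL-IP-POOL 10.0.2.1-10.0.2.254 mask 255.255.255.0
!
nat (outside) 1 10.0.2.0 255.255.255.0 outside
global (inside) 1 interface
!
tunnel-group TEST general-attributes
 address-pool SSL-IP-POOL
!
! --- Same translation in 8.3+ object NAT syntax (object name VPN-POOL is assumed) ---
object network VPN-POOL
 subnet 10.0.2.0 255.255.255.0
 nat (outside,inside) dynamic interface
!
! Check that translations are actually being built for pool sources:
!   show xlate
!   show nat
```

Because every VPN client is now hidden behind 10.0.1.2 on the inside network, inside-side logs no longer identify which client opened a connection; keep the ASA's xlate and VPN session logging as the attribution source.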
