Cisco made significant changes to NAT from ASA version 8.3 and above. These changes have made it possible to test IPSEC tunnel connectivity into the Blue Coat Cloud Service without any interruption to current production traffic.  These changes also allow a seamless transition from testing to fully deploying production traffic through the Blue Coat Cloud Service.

The steps below were completed using ASDM 6.4(9) which is the current version recommended by Cisco.

First a NAT rule needs to be created:

The properties of the rule need to be defined:

1 – select inside interface (this is generally set to the interface that will see incoming traffic from the host/subnet)
2 – select outside interface
3 – select or create the host that will be used for testing through the Blue Coat Cloud Service (this is the field that needs to be changed to include more test hosts and eventually all production subnets)
4 – create or select the service object for HTTP (a second rule will be created for the HTTPS service)
5 – disable proxy ARP on egress interface (this disables direction and assumes unidirectional)

Create a second rule that includes HTTPS as the service.  The summary of the two rules will look as follows:

These added NAT rules exempt HTTP and HTTPS from workstation1 from being NAT'ed but all other protocols from workstation1 will be NAT'ed by rule 3.

the config output for the example above is as follows::

object network workstation1
 host 192.168.1.6
object service HTTPS
 service tcp destination eq https
object service HTTP
 service tcp destination eq www

 
nat (inside,outside) source static workstation1 workstation1 service HTTP HTTP no-proxy-arp
nat (inside,outside) source static workstation1 workstation1 service HTTPS HTTPS no-proxy-arp