Secure Access NAT as a Service
Cisco Secure Access secure web gateway (SWG) traffic that is bound for internet destinations takes the Secure Access NAT as a Service (NATaaS) as its egress point. NATaaS provides secure, efficient connections to internet destinations. NATaaS assigns public IP addresses to internet-bound traffic from a shared pool of IPv4 and IPv6 addresses, or from a single IPv4 address reserved for each geographic region where your Secure Access organization is deployed.
For more information on reserving your IPv4 address, see Reserved IP.
Table of Contents
Web Traffic and NATaaS
An IP address available from the NATaaS enables you to register your traffic for allow lists maintained by internet sites and services. An IP address available from the NATaaS affects only the source IP for your internet-bound traffic. It does not affect the IP address that you use to establish the IPsec tunnel between your network and Secure Access.
The NATaaS will use an IP address from the shared ranges below. Depending on your organization, you may have to contact the internet service providers that you connect to from the NATaaS with these additional IP address ranges. Some internet service providers require prior knowledge of the IP address ranges used before allowing connections to their service.
For more information, see Network Requirements for Secure Access.
IPv4 Shared Ranges
- 151.186.144.0/20
- 151.186.176.0/20
IPv6 Shared Ranges
| Virtual Edge Data Center | Egress IPv6 Range |
|---|---|
| prod_aws_us-west-2_1_0 | 2603:5004:13:a::/64 |
| prod_aws_us-west-2_1_1 | 2603:5004:13:9::/64 |
| prod_aws_us-east-1_1_1 | 2603:5004:2:5::/64 |
| prod_aws_us-east-1_1_0 | 2603:5004:2:4::/64 |
| prod_aws_ap-east-1_1_1 | 2603:5004:d0:107::/64 |
| prod_aws_ap-east-1_1_0 | 2603:5004:d0:106::/64 |
| prod_aws_ap-northeast-1_1_1 | 2603:5004:20:9::/64 |
| prod_aws_ap-northeast-1_1_0 | 2603:5004:20:3::/64 |
| prod_aws_ap-northeast-3_1_0 | 2603:5004:e0:106::/64 |
| prod_aws_ap-northeast-3_1_1 | 2603:5004:e0:107::/64 |
| prod_aws_ap-south-1_1_0 | 2603:5004:30:6::/64 |
| prod_aws_ap-south-1_1_1 | 2603:5004:30:9::/64 |
| prod_aws_ap-south-2_1_1 | 2603:5004:150:209::/64 |
| prod_aws_ap-south-2_1_0 | 2603:5004:150:203::/64 |
| prod_aws_ap-southeast-1_1_0 | 2603:5004:40:6::/64 |
| prod_aws_ap-southeast-1_1_1 | 2603:5004:40:5::/64 |
| prod_aws_ap-southeast-2_1_0 | 2603:5004:50:109::/64 |
| prod_aws_ap-southeast-2_1_1 | 2603:5004:50:104::/64 |
| prod_aws_ap-southeast-3_1_1 | 2603:5004:60::/64 |
| prod_aws_ap-southeast-3_1_0 | 2603:5004:60:b::/64 |
| prod_aws_ca-central-1_1_1 | 2603:5004:70:7::/64 |
| prod_aws_ca-central-1_1_0 | 2603:5004:70:8::/64 |
| prod_aws_eu-central-1_1_0 | 2603:5004:80:105::/64 |
| prod_aws_eu-central-1_1_1 | 2603:5004:80:103::/64 |
| prod_aws_eu-central-2_1_0 | 2603:5004:90:108::/64 |
| prod_aws_eu-central-2_1_1 | 2603:5004:90:102::/64 |
| prod_aws_eu-north-1_1_1 | 2603:5004:120:200::/64 |
| prod_aws_eu-north-1_1_0 | 2603:5004:120:205::/64 |
| prod_aws_eu-west-2_1_0 | 2603:5004:a0:10a::/64 |
| prod_aws_eu-west-2_1_1 | 2603:5004:a0:101::/64 |
| prod_aws_il-central-1_1_0 | 2603:5004:b0:105::/64 |
| prod_aws_il-central-1_1_1 | 2603:5004:b0:101::/64 |
| prod_aws_me-central-1_1_1 | 2603:5004:f0:107::/64 |
| prod_aws_me-central-1_1_0 | 2603:5004:f︎0:100::/64 |
| prod_aws_sa-east-1_1_0 | 2603:5004:c0:107::/64 |
| prod_aws_sa-east-1_1_1 | 2603:5004:c0:101::/64 |
Non-Web Traffic and NATaaS
- All public IP non-web traffic egresses from the NATaaS at 151.186.192.0/20.
Best Practices
- You cannot combine the NATaaS IP address range (151.186.176.0/20) with the Secure Access IP address range (151.186.192.0/20) into a larger /19 range. One range is at the end of the larger first block and the other range is at the beginning of the larger second block.
Network Requirements for Secure Access < Secure Access NAT as a Service > Reserved IP
Updated 20 days ago