CS-ACS and NAT

Hello,
Currently, we have FWSM/7606 sitting between a CS-ACS appliance v4.0.1 and the network comprising several routers. Since we use NAT, all network devices appear as a single IP address in CS-ACS.
Is there a way to convey the real router IP address into CS-ACS, either in the T+ payload or by other means ?
We need to see, in CS-ACS logs, both the Real IP and the NAT IP (we already have this one).
Thanks in advance.

I've looked at a tacacs+ auth request in ethereal and I'm pretty sure the source adress is lost. Also, if you review the rfc(http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt) You will find that the is no source field.

Similar Messages

  • ACS replication and NAT

    Hi all,
    I've the following question: is it possible to set up a replication between 2 server running the same version of ACS, but with 1 server behind a PIX running static NAT (private IP address of one server is statically mapped to a public address)?
    I was able to manage the replication when the two servers on the same LAN, but when I move the second server on the private LAN I obtain error "shared secret mismatch".
    Any idea?
    Thanks
    Regards
    Roberto

    ACs versions 3.1 and greater will not work with replication and NAT'ing. The security of the replication process was increased in these version, and the originating server hashes it's own IP address (the non-NAT'd version of it) into the data to be used as part of the verification process.
    If the receiving server sees this from a different IP address due to the NAT'ing then it will fail and produce the "shared secret mismatch" error you're seeing.
    Sorry, no way around it unfortunately.

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some ligh on a problem im having. We have setup a ASA 5505 with an ISP called Zen that allocates you a subnet of public ip addresses. i have sucessfully  setup the asa to access the internet using nat on the outside interface. we would like to use the other ip addresses in the range for other services but i cannot think how i can do this/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    i have setup XX.XX.XXX.46 on the otside interface and hosts inside can access the net and nat from the internet to internal devices all work.
    we have a vdsl modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way i can use the other spare addresses? i do see how i can use them. i have done a lot of browsing and the only way i see that other people have been able to do this is using a layer3 device and using ip unnumber of the external int point to a loopback,
    any info or advice would be gratefully received.
    regards
    C.

    Hello
    the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
    debugging icmp i see pings to the .46 address however i see no pings/traffic received on the asa for the other addresses. how does zen know to route the xx.xx.xx.41 to .45 ip addresses to the firewall using the .46 address?
    the nat rules i have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    thanks for the help

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem

    I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module).  It turns out my initial set ups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical.  All of the threads I found on this forum and on many others suggested this was not possible, but it is.  What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink). 
    The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear:  http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-ex treme-bridge
    The proper settings for the ActionTec DSL Modem can be found under Advanced Setup/IP Adressing/WAN IP Address
    Click RFC 1483 Transparent Bridging then click on Apply.
    (see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
    To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot. 
    In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP).  Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
    1.  Disconnect the power from both the modem and the Airport Extreme.
    2.  Disconnect the Ethernet cable between the two devices
    3.  Restore power to the 2 devices and allow them to fully reboot.  For the ActionTec M1000, this is indicated when the lights stop blinking.  (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge.  You will NOT have an Internet connection until the AEBS is reconnected.)  The AEBS will be blinking yellow.
    4.  Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
    Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything. 
    Does anyone think or know if it will make a difference?
    Message was edited by: Bud Shaw

    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
    Does anyone think or know if it will make a difference?
    No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other.  What works is best.
    In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
    In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc.

  • How to set up DHCP and NAT for QNAP NAS MyCloud service?

    I have an Apple AirPort Extreme Base Station (AEBS) attached to my DSL model (no router in the modem).  My QNAP NAS is attached via ethernet to the QNAP NAS.  My iMac (running AirPort Utility 6.x) is connected to the AEBS via wifi.
    I've found several folks who've tried this (and apparently succeeded) but I'm a networking novice and am having trouble making this work.  What I did was to go into the AirPort utility and in the networking section configure "DHCP and NAT" and then called out the static IP and MAC address of the QNAP NAS (as well as the ports I'd like to remain open).  However, when I did this and applied the changes, my iMac (connected to the AEBS via wifi) could no longer see the AEBS, which then required me to reset the AEBS, re-configure it back to the previous known good conifiguration and start over.  After about 5 cycles of this I gave up.
    So, what am I doing wrong here?  Do I need to go in and configure every device that is going to access the AEBS as static and call out each device's IP and MAC address? (hopefully not, that'd be a major PITA).
    Help.  Anyone?

    When I run diagnostics with the QNAP, here is the reply I get (IPs redacted):
    ------ NAT PMP Diagnostics ------
    initnatpmp() returned 0 (SUCCESS)
    using gateway : xx.x.x.x
    sendpublicaddressrequest returned 2 (SUCCESS)
    readnatpmpresponseorretry returned 0 (OK)
    Public IP address : 192.168.xxx.xxx
    epoch = 2621
    closenatpmp() returned 0 (SUCCESS)
    ------ UPnP Diagnostics ------
    upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
    desc: http://xx.x.x.x:60606/8CC1212D0C6D/Server0/ddd
    st: upnp:rootdevice
    desc: http://xx.x.x.x:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/nrc/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/dmr/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/4/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/2/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/0/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:8200/rootDesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49152/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49153/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49155/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    UPnP device found. Is it an IGD ? : http://xx.x.x.x:60606/
    Trying to continue anyway
    Local LAN ip address : xx.x.x.xxx
    GetConnectionTypeInfo failed.
    Status : , uptime=3217870016s, LastConnectionError :
      Time started : Wed Mar 13 17:04:03 1912
    MaxBitRateDown : 7 bps   MaxBitRateUp 0 bps
    GetExternalIPAddress() returned -3
    GetExternalIPAddress failed.
    GetGenericPortMappingEntry() returned -3 ((null))

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Apprecaite quick help on this.
    -Satishcp

    Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess Remote Agents for Windows / Solaris works with Appliances alone.

  • Problem with passive mode FTP server and NAT

    Hi,
    I have a problem with Passive mode FTP and NAT.
    I am trying to run both an FTP server and sharing the Internet connection via NAT. I have by the way specified the passive ports to use in ftpaccess (65000-65534). Everything works fine until someone tries to connect via Passive mode. I have tracked the problem down to the firewall and the rule that handles NAT.
    Firewall rule config without NAT:
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    Firewall rule config with NAT
    00001 allow udp from any 626 to any dst-port 626
    00010 divert 8668 ip from any to any via en1
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    So, passive ports do not work when NAT is on. If I turn it off, Passive ftp works like a charm.
    But how do I solve my problem? I have in my quest for the answer stumbled upon "-punch_fw" but do not know how to use it or if it even helps me at all?
    Best regards,
    Peter
    B&W G3 Mac OS X (10.4.5)

    Media/Lacrosse-1-tiny.3gp
    I can't find the file on your server.
    They may also need to edit the .htaccess file to allow the .3gp file extension be used. Call them.

  • ACS and Windows Server

    I have installed ACS 5.2 on a machine and I am trying to integrate with that Windows Server 2003 ( Active Directory ) . On the ACS when i do test connection it shows me sucess but when i save the setting it gives me Time error . I kept the clock and timezone of Active Directory and ACS server as same but still it gives me error . I read on one of the blog that it is better to configure NTP on a router and then sync both the devices with same NTP .
    Is it necessary to configure NTP or manual config should also work ?

    I have ran into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
    Sent from Cisco Technical Support iPhone App

  • ACS and Windows 2000 user database communication port

    Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
    I'm affraid to infect ACS Service.
    So, I want to install firewall on this server to block malicious traffic.
    However, my ACS used external user database Windows 2000 for authentication.
    Who can tell me What protocols or port list they are communication?
    I have to avoid these traffic on my firewall.

    Hi cheng
    I think you can install any servie pack without problem and the SP4 is the latest one for WIN2000 and you server already has this SP
    For your second question you need to specify many protocols according to your active directory config in this link you can find a list of this protocols and the best way is to make debug or logging or use a siniffer to know the exactly protocols flow between your ACS and AD server
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • Can i configure a network with ACS and ISE?

    I have both acs and ise, how do i integrate these appliance to work togheter?
    Thanks

    ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services  Engine can work in tandem with Cisco NAC Manager to provide the same  profiling service as the NAC Profiler, which has reached end-of-sale  status.
    Existing Cisco Secure ACS customers using network  access can easily migrate to the Cisco Identity Services Engine platform  using migration part numbers and tools. However, existing Cisco Secure  ACS customers using TACACS functions will not be able to migrate to the  current version of ISE for network device identity management which is  often acceptable for customers who prefer to keep user and network  identity on separate systems.

  • ACS and HA

    Hello,
    The purpose is to use a 802.1X authentication with ACS server, AD and high availibility.
    I have 2 sites with one AD with a 4 mega link bandwidth and one ACS for each site.
    I know that it is possible to use ACS active/passive mode with replication of database.
    but I also read that it's possible to use 2 groups on ACS and use HA,and my question is
    In my configuration with one AD and 2 ACS, can I use this functionality ?
    Is it possible to know the bandwidth between ACS in case of replication or active/active mode?
    Regards

    You can make it active / active too... Second Only one AD it is not at all problem. As sson as it need one IP or Name of AD server. Specify same name at both server. It will be replicate.
    Regards,
    Dharmesh Purohit

  • Cisco Secure ACS and Windows NLB

    Hi,
    I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
    Has anyone had any success with ACS and Microsoft NLB? I can?t find any documentation to suggest that they are incompatible but I think this may be the case.
    Thanks,
    Neil

    Neil,
    ACS is not tested with NLB but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
    Do you see any hits on acs ? If you sniff the acs interface, what is the source IP address ? Is it clustered ip or clustered host IP ??
    Also on acs --->Network configuration add aaa client with host IP and clustered ip . Now see if acs responds to NLB.
    Regards,
    ~JG

  • ACS and CAR integration

    Hi,
    Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
    I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
    Thanks,
    Habib U Dashti

    Hi Habib,
    Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so as DB-2, The other way round is that you can convert DB-2 database in flat file structure and import it into ACS database. Regarding limitations or issues i do not have any info.
    And CAR has its own database & does not support DB-2.
    Thanks.

Maybe you are looking for

  • Audigy 2 zs platinum pro HUB prob

    Hi Installed a new platinum pro sound card, which is working absolutely fine on its own. However, i've been unsuccessful in getting the I/O or hub working (which it came with) Just wondering if anyone knows of a solution Many thanks link to a review

  • Importing to a Oracle Table from SQL Loader Fails

    Hi , When I try to upload one xml file from my server to my table in oracle server using sql loader it fails at times.Some times it works perfectly. This is a daily process which automatically dumps data to my oracle. Please find the error log : SQL*

  • Lens Corrections in Lightroom 4

    Can 'Enable Profile Corrections' in Lens Corrections be checked as a default?

  • Spool Error - Spool created but not opening/displaying. Message no SP01R042

    Dear All, In the ECC Production System, for SD documents Spool is  created but not opening/displaying. Message no SP01R042 When we check the short dump for the user, The dump is - - POSTING_ILLEGAL_STATEMENT - Statement "CALL SCREEN" is not allowed i

  • Premiere elements 13 restart during installation

    I've been trying to install the Premiere Elements 13 trial.  I've tried 5 or 6 times, and each time the installer forces a restart while trying to install Microsoft Visual C++  2012 redistributable package.  After the restart the installation does no