CS-ACS and NAT

Similar Messages

• ACS replication and NAT

  Hi all,
  I've the following question: is it possible to set up a replication between 2 server running the same version of ACS, but with 1 server behind a PIX running static NAT (private IP address of one server is statically mapped to a public address)?
  I was able to manage the replication when the two servers on the same LAN, but when I move the second server on the private LAN I obtain error "shared secret mismatch".
  Any idea?
  Thanks
  Regards
  Roberto

  ACs versions 3.1 and greater will not work with replication and NAT'ing. The security of the replication process was increased in these version, and the originating server hashes it's own IP address (the non-NAT'd version of it) into the data to be used as part of the verification process.
  If the receiving server sees this from a different IP address due to the NAT'ing then it will fail and produce the "shared secret mismatch" error you're seeing.
  Sorry, no way around it unfortunately.

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• ASA5505 SOHO public ip range and nat head ache

  Hello
  Can anyone shed some ligh on a problem im having. We have setup a ASA 5505 with an ISP called Zen that allocates you a subnet of public ip addresses. i have sucessfully  setup the asa to access the internet using nat on the outside interface. we would like to use the other ip addresses in the range for other services but i cannot think how i can do this/configure this.
  LAN > ASA5505 > VDSL Modem > ISP
  the range they have given us is
  Number of IP addresses: 8
  IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
  Subnet mask: 255.255.255.248
  Subnet in slash notation: XX.XX.XXX.40 /29
  Network address: XX.XX.XXX.40
  XX.XX.XXX.41
  XX.XX.XXX.42
  XX.XX.XXX.43
  XX.XX.XXX.44
  XX.XX.XXX.45
  XX.XX.XXX.46 Router
  Broadcast address: XX.XX.XXX.47
  Router address: XX.XX.XXX.46
  i have setup XX.XX.XXX.46 on the otside interface and hosts inside can access the net and nat from the internet to internal devices all work.
  we have a vdsl modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
  Is there any way i can use the other spare addresses? i do see how i can use them. i have done a lot of browsing and the only way i see that other people have been able to do this is using a layer3 device and using ip unnumber of the external int point to a loopback,
  any info or advice would be gratefully received.
  regards
  C.

  Hello
  the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
  debugging icmp i see pings to the .46 address however i see no pings/traffic received on the asa for the other addresses. how does zen know to route the xx.xx.xx.41 to .45 ip addresses to the firewall using the .46 address?
  the nat rules i have are
  nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
  nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
  nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
  access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
  object-group service DM_INLINE_TCP_7 tcp
  port-object eq 902
  port-object eq www
  port-object eq https
  thanks for the help

• Internal DNS server and NAT routing issue.

  Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
  We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
  Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
  The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
  Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
  I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
  Thanks

  Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
  Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
  The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

• Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem

  I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module).  It turns out my initial set ups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical.  All of the threads I found on this forum and on many others suggested this was not possible, but it is.  What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink). 
  The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear:  http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-ex treme-bridge
  The proper settings for the ActionTec DSL Modem can be found under Advanced Setup/IP Adressing/WAN IP Address
  Click RFC 1483 Transparent Bridging then click on Apply.
  (see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
  To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot. 
  In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP).  Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
  1.  Disconnect the power from both the modem and the Airport Extreme.
  2.  Disconnect the Ethernet cable between the two devices
  3.  Restore power to the 2 devices and allow them to fully reboot.  For the ActionTec M1000, this is indicated when the lights stop blinking.  (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge.  You will NOT have an Internet connection until the AEBS is reconnected.)  The AEBS will be blinking yellow.
  4.  Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
  Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
  Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything. 
  Does anyone think or know if it will make a difference?
  Message was edited by: Bud Shaw

  Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
  Does anyone think or know if it will make a difference?
  No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other.  What works is best.
  In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
  In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc.

• How to set up DHCP and NAT for QNAP NAS MyCloud service?

  I have an Apple AirPort Extreme Base Station (AEBS) attached to my DSL model (no router in the modem).  My QNAP NAS is attached via ethernet to the QNAP NAS.  My iMac (running AirPort Utility 6.x) is connected to the AEBS via wifi.
  I've found several folks who've tried this (and apparently succeeded) but I'm a networking novice and am having trouble making this work.  What I did was to go into the AirPort utility and in the networking section configure "DHCP and NAT" and then called out the static IP and MAC address of the QNAP NAS (as well as the ports I'd like to remain open).  However, when I did this and applied the changes, my iMac (connected to the AEBS via wifi) could no longer see the AEBS, which then required me to reset the AEBS, re-configure it back to the previous known good conifiguration and start over.  After about 5 cycles of this I gave up.
  So, what am I doing wrong here?  Do I need to go in and configure every device that is going to access the AEBS as static and call out each device's IP and MAC address? (hopefully not, that'd be a major PITA).
  Help.  Anyone?

  When I run diagnostics with the QNAP, here is the reply I get (IPs redacted):
  ------ NAT PMP Diagnostics ------
  initnatpmp() returned 0 (SUCCESS)
  using gateway : xx.x.x.x
  sendpublicaddressrequest returned 2 (SUCCESS)
  readnatpmpresponseorretry returned 0 (OK)
  Public IP address : 192.168.xxx.xxx
  epoch = 2621
  closenatpmp() returned 0 (SUCCESS)
  ------ UPnP Diagnostics ------
  upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
  Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
  for more information.
  List of UPNP devices found on the network :
  desc: http://xx.x.x.x:60606/8CC1212D0C6D/Server0/ddd
  st: upnp:rootdevice
  desc: http://xx.x.x.x:9000/TMSDeviceDescription.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xx:55000/nrc/ddd.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xx:55000/dmr/ddd.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xx:49152/4/description.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xx:49152/2/description.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xx:49152/0/description.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xxx:8200/rootDesc.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xxx:49152/gatedesc.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xxx:49153/gatedesc.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xxx:49155/gatedesc.xml
  st: upnp:rootdevice
  desc: http://xx.x.x.xxx:9000/TMSDeviceDescription.xml
  st: upnp:rootdevice
  UPnP device found. Is it an IGD ? : http://xx.x.x.x:60606/
  Trying to continue anyway
  Local LAN ip address : xx.x.x.xxx
  GetConnectionTypeInfo failed.
  Status : , uptime=3217870016s, LastConnectionError :
    Time started : Wed Mar 13 17:04:03 1912
  MaxBitRateDown : 7 bps   MaxBitRateUp 0 bps
  GetExternalIPAddress() returned -3
  GetExternalIPAddress failed.
  GetGenericPortMappingEntry() returned -3 ((null))

• ACS and Windows Domain / AD

  Hi All,
  In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
  Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
  Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
  I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
  Apprecaite quick help on this.
  -Satishcp

  Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
  My guess Remote Agents for Windows / Solaris works with Appliances alone.

• Problem with passive mode FTP server and NAT

  Hi,
  I have a problem with Passive mode FTP and NAT.
  I am trying to run both an FTP server and sharing the Internet connection via NAT. I have by the way specified the passive ports to use in ftpaccess (65000-65534). Everything works fine until someone tries to connect via Passive mode. I have tracked the problem down to the firewall and the rule that handles NAT.
  Firewall rule config without NAT:
  00001 allow udp from any 626 to any dst-port 626
  01000 allow ip from any to any via lo0
  12300 allow ip from any to any
  65535 allow ip from any to any
  Firewall rule config with NAT
  00001 allow udp from any 626 to any dst-port 626
  00010 divert 8668 ip from any to any via en1
  01000 allow ip from any to any via lo0
  12300 allow ip from any to any
  65535 allow ip from any to any
  So, passive ports do not work when NAT is on. If I turn it off, Passive ftp works like a charm.
  But how do I solve my problem? I have in my quest for the answer stumbled upon "-punch_fw" but do not know how to use it or if it even helps me at all?
  Best regards,
  Peter
  B&W G3 Mac OS X (10.4.5)

  Media/Lacrosse-1-tiny.3gp
  I can't find the file on your server.
  They may also need to edit the .htaccess file to allow the .3gp file extension be used. Call them.

• ACS and Windows Server

  I have installed ACS 5.2 on a machine and I am trying to integrate with that Windows Server 2003 ( Active Directory ) . On the ACS when i do test connection it shows me sucess but when i save the setting it gives me Time error . I kept the clock and timezone of Active Directory and ACS server as same but still it gives me error . I read on one of the blog that it is better to configure NTP on a router and then sync both the devices with same NTP .
  Is it necessary to configure NTP or manual config should also work ?

  I have ran into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
  Sent from Cisco Technical Support iPhone App

• ACS and Windows 2000 user database communication port

  Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
  I'm affraid to infect ACS Service.
  So, I want to install firewall on this server to block malicious traffic.
  However, my ACS used external user database Windows 2000 for authentication.
  Who can tell me What protocols or port list they are communication?
  I have to avoid these traffic on my firewall.

  Hi cheng
  I think you can install any servie pack without problem and the SP4 is the latest one for WIN2000 and you server already has this SP
  For your second question you need to specify many protocols according to your active directory config in this link you can find a list of this protocols and the best way is to make debug or logging or use a siniffer to know the exactly protocols flow between your ACS and AD server
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
  Best Regards

• Can i configure a network with ACS and ISE?

  I have both acs and ise, how do i integrate these appliance to work togheter?
  Thanks

  ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services  Engine can work in tandem with Cisco NAC Manager to provide the same  profiling service as the NAC Profiler, which has reached end-of-sale  status.
  Existing Cisco Secure ACS customers using network  access can easily migrate to the Cisco Identity Services Engine platform  using migration part numbers and tools. However, existing Cisco Secure  ACS customers using TACACS functions will not be able to migrate to the  current version of ISE for network device identity management which is  often acceptable for customers who prefer to keep user and network  identity on separate systems.

• ACS and HA

  Hello,
  The purpose is to use a 802.1X authentication with ACS server, AD and high availibility.
  I have 2 sites with one AD with a 4 mega link bandwidth and one ACS for each site.
  I know that it is possible to use ACS active/passive mode with replication of database.
  but I also read that it's possible to use 2 groups on ACS and use HA,and my question is
  In my configuration with one AD and 2 ACS, can I use this functionality ?
  Is it possible to know the bandwidth between ACS in case of replication or active/active mode?
  Regards

  You can make it active / active too... Second Only one AD it is not at all problem. As sson as it need one IP or Name of AD server. Specify same name at both server. It will be replicate.
  Regards,
  Dharmesh Purohit

• Cisco Secure ACS and Windows NLB

  Hi,
  I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
  Has anyone had any success with ACS and Microsoft NLB? I can?t find any documentation to suggest that they are incompatible but I think this may be the case.
  Thanks,
  Neil

  Neil,
  ACS is not tested with NLB but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
  Do you see any hits on acs ? If you sniff the acs interface, what is the source IP address ? Is it clustered ip or clustered host IP ??
  Also on acs --->Network configuration add aaa client with host IP and clustered ip . Now see if acs responds to NLB.
  Regards,
  ~JG

• ACS and CAR integration

  Hi,
  Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
  I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
  Thanks,
  Habib U Dashti

  Hi Habib,
  Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so as DB-2, The other way round is that you can convert DB-2 database in flat file structure and import it into ACS database. Regarding limitations or issues i do not have any info.
  And CAR has its own database & does not support DB-2.
  Thanks.