SA520 policy-nat for IPsec

I'm evaluating the SA500 series.  Running v1.1.42.  I do not immediately see a way to do policy-nat.  Does the feature not exist?

It would be something like:
access-list POLICY_NAT extended permit ip
static (inside,outside)    access-list POLICY_NAT
access-list OUTSIDE_CRYPTOMAP extended permit ip < destination >
Thanks
Ajay

Similar Messages

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure whether we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT.
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations, if you want to try:
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command.
    For example:
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • Make nat for one of IPSECs.

    I have interfaces:
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address XXXXXXXXXXXX
    interface Ethernet0/1
    speed 100
    nameif inside
    security-level 100
    ip address 10.10.11.254 255.255.252.0
    I have two running IPSECs:
    office# sh run | i SECURE 60
    crypto map SECURE 60 match address 154
    crypto map SECURE 60 set peer XXXXXXXXXXX
    crypto map SECURE 60 set transform-set XXXXXX
    crypto map SECURE 60 set security-association lifetime seconds 28800
    office# sh run | i 154
    access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.216.21.0 255.255.255.0
    access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.213.21.0 255.255.255.0
    office# sh run | i SECURE 7
    crypto map SECURE 7 match address 174
    crypto map SECURE 7 set peer XXXXXXXXX
    crypto map SECURE 7 set transform-set cheloffice
    office# sh access-list 174
    access-list 174; 4 elements; name hash: 0x3c4d6b51
    access-list 174 line 1 extended permit ip 10.216.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2) 0xd111355f
    access-list 174 line 2 extended permit ip 10.213.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2649) 0x8a0e6120
    access-list 174 line 3 extended permit ip 10.10.8.0 255.255.252.0 10.10.74.0 255.255.255.0 (hitcnt=2658) 0xd0cbe48f
    access-list 174 line 4 extended permit ip 10.3.0.0 255.255.0.0 10.10.74.0 255.255.255.0 (hitcnt=215) 0xea945cf7
    office#
    10.213.21.0/24 doesn't know about 10.10.74.0/24. I want to make NAT for 10.10.74.0/24.
    I did:
    global (outside) 74 10.10.10.128 netmask 255.255.255.248
    nat (outside) 74 10.10.74.0 255.255.255.0
    But I still can't access from 10.10.74.1 to 10.213.21.1.
    I see NAT works:
    office# sh nat ou ou
      match ip outside 10.10.74.0 255.255.255.0 outside any
        dynamic translation to pool 74 (10.10.10.128)
        translate_hits = 0, untranslate_hits = 0
    office#
    Packet tracer shows:
    office# packet-tracer i o i 10.10.74.1 0 0 10.213.21.1
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group OUTSIDE in interface outside
    access-list OUTSIDE extended permit icmp any any echo-reply
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    description netflow
    class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: IDS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: NAT
    Subtype:
    Result: DROP
    Config:
    nat (outside) 74 10.10.74.0 255.255.255.0
      match ip outside 10.10.74.0 255.255.255.0 outside any
        dynamic translation to pool 74 (10.10.10.128)
        translate_hits = 1, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    So, what am I missing?

    Hi Sergey,
    Pankaj is right.
    You'd better use NAT exemption for the traffic between two peers connected via VPN, also if the traffic comes from the outside interface and exits the same interface.
    But, actually, the last two words I wrote, "same interface", are very important: by default firewalls (at least Cisco ones) don't let the same traffic enter an interface and exit the same interface. I said by default, yes, but you can change it by applying the config command:
    same-security-traffic permit intra-interface
    If you haven't already enabled this, you have to.
    Also, I'd better put the "set reverse-route" line in the crypto map conf for both tunnels. Yes, from the packet tracer I can see you have a default route, but for VPN tunnels I always prefer to specify it, just to be sure.
    Best regards,
    Alessio

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan and give this a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configured the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration can be seen below for the NAT part:
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Policy Nat on cisco router

    Hi Dears.
    I configured a site-to-site VPN on a router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is
    10.103.70.0/24. Our local subnet also has access to the internet.
    local subnet: 10.10.3.70.0/24
    peer local subnet: 10.193.128.11/23
    I think that I must do policy NAT.
    1. ip access-list extended vpn-traffic  
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    2. ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    And I also have PAT NAT for local users.
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    Is this configuration right?
    Please write your comment.
    Thanks.

    OK, thanks.
    In the end our configuration is this:
    access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    for vpn traffic:
    ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    ip access-list extended vpn-traffic 
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    You said that this configuration would help me with my aim.
    Thanks again.

  • Policy NAT 8.6(1)2 Windows Server Cluster

    We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
    Thanks,
    Andrew

    Hi,
    The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
    Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
    MAIL SERVER STATIC NAT
    object network MAIL-SERVER
    host 10.0.0.1
    nat (inside,outside) static 10.10.10.140
    The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also, but I prefer Auto NAT / Network Object NAT.
    MAIL SERVER DYNAMIC PAT
    object-group network MAIL-PAT-SOURCE
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    network-object host 10.0.0.3
    object network MAIL-SERVER-PUBLIC
    host 10.10.10.140
    nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    The above is a normal Dynamic PAT configuration (no Policy elements involved).
    The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
    If you had your existing Dynamic PAT for all users already with a configuration similar to the last configuration example, then you would have to add a line number to the NAT configuration like this:
    nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    DEFAULT DYNAMIC PAT FOR USERS
    nat (inside,outside) after-auto source dynamic any interface
    The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command it will be at a lower priority and won't apply for the 3 source hosts we specified above.
    I wonder if I made this out to be more complicated than it needs to be.
    I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA.
    Hope this helps.
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni
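    The Section 1/2/3 ordering Jouni describes, modelled as an added example (not code from the thread or from Cisco). The rule names and host addresses are the illustrative values from his post; the three scenarios are assumptions used to show what happens when the catch-all PAT is already present and the mail PAT is entered without a line number.

```python
"""Model of ASA 8.3+ NAT rule sections.

Added example, not code from the thread or from Cisco. Rules are looked up
Section 1 (manual NAT), then Section 2 (network-object / Auto NAT), then
Section 3 (manual NAT entered with 'after-auto'); the first rule whose real
source covers the packet's source wins. Within Section 3 the configuration
order decides, and the optional line number in
'nat (inside,outside) after-auto 1 source dynamic ...' picks the position.
Section 2's own internal sorting is simplified to configuration order here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int            # 1, 2 or 3
    real: Tuple[str, ...]   # real (inside) sources in CIDR notation
    mapped: str             # mapped address, or "interface" for interface PAT

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        return any(src in ipaddress.ip_network(n) for n in self.real)


def add_rule(table: List[NatRule], rule: NatRule,
             line: Optional[int] = None) -> List[NatRule]:
    """Insert 'rule' into its section: at the end when no line number is
    given, otherwise at that 1-based position inside the section."""
    same = [i for i, r in enumerate(table) if r.section == rule.section]
    if line is None or not same or line > len(same):
        pos = same[-1] + 1 if same else len(table)
    else:
        pos = same[line - 1]
    table.insert(pos, rule)
    return table


def lookup(table: List[NatRule], src_ip: str) -> Optional[NatRule]:
    src = ipaddress.ip_address(src_ip)
    # sorted() is stable, so configuration order survives inside a section
    for rule in sorted(table, key=lambda r: r.section):
        if rule.matches(src):
            return rule
    return None


def mapped_for(table: List[NatRule], src_ip: str) -> str:
    rule = lookup(table, src_ip)
    return rule.mapped if rule else src_ip


# Rules from Jouni's post (host addresses are his illustrative values).
MAIL_STATIC = NatRule("object network MAIL-SERVER static", 2,
                      ("10.0.0.1/32",), "10.10.10.140")
MAIL_PAT = NatRule("after-auto source dynamic MAIL-PAT-SOURCE", 3,
                   ("10.0.0.1/32", "10.0.0.2/32", "10.0.0.3/32"), "10.10.10.140")
USERS_PAT = NatRule("after-auto source dynamic any interface", 3,
                    ("0.0.0.0/0",), "interface")


def build(scenario: str) -> List[NatRule]:
    """'correct'  : mail PAT entered before the catch-all (Jouni's order)
       'shadowed' : catch-all already present, mail PAT appended after it
       'fixed'    : catch-all already present, mail PAT forced to line 1"""
    table: List[NatRule] = []
    add_rule(table, MAIL_STATIC)
    if scenario == "correct":
        add_rule(table, MAIL_PAT)
        add_rule(table, USERS_PAT)
    elif scenario == "shadowed":
        add_rule(table, USERS_PAT)
        add_rule(table, MAIL_PAT)
    elif scenario == "fixed":
        add_rule(table, USERS_PAT)
        add_rule(table, MAIL_PAT, line=1)
    else:
        raise ValueError(scenario)
    return table


if __name__ == "__main__":
    for scenario in ("correct", "shadowed", "fixed"):
        table = build(scenario)
        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.50"):
            rule = lookup(table, ip)
            print(f"{scenario:9} {ip:10} -> {mapped_for(table, ip):13} via {rule.name}")
```

    In the "shadowed" scenario the second mail server is PATed to the interface address, which is exactly the inconsistent reverse-DNS situation the question describes.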

  • DAP rule for IPSec clients

    I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

    Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.
    Thanks
    Brian

  • Bypass NAT for single printer IP

    Hi all,
    I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)
    We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.
    Is this possible and how would I go about doing it?
    Many thanks
    Jamie

    Yeah, it's really frustrating that we can't solve it.
    Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443) but it still doesn't seem to communicate. Apparently that IP in the config is the source but I wouldn't mind opening those ports globally for all IPs.
    Here is the current config.
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.100.104.2 255.255.248.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.29.8.1 255.255.248.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa845-k8.bin
    ftp mode passive
    object network any-inside
    subnet 0.0.0.0 0.0.0.0
    object network TSTC-Printing
    host 172.29.8.20
    object service tcp_9100
    service tcp source eq 9100 destination eq 9100
    object network TCSC-Printing
    object network PRINTER
    host 10.100.104.20
    object network Portico
    host 172.29.8.46
    object network Eportal
    host 172.29.8.36
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 52221
    port-object eq 52222
    port-object eq https
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
    access-list outside_access_in remark Form Pearson Exam Software
    access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
    access-list outside_access_in extended permit ip any object TSTC-Printing
    access-list outside_access_in extended permit ip any object Portico
    access-list outside_access_in extended permit ip any object Eportal
    access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any
    access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20
    pager lines 24
    logging enable
    logging timestamp
    logging monitor informational
    logging buffered informational
    logging trap informational
    logging asdm informational
    logging host inside 172.29.10.226 format emblem
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    object network any-inside
    nat (inside,outside) dynamic interface
    object network TSTC-Printing
    nat (inside,outside) static 10.100.104.20
    object network Portico
    nat (inside,outside) static 10.100.104.5
    object network Eportal
    nat (inside,outside) static 10.100.104.4
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 1234
    http 192.168.1.0 255.255.255.0 management
    http 172.29.8.0 255.255.248.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 172.29.8.0 255.255.248.0 inside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.10-192.168.1.20 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username password encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    Many thanks

  • Policy nat address pool

    I have an internal firewall between two private networks.
    I want all addressing on the inside to use the global, and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses.
    The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works.
    Here's the config:
    global (outside) 1 10.130.29.2
    nat (inside) 1 access-list nat
    access-list nat deny ip host 10.7.2.206 any
    access-list nat deny ip host 10.7.2.207 any
    access-list nat permit ip any any
    I've added:
    object-group network SERVERS
      network-object host 195.104.88.151
      network-object host 195.104.88.152
      network-object host 195.104.88.153
    access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
    global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128
    nat (inside) 2 access-list serv_acl
    The SERVERS are on another network beyond the firewall but I need to translate any address from the internal to pool 2. I can connect using the global, but after applying the added config above the connection is still using the global. The xlate was cleared.
    Is the subnet mask correct for the pool?
    Any help appreciated.

    Hi,
    So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?
    I think this is because of the NAT ordering.
    I am not sure if the "ID" of the NAT configuration has any meaning, but I would try changing the NAT configuration in the following way:
    no global (outside) 1 10.130.29.2
    no nat (inside) 1 access-list nat
    global (outside) 100 10.130.29.2
    nat (inside) 100 access-list nat
    Then perhaps "clear xlate" if situation permits.
    This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.
    Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.
    Can you try this out and see how it goes?
    - Jouni
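    The first-match behaviour Jouni is relying on, as an added example (not code from the thread or from Cisco): the two policy NAT rules and their ACLs are taken from the post, and the model assumes that the rules are evaluated in configuration order while the NAT ID only ties a nat line to its global pool.

```python
"""First-match model of pre-8.3 ASA policy dynamic NAT.

Added example, not from the thread. A 'nat (inside) N access-list X' rule
applies to a flow when ACL X permits it; the rules are checked in the order
they appear in the configuration (assumption of this model: the NAT ID only
ties a 'nat' line to its 'global' pool and does not decide precedence).
Exemption (nat 0) and static rules, which the ASA checks earlier, are
left out because the post uses neither.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str             # CIDR
    dst: str             # CIDR
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst))


def acl_permits(acl: Sequence[Ace], flow: Flow) -> bool:
    """First matching ACE decides; no match is an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class PolicyNat:
    nat_id: int
    acl: Sequence[Ace]
    global_pool: str     # addresses of the matching 'global (outside) <id>'


def pick_nat(rules: Sequence[PolicyNat], flow: Flow) -> Optional[PolicyNat]:
    """Return the first policy NAT rule whose ACL permits the flow."""
    for rule in rules:
        if acl_permits(rule.acl, flow):
            return rule
    return None   # would fall through to regular NAT / no translation


def mapped_pool(rules: Sequence[PolicyNat], flow: Flow) -> Optional[str]:
    rule = pick_nat(rules, flow)
    return rule.global_pool if rule else None


ANY = "0.0.0.0/0"
# access-list nat (from the post)
ACL_NAT = (Ace("deny", "ip", "10.7.2.206/32", ANY),
           Ace("deny", "ip", "10.7.2.207/32", ANY),
           Ace("permit", "ip", ANY, ANY))
# access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
SERV_ACL = tuple(Ace("permit", "tcp", "10.0.0.0/8", f"195.104.88.{h}/32", 23)
                 for h in (151, 152, 153))

POOL_1 = "10.130.29.2"
POOL_2 = "10.130.29.117-10.130.29.126"

# Order as the original poster entered it: the catch-all comes first.
ORIGINAL = (PolicyNat(1, ACL_NAT, POOL_1), PolicyNat(2, SERV_ACL, POOL_2))
# Jouni's suggestion: re-enter the catch-all (as ID 100) so it comes last.
REORDERED = (PolicyNat(2, SERV_ACL, POOL_2), PolicyNat(100, ACL_NAT, POOL_1))


if __name__ == "__main__":
    telnet = Flow("10.7.2.10", "195.104.88.151", "tcp", 23)
    print("original :", mapped_pool(ORIGINAL, telnet))   # 10.130.29.2 (shadowed)
    print("reordered:", mapped_pool(REORDERED, telnet))  # 10.130.29.117-10.130.29.126
```

    Running the model also shows that the two hosts denied in "access-list nat" reach the server rule even in the original order, because a deny in a policy NAT ACL only means "this rule does not apply", not "drop".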

  • PDM does not support Policy nat

    I have had to build a VPN on a PIX 6.34 using policy NAT; however, this has now made the PDM practically unusable. Is there a way to do this without disabling the PDM?

    Yes it is possible to configure NAT with PDM. Make sure the static NAT configuration is right.
    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694. For example static (DMZ, inside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0 . Format should always be Static(DMZ, *) if x.x.x.x is on DMZ.

  • No log for am policy agent for iis6

    Hello!
    I'm trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial configuration.
    When I try to browse the resource I get a login prompt (IIS Basic Auth) and cannot log in, followed by "Not Authorized 401.3".
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory is empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, then the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when uninstalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter
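    As an added example (not from the original post and not the Sun/OpenSSO agent's own code), the following Python is a simplified model of the not-enforced-list evaluation described in the comments above: wildcard matching, the notenforced_list.invert flag, and the path-info stripping controlled by ignore_path_info, using the "?hack.gif" and reverse-proxy cases from the comments as constructed inputs. The Request type, the path_info field and the function names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Request:
    """A request as the web server hands it to the agent (constructed model)."""
    url: str        # full request URL, query string included
    path_info: str  # PATH_INFO as reported by the web server, "" if none


def wildcard_match(pattern: str, uri: str) -> bool:
    """Not-enforced-list style matching: '*' matches any run of characters
    (including '/'), everything else is literal, and the whole URI must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, uri) is not None


def uri_for_matching(req: Request, pattern: str, ignore_path_info: bool) -> str:
    """Model of the agent's path-info stripping (ignore_path_info=false, the
    default): when the pattern carries a '*', drop the query string and the
    PATH_INFO suffix before matching, so that appending a matching pattern to
    an arbitrary URI cannot turn it into a not-enforced resource.
    With ignore_path_info=true the full URL is matched as-is."""
    if "*" not in pattern or ignore_path_info:
        return req.url
    parts = urlsplit(req.url)
    path = parts.path
    if req.path_info and path.endswith(req.path_info):
        path = path[: -len(req.path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_not_enforced(req: Request, patterns: list[str], invert: bool = False,
                    ignore_path_info: bool = False) -> bool:
    """True if the request needs no authentication under the given list.
    invert=True (notenforced_list.invert) turns the list into an enforced list:
    the whole site is open except for URLs that match an entry."""
    matched = any(
        wildcard_match(p, uri_for_matching(req, p, ignore_path_info))
        for p in patterns
    )
    return matched != invert


if __name__ == "__main__":
    # Constructed inputs taken from the cases described in the config comments.
    gif_only = ["http://host/*.gif"]
    smuggled = Request("http://host/index.html?hack.gif", "")
    print("default  :", is_not_enforced(smuggled, gif_only))                         # False
    print("ignore_pi:", is_not_enforced(smuggled, gif_only, ignore_path_info=True))  # True

    # Reverse-proxy case: the web server reports the servlet path as PATH_INFO,
    # so the default stripping leaves only http://host/webapp and the entry
    # http://host/webapp/servcontext/* no longer matches.
    proxied = Request("http://host/webapp/servcontext/example.jsp",
                      "/servcontext/example.jsp")
    webapp = ["http://host/webapp/servcontext/*"]
    print("proxied default  :", is_not_enforced(proxied, webapp))                        # False
    print("proxied ignore_pi:", is_not_enforced(proxied, webapp, ignore_path_info=True))  # True
```

    The two runs of each case show the trade-off the comments describe: the default keeps the query-string trick out, while ignore_path_info=true restores matching behind a reverse proxy only if nothing follows the '*' in the list entries.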

    If the agent does not start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url; if that's not specified you will get a 403.
    For the agent itself, check that the naming.url is correct, the agent username and passwords are correct, and see that the user has privileges to write to the agent log files. Apart from these, post the Windows event logs.

  • Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?

    Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?
    I have a customer having a world of issues getting the agent to start.
    Jeff Courtade

    No. 64bit support is not there for 2.1 agents on Windows.
    -Subba

  • Unable to locate unrestricted policy files for the Sun JCE for download

    My platform:
    java version "1.6.0_26"
    Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
    Oracle JRockit(R) (build R28.1.4-7-144370-1.6.0_26-20110617-2130-windows-x86_64, compiled mode)
    I am unable to locate the Unlimited Strength Jurisdiction JCE files.
    According to BouncyCastle for Java 1.6:
    ..."you must download the unrestricted policy files for the Sun JCE if you want the provider to work properly. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE."

    The version at the very bottom of http://www.oracle.com/technetwork/java/javase/downloads/index.html should work.

  • Open Nat for WRT54GSV4

    OK, I've been trying to get my NAT set to open for MW2 for a bit now but can't seem to figure out what the problem is. Can anyone please help me with opening the NAT for this router for Modern Warfare 2 on the PC, not Xbox or PS3. Any help would be appreciated, thanks.

    Honestly I've never had to mess with my router's ports before and honestly don't know exactly how to do it right. I know where to go in the router's settings; I'm just a bit foggy on what numbers to put in where. There are 4 boxes across each line, 2 for port triggering and 2 for port forwarding, then the option to enable it. Don't mean to sound like an idiot but a bit more help would be greatly appreciated. Thanks for the help btw greencross

  • Authorization issue with J2EE Policy Agent for AS7

    Following the documentation I have created a simple J2EE application with a servlet and 2 JSPs. The 2 JSPs, customer.jsp and admin.jsp, are mapped to /customer and /admin. The entire web application is subject to a filter like:
    <filter>
        <filter-name>Agent</filter-name>
        <display-name>Agent</display-name>
        <description>SunTM ONE Identity Server Policy Agent for SunTM ONE Application Server 7.0</description>
        <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    The two resources /customer and /admin are subject to security constraints like:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>col2</web-resource-name>
            <url-pattern>/customer</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>customer</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    The role-to-principal mapping is done in the sun-web.xml like:
    <security-role-mapping>
        <role-name>customer</role-name>
        <group-name>customer</group-name>
        <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
        <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    Two roles, 'customer' and 'admin', are created via the identity server console and users are added to these roles.
    The application deploys OK; when the app is accessed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the two JSPs. All is good till now, but when the user accesses one of these links, say /customer, access is denied (403). The server log prints out:
    [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
    [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
    Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does return the correct groups, viz. customer, admin, anyone.
    PLEASE HELP

    -- Second Update --
    After policy installation I got several problems with the PeopleSoft configuration. These were finally solved.
    1. Some URLs have to be defined as not enforced.
    com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
    com.sun.am.policy.amFilter.notenforcedList[2]=*.css
    com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
    2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
    /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
    byPassSignon=TRUE
    defaultUserid="DEFAULT_USER"
    defaultPWD="your password"
    signon_page=amsignin.html
    signonError_page=amsignin.html
    logout_page=amsignin.html
    expire_page=amsignin.html
    However, in the newer versions of PeopleSoft these properties are controlled from the online PeopleSoft console. They are set on:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that have to be changed are:
    Allow Public Access (checked)
    User ID : DEFAULT_USER
    Password : your password
    HTTP Session Inactivity : (SSO TIMEOUT)
    and:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
    In section "SignOn/Logout" set the following values:
    Signon Page : amsignin.html
    Signon Error Page : amerror.html
    Logout Page : amsignout.html
    Note: After making any changes on the console; restart PIA (weblogic instance).
    With this the SSO with PeopleSoft is working OK.
    Message was edited by:
    LpzYlnd
