TUNNEL UP BUT NO TRAFFIC PASSING THROUGH

Hello, we have a customer that has been working with us for about a month with no problem. We set up a connection between a FortiGate firewall and a Cisco 2811. Now the tunnel is up but no traffic is going through it in either direction. I remade the whole configuration for this customer: key, crypto map and access list. The tunnel comes up but again, no traffic is coming or going.
Any hints ?
Thanks.

Hi,
Below is an excellent document on Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
If this doc does not help, do post your configuration along with the Src and Dest IP Addresses that you are trying to ping across the tunnel.
Regards,
Arul
*Pls rate if it helps*
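Added example (not from the thread above, and not code from either vendor): a small Python check for the most common cause of this exact symptom, phase 2 selectors (proxy IDs) that are not exact mirror images of each other. IKE will happily bring the tunnel up with one side's selector narrower than the other's, and the SA that forms then matches a different set of packets than the ones you are pinging. The script parses an IOS crypto ACL and a FortiGate phase2-interface block and reports every pair that does not line up; all addresses and names in it are constructed sample data. The other thing to verify with the same packet is that the 2811's NAT rule exempts the tunnelled traffic, otherwise the packet is translated before the crypto map ever sees it.

```python
"""Added example (not from the original thread): check that the interesting-traffic
definitions on both ends of a site-to-site IPsec tunnel are mirror images.

All addresses and names below are constructed sample data, not the poster's config.
"""
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (source network, destination network)


def wildcard_to_prefixlen(wildcard: str) -> int:
    """IOS ACLs use inverse masks: 0.0.0.255 means /24. Raises on a discontiguous mask."""
    inv = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net(f"0.0.0.0/{ipaddress.IPv4Address(inv)}").prefixlen


def _ios_operand(toks: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return Net("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return Net(f"{toks[1]}/32"), toks[2:]
    plen = wildcard_to_prefixlen(toks[1])
    return Net(f"{toks[0]}/{plen}", strict=False), toks[2:]


def parse_ios_crypto_acl(text: str, acl: str) -> List[Selector]:
    """(src, dst) pairs from every 'access-list <acl> permit ip ...' line."""
    selectors = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:4] != ["access-list", acl, "permit", "ip"]:
            continue
        src, rest = _ios_operand(toks[4:])
        dst, _ = _ios_operand(rest)
        selectors.append((src, dst))
    return selectors


def parse_fortigate_phase2(text: str) -> List[Selector]:
    """(src, dst) per 'edit' block under 'config vpn ipsec phase2-interface'.
    A selector left unset is 0.0.0.0/0, which is the FortiGate default."""
    selectors, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("edit "):
            cur = {"src": Net("0.0.0.0/0"), "dst": Net("0.0.0.0/0")}
        elif s == "next" and cur is not None:
            selectors.append((cur["src"], cur["dst"]))
            cur = None
        elif cur is not None:
            m = re.match(r"set (src|dst)-subnet (\S+) (\S+)$", s)
            if m:
                cur[m.group(1)] = Net(f"{m.group(2)}/{m.group(3)}", strict=False)
    return selectors


def compare_selectors(ios: List[Selector], forti: List[Selector]) -> List[str]:
    """Mismatch descriptions; an empty list means the two sides mirror each other."""
    ios_set = set(ios)
    mirrored = {(dst, src) for (src, dst) in forti}  # FortiGate pairs seen from the IOS side
    problems = []
    for src, dst in sorted(ios_set - mirrored, key=str):
        problems.append(f"IOS permits {src} -> {dst}; FortiGate has no mirrored selector")
    for src, dst in sorted(mirrored - ios_set, key=str):
        problems.append(f"FortiGate expects {src} -> {dst} (IOS view); crypto ACL has no such line")
    return problems


def packet_matches(selectors: List[Selector], src_ip: str, dst_ip: str) -> bool:
    """Would a packet src_ip -> dst_ip be 'interesting' on this side?"""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in selectors)


# Constructed sample configs. The second FortiGate entry deliberately uses a /24 where
# the IOS side uses a single host: the kind of asymmetry that leaves a tunnel "up" but idle.
SAMPLE_IOS = """\
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 110 permit ip host 192.168.10.5 172.16.0.0 0.0.0.255
"""
SAMPLE_FORTI = """\
config vpn ipsec phase2-interface
    edit "to-cisco-lan"
        set src-subnet 10.20.0.0 255.255.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "to-cisco-host"
        set src-subnet 172.16.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
"""
IOS_SELECTORS = parse_ios_crypto_acl(SAMPLE_IOS, "110")
FORTI_SELECTORS = parse_fortigate_phase2(SAMPLE_FORTI)

if __name__ == "__main__":
    for p in compare_selectors(IOS_SELECTORS, FORTI_SELECTORS) or ["selectors mirror each other"]:
        print(p)
```

Run as-is it prints the two mismatches in the sample. With your own configs, a non-empty list means the SA that IKE built covers different packets than the ones you are testing with; `show crypto ipsec sa` on the 2811 should then show the local/remote ident pair you expected, and its encaps and decaps counters should both increase while you ping.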

Similar Messages

  • Does user traffic pass through Controller and Aironet 1030?

    Hi All,
    I want to work through some questions for which I cannot find exact guidance from Cisco. I intend to implement two Airespace 2000 controllers and some 1010s and one 1030 in my main office and branch office. At present, there is a 512 kbps WAN link between these two offices, so I don't want the traffic within the branch office to pass through the WAN link. Therefore, I intend to use the solution where one controller stays in the main office to serve the 1010s in the main office and one controller stays in the remote office to serve the 1010s in the remote office. But the remote site only needs one AP, so I would like to have one 1030 stay in the branch office and two controllers stay in the main office to provide controller redundancy. I would like to know: does the clients' traffic pass through the link between the 1030 and the controller the same as with the 1010? I am very confused about whether the 1030 has this feature, because I only found some blurry instructions on the 1030 from Cisco.
    Further, if I place one of the controllers in the remote office, how can I control the APs in the remote office to choose the local controller instead of the controller in the main office using the Layer 3 discovery method? Does anyone know? Thanks!
    Jason,
    best regards,

    Hi Jason,
    Hopefully this info will clear this up for you;
    Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
    A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
    Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
    Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
    A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
    At times of WAN link outage, all WLANs except the first is decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
    Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
    If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
    From this doc;
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
    Hope this helps!
    Rob
    Please remember to rate helpful posts.....

  • Black box able to log traffic passing through...

    Hi
    I'm looking for a box able to sniff the TCP/IP traffic (source IP address, destination IP address and ports) passing from its ingress interface to the egress interface and vice versa (a bypass option if this box fails would be useful) without any change to the traffic passing through, just logging it and sending this log to a syslog server.
    We need it as a solution to be compliant with the new law against computer criminals, where it is written that all internet traffic has to be logged (we sometimes offer transparent internet access to our customers where we do not put any kind of equipment such as a firewall, proxy or anything else, only the router providing the internet access).
    Do you know if Cisco provide something like that ? Other vendors ?
    Any other idea how to be compliant with this request ?
    Thanks
    Pls advise
    Ric

    The Cisco Intrusion Prevention System Sensor can be used to log IP traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify. You can also have the sensor log IP packets every time a particular signature fires. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged.

  • Only some of the traffic passing through inline vlan pair

    Here is my network setup
       firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
    configuration in core switch
    interface GigabitEthernet1/2.11
    description **** ****
    encapsulation dot1Q 211
    ip vrf forwarding VRF11
    ip address 10.2.11.73 255.255.255.248
    ip ospf network point-to-point
    standby 1 ip 10.2.11.75
    standby 1 priority 110
    standby 1 preempt
    interface GigabitEthernet1/2.37
    description **** ****
    encapsulation dot1Q 237
    ip vrf forwarding VRF37
    ip address 10.2.37.73 255.255.255.248
    ip ospf network point-to-point
    standby 1 ip 10.2.37.75
    standby 1 priority 110
    standby 1 preempt
    interface TenGigabitEthernet9/1.11
    description ****   ****
    encapsulation dot1Q 311
    ip vrf forwarding VRF11
    ip address 10.2.11.2 255.255.255.252
    ip ospf network point-to-point
    interface TenGigabitEthernet9/1.12
    description ****   ****
    encapsulation dot1Q 312
    ip vrf forwarding VRF12
    ip address 10.2.12.2 255.255.255.252
    ip ospf network point-to-point
    configuration in Distribution switch:
    interface TenGigabitEthernet9/1.11
    description ****  ****
    encapsulation dot1Q 311
    ip vrf forwarding VRF11
    ip address 10.2.11.1 255.255.255.252
    no ip route-cache
    ip ospf network point-to-point
    interface TenGigabitEthernet9/1.37
    description ********
    encapsulation dot1Q 337
    ip vrf forwarding VRF37
    ip address 10.2.37.1 255.255.255.252
    no ip route-cache
    ip ospf network point-to-point
    I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module;
    I am using the monitoring port gi0/8.
    Config in core switch:
    intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
    IDSM
    physical-interfaces GigabitEthernet0/8
    subinterface-type inline-vlan-pair
    subinterface 11
    description
    vlan1 211
    vlan2 311
    exit
    subinterface 37
    description
    vlan1 237
    vlan2 337
    exit
    The problem I am facing is that some of the VLAN-pair traffic passes through the IDSM and some does not. Here are the statistics:
    MAC statistics from interface GigabitEthernet0/8
       Statistics From Subinterface 11
          Statistics From Vlan 211
             Total Packets Received On This Vlan = 0
             Total Bytes Received On This Vlan = 0
             Total Packets Transmitted On This Vlan = 0
             Total Bytes Transmitted On This Vlan = 0
          Statistics From Vlan 311
             Total Packets Received On This Vlan = 0
             Total Bytes Received On This Vlan = 0
             Total Packets Transmitted On This Vlan = 0
             Total Bytes Transmitted On This Vlan = 0
    Statistics From Subinterface 37
          Statistics From Vlan 237
             Total Packets Received On This Vlan = 3189658726
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 3549575166
             Total Bytes Transmitted On This Vlan = 64165872092928
          Statistics From Vlan 337
             Total Packets Received On This Vlan = 3549575166
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 3189658726
             Total Bytes Transmitted On This Vlan = 64165872092928
       Statistics From Subinterface 38
          Statistics From Vlan 238
             Total Packets Received On This Vlan = 2215151150
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 126546964
             Total Bytes Transmitted On This Vlan = 64165866995200
          Statistics From Vlan 338
             Total Packets Received On This Vlan = 126546964
             Total Bytes Received On This Vlan = 64165866995200
             Total Packets Transmitted On This Vlan = 2215151150
             Total Bytes Transmitted On This Vlan = 64165872092928
    Experts, give me an idea so that I can resolve this issue.
    Help me, thanks in advance.

    I believe the issue is because of the config below:
    interface GigabitEthernet1/2.11
    description **** ****
    encapsulation dot1Q 211
    ip vrf forwarding VRF11
    ip address 10.2.11.73 255.255.255.248
    ip ospf network point-to-point
    standby 1 ip 10.2.11.75
    standby 1 priority 110
    standby 1 preempt
    encapsulation dot1Q 311
    ip vrf forwarding VRF11
    ip address 10.2.11.2 255.255.255.252
    ip ospf network point-to-point
    interface TenGigabitEthernet9/1.12
    description ****   ****
    encapsulation dot1Q 312
    ip vrf forwarding VRF12
    ip address 10.2.12.2 255.255.255.252
    ip ospf network point-to-point
    As you can see, we have two IP subnets in VRF 11, .73 and .2, in VLANs 211 and 311 respectively.
    The switch is doing inter-VLAN routing directly without having to go through the IDSM for VRF 11.
    What we need to remember is that the IDSM does not do routing; it can only bridge VLANs.
    Hence we have to force the packet to go through the IDSM.
    Here is what we do when we use the IDSM to see traffic going between VLANs:
    Normally, with VLANs and IDSM inline mode, we have one IP subnet and two VLANs.
    IDSM-2 in inline mode necessitates an additional artificial VLAN on the SAME subnet as the VLAN you wish to sense.
    A Layer 3 switch interface needs to be configured within this additional artificial VLAN.
    In a nutshell, we need to create two VLANs that share one IP subnet and put an SVI on only one of the VLANs.
    In your case you will need one IP subnet between VLANs 211 and 311 in VRF 11 to force the data to go through the IDSM.
    I can understand if this is a bit tricky to understand.
    Please go through my design document for IDSM inline mode, which explains the basic concepts and the packet walk in detail.
    It will explain why we need the above and how ARP makes the MAC address table populate the correct entries (with one IP subnet for two VLANs) so that traffic goes through the IDSM.
    https://supportforums.cisco.com/docs/DOC-12206
    - Sid
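Added example (not from the thread, and not Cisco code): the diagnosis above can be turned into a check that runs over the configs. The IDSM only bridges frames between the two VLANs of a pair, so if the same switch has a routed subinterface on both VLANs in the same VRF, packets between them are routed in hardware and the sensor never sees them. The script parses the core-switch subinterfaces and the IDSM inline-vlan-pair block quoted in the post (only the blocks the check needs are reproduced) and reports, per pair, whether the switch routes around the sensor. For pair 11 it reproduces Sid's finding; for pair 37 only VLAN 237 is routed on the core, which is why that pair shows traffic.

```python
"""Added example (not from the thread): audit IDSM inline-VLAN-pair definitions against the
switch's Layer 3 subinterfaces. Sample input is the core-switch and IDSM config from the post,
trimmed to the blocks the check needs.
"""
import ipaddress
import re
from typing import Dict, Tuple


def parse_switch_l3(text: str) -> Dict[int, dict]:
    """Map dot1Q VLAN id -> {'name', 'vrf', 'ip'} for every addressed subinterface."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "vlan": None, "vrf": "global", "ip": None}
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"encapsulation dot1[Qq] (\d+)", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.match(r"ip vrf forwarding (\S+)", line):
            cur["vrf"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return {b["vlan"]: b for b in blocks if b["vlan"] is not None and b["ip"] is not None}


def parse_idsm_pairs(text: str) -> Dict[int, Tuple[int, int]]:
    """Map IDSM subinterface number -> (vlan1, vlan2)."""
    pairs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"subinterface (\d+)$", line):   # not 'subinterface-type ...'
            cur = int(m.group(1))
            pairs[cur] = {}
        elif cur is not None and (m := re.match(r"vlan([12]) (\d+)$", line)):
            pairs[cur][m.group(1)] = int(m.group(2))
    return {n: (v["1"], v["2"]) for n, v in pairs.items() if "1" in v and "2" in v}


def audit_pairs(pairs: Dict[int, Tuple[int, int]], l3: Dict[int, dict]) -> Dict[int, str]:
    """'BYPASS: ...' where the switch routes around the sensor, 'OK: ...' otherwise."""
    report = {}
    for n, (a, b) in pairs.items():
        ia, ib = l3.get(a), l3.get(b)
        if ia and ib and ia["vrf"] == ib["vrf"]:
            report[n] = (f"BYPASS: VLAN {a} ({ia['ip']}) and VLAN {b} ({ib['ip']}) are both "
                         f"routed in VRF {ia['vrf']}; traffic between them is routed, not "
                         "bridged through the IDSM")
        elif ia and ib:
            report[n] = (f"OK: VLANs {a}/{b} are routed in different VRFs ({ia['vrf']}/"
                         f"{ib['vrf']}); nothing on this switch routes between them")
        elif ia or ib:
            routed = a if ia else b
            report[n] = (f"OK: only VLAN {routed} is routed here; the other VLAN reaches "
                         "it through the IDSM bridge")
        else:
            report[n] = f"OK: neither VLAN {a} nor {b} is routed on this switch (pure L2 pair)"
    return report


# Core-switch subinterfaces quoted in the post (VLANs 211, 311 and 237; descriptions dropped).
CORE_SWITCH = """\
interface GigabitEthernet1/2.11
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
interface TenGigabitEthernet9/1.11
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
interface GigabitEthernet1/2.37
 encapsulation dot1Q 237
 ip vrf forwarding VRF37
 ip address 10.2.37.73 255.255.255.248
"""
# IDSM inline pair definition quoted in the post.
IDSM = """\
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
vlan1 211
vlan2 311
exit
subinterface 37
vlan1 237
vlan2 337
exit
"""
L3 = parse_switch_l3(CORE_SWITCH)
PAIRS = parse_idsm_pairs(IDSM)
REPORT = audit_pairs(PAIRS, L3)

if __name__ == "__main__":
    for n in sorted(REPORT):
        print(f"subinterface {n}: {REPORT[n]}")
```

The check is deliberately local to one switch: the distribution switch also has a routed interface in VLAN 311, which is fine, because it has none in VLAN 211. What matters is that no single device can route between the two VLANs of a pair.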

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different from the aaa authentication server-group.
    try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Does IPv6 traffic "pass-through" or "drop" by cisco waas?

    Since Cisco WAAS does not yet support IPv6, if I am running IPv4 and IPv6 in dual-stack mode on the same circuit, does IPv6 traffic get dropped by the WAAS, or does WAAS put IPv6 traffic in "pass-through" mode and let it go? I am thinking WAAS will treat IPv6 as non-IP traffic and will let it go. Am I right?

    Hi Joe and Kanwai,
    One note though: if you're running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
    Best Regards
    Finn Poulsen

  • High delay when traffic passes through the tunnel

    Hello,
    I have a DMVPN topology.
    When I try to ping the real IP on the hub's outside interface from the spoke, the delay is approximately 100 ms, but when I ping the tunnel IP address the delay becomes 4000 ms.
    Your help is really appreciated

    Can you post the configuration?
    Did you set the MTU of the tunnel interface correctly?
    Also check the switching (CEF/Process Switching) configuration.
    Regards
    Farrukh
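Added example (not from the thread, and not Cisco code): the MTU question above is worth doing as arithmetic, because the usual cause of a 4000 ms tunnel RTT next to a 100 ms physical RTT is that the tunnel MTU still says 1500, every full-size packet is fragmented after encryption, and the peer has to reassemble (and typically process-switch) it before it can decrypt. The script below works out the largest inner packet a GRE-over-IPsec tunnel can carry for a given cipher and hash, and the `ip mtu` / `ip tcp adjust-mss` pair that follows. ESP framing (SPI and sequence, IV, padding to the cipher block, pad-length and next-header bytes, ICV) is per RFC 4303; the 1500-byte link MTU and the choice of an mGRE tunnel key are assumptions stated in the code.

```python
"""Added example (not from the thread): tunnel MTU for GRE over ESP, the DMVPN case."""


def outer_size(inner_len: int, *, gre_key: bool = True, tunnel_mode: bool = False,
               block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    Defaults (assumed): mGRE with a tunnel key (8-byte GRE header), ESP transport
    mode, AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV).
    """
    gre = 4 + (4 if gre_key else 0)
    plain = inner_len + gre                 # GRE header + inner packet
    if tunnel_mode:
        plain += 20                         # tunnel mode also encrypts the GRE delivery header
    pad = (-(plain + 2)) % block            # payload + pad-len + next-header on a block boundary
    esp = 8 + iv + plain + pad + 2 + icv    # SPI+seq, IV, payload, padding, trailer, ICV
    return 20 + esp                         # outer IPv4 header


def max_inner_mtu(phys_mtu: int = 1500, **enc) -> int:
    """Largest inner packet whose encrypted, encapsulated form still fits phys_mtu.

    Padding makes the overhead non-linear, so search downward instead of subtracting.
    """
    for inner in range(phys_mtu, 0, -1):
        if outer_size(inner, **enc) <= phys_mtu:
            return inner
    raise ValueError("link MTU too small for the encapsulation overhead")


def recommend(phys_mtu: int = 1500, **enc) -> dict:
    """Tunnel 'ip mtu' and the TCP MSS that fits it (MTU minus 20-byte IP and 20-byte TCP)."""
    mtu = max_inner_mtu(phys_mtu, **enc)
    return {"ip mtu": mtu, "ip tcp adjust-mss": mtu - 40,
            "wire bytes at ip mtu": outer_size(mtu, **enc)}


if __name__ == "__main__":
    for label, enc in [("AES-CBC/SHA1 transport", {}),
                       ("AES-CBC/SHA1 tunnel mode", {"tunnel_mode": True}),
                       ("3DES/MD5 transport", {"block": 8, "iv": 8})]:
        print(f"{label:26} {recommend(**enc)}")
```

The exact maximum for AES-CBC/SHA1 in transport mode over a 1500-byte link comes out at 1430; the common `ip mtu 1400` / `ip tcp adjust-mss 1360` recommendation simply leaves headroom for a longer ICV or an extra header on the path. Confirm the chosen value from the spoke with `ping <hub tunnel ip> size 1400 df-bit`: if that fails while the same size to the hub's outside address succeeds, the tunnel MTU is still too large.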

  • Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

    Hello,
    I am trying to set up an IPsec VPN (site-to-site, or if not possible client-to-site) between a Netgear ProSafe router and Windows Server 2012.
    The problem: the tunnel is up and running, but no ping, no traffic at all.
    The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-to-site is possible in my situation with the built-in tools, this server would only be a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the tunnel in the Advanced Firewall options window. Both Windows and the router say the VPN tunnel is OK. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and in the other direction) I get no response. Some people said RAS itself could not accept packets, but I tried from one of the virtual clients as well (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
    Now, after all the time I spent on this problem today, I'm a bit confused.
    As I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route. I suppose this is because "Routing and RAS" or the Windows Firewall service does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1. I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as there is no option for it inside the GUI.
    It would be great if somebody could explain to me how the config and packets SHOULD look. I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help to solve the problem would be great as well!
    Now I'll try to sleep one night; maybe I'll get some nice idea after some hours of sleep. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1), inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 via their IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this weird configuration looks wrong to me. Can some network professional help out with an explanation?
    Second addition: I can also set the local endpoint to "any" and it does work, but ping still does not work :-(
    Third addition: The ping does work if I disable the NAT functionality on the physical NIC. Hmm...

    I would definitely recommend using a virtual router instead of the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link),
    this scenario is not supported by Microsoft! You will run into problems!
    We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
    And by the way, I recommend not using Netgear products! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND the VPN connections stay up stably!
    This experience was very time-intensive to gain! Hope this will help someone else in the future.

  • I apologize if this is a repeat -- I can't find if my question has been posted, but all traffic received through SAFARI (but not FIREFOX) quoting prices has the latter in EUROS, not US Dollars. Figures in my outgoing Email appear to the recepient in Dolla

    I apologize if this is a repeat, but I can't tell if my question has been posted.
    For the past several weeks, all incoming traffic via Safari 5.0.5, but not Firefox, containing cost/price figures appears in Euros, not US Dollars. My responses, however, are received correctly in US Dollars. Weird, and irritating. Any ideas?

    To answer the post title: Firefox saves all downloads automatically in the Downloads folder, which you can find in the Documents folder. If you want to choose where to save your downloads, go to Tools > Options > check "Always ask me where to save files".
    Secondly, I am assuming you have IE 8 installed, as this is the only version that supports this fix that is currently not in beta. Go to Control Panel > Internet Options > Advanced tab and reset the settings at the bottom. This may or may not fix the problem, but it is a good first step.

  • CUCM ISUP-OLI / ANI II pass-through

    Hi, I have a Cisco UBE that receives SIP calls from a remote provider. This provider sends ANI-II digits in the From header like:
    Received: 
    INVITE sip:[email protected]:5060 SIP/2.0
    From: <sip:[email protected]:5060>;isup-oli=00;tag=SDs1ts901-10.50.83.40+1+161e1d+61e8c298
    but when the CUBE passes this call through, it strips the ANI II digits.
    Sent: 
    INVITE sip:[email protected]:5060 SIP/2.0
    From: <sip:[email protected]>;tag=850A3664-1051
    Is there any way to avoid this? I need to pass through ISUP-OLI in the From header.

    I found this document that describes what I need.
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/pass-unsupported.html

  • Sip passing through nat but rtp is not - no audio

    SIP passing through NAT but RTP is not.
    I'm looking at traffic leaving my router with a sniffer. I see SIP traffic but I do not see RTP traffic. The phones ring on both sides but I do not get any audio.
    interface f0/0.100
    ip address 192.168.10.1 255.255.255.0
    ip nat outside
    ip nat pool VoIP 192.168.10.1  192.168.10.1 prefix-length 24
    ip nat inside source route-map VoIP pool VoIP overload
    ip nat inside source static tcp 10.1.1.2 49201 192.168.10.54 49201 extendable
    access-list 1 permit ip host 10.1.1.2 any
    route-map VoIP permit 10
    match ip address 1
    match interface  f0/0.100
    set interface  f0/0.100

    Hello,
    You can enable the "ip nat service sip" or "ip nat service h323" and "ip nat service h225" commands. As per the documentation, they are enabled by default. In the latest IOS there is a new feature added to Cisco IOS that ensures that even RTP packets get translated to one of the allowed ports as specified by the RFC. The command to enable the feature is "ip nat service allow-sip-even-rtp-ports".
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_white_paper0900aecd80597bc7.html
    Hope this helps.
    Regards,
    NT
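Added example (not from the thread, and not Cisco code): what the SIP ALG that NT refers to actually has to do to a NATed INVITE so that the RTP which follows can cross the NAT. The signalling reaches the far side through the static TCP translation, but the SDP body still advertises the phone's private address and port, so the far end sends RTP to 10.1.1.2 (which never arrives) and nothing has opened an outside port for the return stream: phones ring, no audio. The ALG rewrites the c=, o= and m= lines, allocates an even outside port for RTP with the odd port above it for RTCP (RFC 3550, which is what the even-port option in the reply is about), opens those pinholes, and fixes Content-Length, since the body length changes. The addresses are the ones in the post; the INVITE, the RTP port and the NAT port range are constructed.

```python
"""Added example (not from the thread): SDP/SIP rewriting that a NAT must do for RTP to work.
Addresses are from the post; the message, ports and NAT behaviour are constructed.
"""
import re
from typing import Dict, List, Tuple

CRLF = "\r\n"


class Nat:
    """Minimal PAT table for media streams (constructed; a real NAT also ages entries out)."""

    def __init__(self, outside_ip: str, first_port: int = 16384):
        self.outside_ip = outside_ip
        self.next_even = first_port
        self.table: Dict[Tuple[str, int], int] = {}

    def map_rtp(self, inside_ip: str, rtp_port: int) -> int:
        """Allocate an even outside port for RTP and the odd one above it for RTCP."""
        key = (inside_ip, rtp_port)
        if key not in self.table:
            out = self.next_even
            self.next_even += 2
            self.table[key] = out
            self.table[(inside_ip, rtp_port + 1)] = out + 1
        return self.table[key]


def rewrite_sdp(sdp: str, nat: Nat) -> Tuple[str, List[Tuple[str, int, str]]]:
    """Rewrite session-level c=/o= and every m= line; return (new_sdp, pinholes to open)."""
    conn_ip, out, pinholes = None, [], []
    for line in sdp.split(CRLF):
        if m := re.match(r"c=IN IP4 (\S+)$", line):
            conn_ip = m.group(1)
            line = f"c=IN IP4 {nat.outside_ip}"
        elif m := re.match(r"o=(\S+ \S+ \S+) IN IP4 \S+$", line):
            line = f"o={m.group(1)} IN IP4 {nat.outside_ip}"
        elif m := re.match(r"m=(\w+) (\d+) (\S+)(.*)$", line):
            if conn_ip is None:   # media-level c= lines are not handled in this example
                raise ValueError("m= line before session-level c=")
            media, port, proto, fmts = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            out_port = nat.map_rtp(conn_ip, port)
            pinholes += [(nat.outside_ip, out_port, f"{media} {proto}"),
                         (nat.outside_ip, out_port + 1, f"{media} RTCP")]
            line = f"m={media} {out_port} {proto}{fmts}"
        out.append(line)
    return CRLF.join(out), pinholes


def split_message(msg: str) -> Tuple[str, str]:
    head, _, body = msg.partition(CRLF + CRLF)
    return head, body


def rewrite_sip(msg: str, inside_ip: str, nat: Nat) -> Tuple[str, list]:
    """Translate Via/Contact hosts (port kept: the post's static TCP mapping preserves it),
    rewrite the SDP body, and recompute Content-Length for the new body."""
    head, body = split_message(msg)
    new_body, pinholes = rewrite_sdp(body, nat)
    new_head = []
    for h in head.split(CRLF):
        if h.startswith(("Via:", "Contact:")):
            h = h.replace(inside_ip, nat.outside_ip)
        elif h.lower().startswith("content-length:"):
            h = f"Content-Length: {len(new_body.encode())}"
        new_head.append(h)
    return CRLF.join(new_head) + CRLF + CRLF + new_body, pinholes


def content_length(msg: str) -> int:
    m = re.search(r"^Content-Length:\s*(\d+)", split_message(msg)[0], re.M)
    return int(m.group(1))


INSIDE_IP, OUTSIDE_IP = "10.1.1.2", "192.168.10.54"   # from the post
SAMPLE_SDP = CRLF.join([                              # constructed
    "v=0", f"o=phone 1 1 IN IP4 {INSIDE_IP}", "s=-", f"c=IN IP4 {INSIDE_IP}", "t=0 0",
    "m=audio 20000 RTP/AVP 0 8 101", "a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000",
    "a=sendrecv", ""])
SAMPLE_INVITE = CRLF.join([                           # constructed
    "INVITE sip:2000@sip.example.net SIP/2.0",
    f"Via: SIP/2.0/TCP {INSIDE_IP}:49201;branch=z9hG4bK776",
    f"From: <sip:1000@{INSIDE_IP}>;tag=1", "To: <sip:2000@sip.example.net>",
    f"Call-ID: 1@{INSIDE_IP}", "CSeq: 1 INVITE",
    f"Contact: <sip:1000@{INSIDE_IP}:49201;transport=tcp>",
    "Content-Type: application/sdp", f"Content-Length: {len(SAMPLE_SDP.encode())}",
    "", SAMPLE_SDP])

if __name__ == "__main__":
    msg, holes = rewrite_sip(SAMPLE_INVITE, INSIDE_IP, Nat(OUTSIDE_IP))
    print(msg)
    print("pinholes:", holes)
```

The pinhole list is the part the poster's static TCP entry cannot provide: without it, inbound RTP to the outside address is dropped even when the SDP has been fixed by hand. A real ALG also handles media-level c= lines, the 200 OK in the other direction, and the pinhole lifetime; none of that changes the principle.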

  • MIAW WindowType - preventing pass-through clicks, but non-modal?

    Other than the 10 types listed in the Help files, does anyone know about any other window types? What I'm specifically looking for is like a tool palette, which floats over the stage, but if you click on it, the clicks do not pass through the MIAW to the stage below it. So far, the only way I know to do that is to make it a modal dialog box, which is NOT what I want, because I want to still be able to click on things on the stage, just not if they're directly behind the tool palette.
    Alternatively, is there a way to make sure all mouse-clicks within a MIAW do NOT pass through to the stage behind it? I'm using type 4, "Movable window without size box or zoom box", which seems to be the closest one to what I want, but I need to stop those pass-through clicks from messing up the stage...

    "Darrel Hoffman" <[email protected]> wrote in message news:[email protected]...
    > The point of checking for MouseDown inside a MouseWithin handler is that you can click and "paint" tiles over any number of sprites, without having to release the mouse button and click each sprite individually. If I put everything into MouseUp/MouseDown handlers, then you'd have to click each sprite one by one in order to change the tiles, which is incredibly tedious compared to the smooth click-and-drag method I'm using.
    >
    > As I've said, checking to see if the mouse is within the rect of the MIAW *does* prevent clickthroughs. In other words, I do have a working solution to my problem. I just still think it's far more code than should be necessary to do what should by all rights happen by default, especially since I have to incorporate this same code into several different mouse events in a bunch of different behaviors. (It will be even worse if I at some point decide to have more than one tool palette MIAW up at the same time for some reason, since I'd have to check for each of them, and then check *within* each of them as well in case they overlap each other...)
    >
    > We kind of got sidetracked with the whole idea of a moving sprite underneath the MIAW to catch stray mouse events - a technique which doesn't work 100% because moving the MIAW causes a stray mouse-click when you release it.
    >
    > I just wish there were some default setting for MIAWs which prevented clickthroughs automatically. It's pretty much an aesthetic thing now, since I have a working solution, but I don't like ugly code (even if nobody but me will ever see it), and I wish there was a better way to do it. Just seems like it should be the default behavior. Think of any other program you've seen. Indeed, since we all know Director, think of that. Say you've got the Score window and the Cast window and the Script window and who-knows-what-else all open at once, and they're all overlapping on your screen. When you click on one, only the one on top responds. This is what you expect when you click on something in any program. You'd run into all kinds of problems if the ones underneath also responded to your clicks (or any other mouse events for that matter). This is basically the same thing I'm trying to do with my little tool palette, but it seems you have to write a whole bunch of scripts just to make that happen? That just doesn't seem right to me.
    >
    > Anyhow, thanks for your suggestions everyone. And if anyone knows a way to make MIAWs do this automatically, please let me know.
    Darrel,
    out of all the possible ways to do what you want, you have probably picked the worst.
    Now you run into trouble, of course.
    First: Read up on the way events are processed in Director, and passed or not passed from object to object.
    Second: Did you actually READ what I wrote? You just keep repeating the same things that don't make sense... The mouseDown event is not the problem; the problem is that you check for a mouseDown STATE, not handle a mouseDown EVENT. You can change your code easily to provide for this and have the same result.
    Third: When mouse clicks are somehow not intercepted in the MIAW, then handle them yourself in the MIAW.
    I agree with Mike that it is your approach to the problem that creates this complexity. If you stick to handling events in the way Director gives them to you, you will not have those strange things.
    good luck,
    Richad.

  • Cisco ASA - Pass Through QoS Traffic

    Hi Sirs,
    Given the following topology:
         Switch - IP Phone (Branch) |----| Router |----| MPLS |----| Router |----| ASA |----| Switch - Voice Network (Head Office)
    My question: can the ASA impact QoS traffic passing through it?
    Thank you!
    Rafael Trujilho

    Hi Andrew,
    I want the ASA NOT to take any markings, NOT impacting the quality applied to voice traffic.
    Regards,
    Trujilho

  • How does client certificate get passed through TMG/ISA to destination server (eg. SCCM)?

    To avoid the 403.7 errors when the destination server requires certificate authentication, how does an SSL bridging reverse proxy inspect the traffic for safety without breaking the certificate authentication?
    I'm not asking for specific configuration steps on this. I just want an easy-to-understand overview of the process of how the laptop or smartphone device certificate used for authentication would pass through while TMG/ISA is still protecting the destination from attacks.

    I'm not sure if SSL bridging is the same as cert authentication, but...
    The way it works when bridging SSL for published SSL web sites is by the ISA having a copy of the same cert used on the published site. You buy the cert for the site and install it on the web server and get it set up with the site, then export it with the private key. Take the exported cert and install it on the TMG and configure it into the Web Publishing Rule.
    The SSL tunnel coming in terminates at the TMG, meaning the SSL tunnel was only between the user and the TMG (not between the user and the site as it would appear on the surface). Then the traffic is inspected, or whatever is intended to be done with it.
    Then a new, distinct, independent SSL tunnel is created between the TMG and the SSL site and the traffic is passed on to the site at that point. AFAIK, the reverse proxy only happens between the two tunnels while the traffic is unencrypted.

  • IPSec Pass Through on ASA

    I have a third-party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third-party firewall is attempting to build an IPsec tunnel to another firewall. The IPsec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA, but it is not being allowed to pass through to the inside interface. I have enabled NAT-T on the third-party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.
    Any thoughts?

    Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
    Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
    packet-tracer input outside udp <remote-peer-ip> 500 <asa-outside-ip> 500 detailed
    If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
    Please reply with packet-tracer results.
    Kind Regards,
    Kevin
    **Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
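Added example (not from the thread, and not Cisco code): before running packet-tracer it is worth knowing what the capture should contain. Plain ESP (IP protocol 50) carries no port, so a PAT device has nothing to map the return traffic on; it only works if the PAT device tracks the IKE exchange and pairs the ESP flow with it (on the ASA that is `inspect ipsec-pass-thru`). With NAT-T, both IKE and ESP ride UDP/4500 and the return traffic is an ordinary UDP reply to an existing translation. Enabling NAT-T on one firewall is not enough: the remote peer has to offer it too, and if the capture still shows bare ESP leaving the inside, NAT-T was never negotiated. The Python below demultiplexes UDP/4500 payloads (keepalive, IKE behind the four-byte non-ESP marker, or UDP-encapsulated ESP) and walks the cleartext IKE payload chain to see whether the peers actually exchanged NAT-detection payloads (IKEv1 NAT-D, payload type 20; IKEv2 NAT_DETECTION_*_IP notifies). All sample datagrams are constructed.

```python
"""Added example (not from the thread): classify UDP/4500 datagrams and check whether an
IKE exchange negotiated NAT traversal. Sample datagrams are constructed."""
import hashlib
import struct
from typing import Dict, List

IKEV1_NAT_D = 20
IKEV2_NOTIFY = 41
IKEV2_NAT_DETECTION = {16388, 16389}     # NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefixes IKE on UDP/4500; an ESP SPI is never zero


def parse_ike_header(msg: bytes) -> Dict[str, int]:
    """28-byte header shared by ISAKMP/IKEv1 and IKEv2."""
    if len(msg) < 28:
        raise ValueError("truncated IKE header")
    _ispi, _rspi, np, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    return {"next_payload": np, "major_version": ver >> 4, "exchange_type": exch,
            "flags": flags, "message_id": mid, "length": length}


def classify_udp4500(payload: bytes) -> Dict[str, object]:
    """NAT keepalive (single 0xff), IKE (non-ESP marker) or UDP-encapsulated ESP (SPI, seq)."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", **parse_ike_header(payload[4:])}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def ike_payloads(msg: bytes) -> List[Dict[str, int]]:
    """Walk the generic payload chain (next, reserved, length) of a cleartext IKE message.

    Encrypted payloads (IKEv1 E flag, IKEv2 SK) hide the chain, so this is meaningful for
    main-mode / IKE_SA_INIT style messages, which is where NAT detection is carried.
    """
    chain, np, off = [], msg[16], 28
    while np != 0 and off + 4 <= len(msg):
        next_np, _, length = struct.unpack("!BBH", msg[off:off + 4])
        if length < 4 or off + length > len(msg):
            raise ValueError("malformed payload length")
        entry = {"type": np, "length": length}
        if np == IKEV2_NOTIFY and length >= 8:   # protocol id, spi size, notify type
            entry["notify_type"] = struct.unpack("!H", msg[off + 6:off + 8])[0]
        chain.append(entry)
        np, off = next_np, off + length
    return chain


def nat_traversal_negotiated(datagram: bytes) -> bool:
    """True if an IKE datagram (UDP/500 or UDP/4500) carries NAT-detection payloads."""
    msg = datagram[4:] if datagram[:4] == NON_ESP_MARKER else datagram
    return any(p["type"] == IKEV1_NAT_D or p.get("notify_type") in IKEV2_NAT_DETECTION
               for p in ike_payloads(msg))


def build_ikev1_sample(with_nat_d: bool = True) -> bytes:
    """Constructed IKEv1 main-mode message on UDP/4500: RFC 3947 vendor ID, then NAT-D."""
    vid = hashlib.md5(b"RFC 3947").digest()          # RFC 3947 defines the NAT-T VID this way
    natd = hashlib.sha1(b"constructed spi|ip|port").digest()
    if with_nat_d:
        payloads = struct.pack("!BBH", IKEV1_NAT_D, 0, 4 + len(vid)) + vid   # VID, next = NAT-D
        payloads += struct.pack("!BBH", 0, 0, 4 + len(natd)) + natd        # NAT-D, next = none
    else:
        payloads = struct.pack("!BBH", 0, 0, 4 + len(vid)) + vid            # VID only
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      13, 0x10, 2, 0, 0, 28 + len(payloads))               # next=VID, v1.0, main mode
    return NON_ESP_MARKER + hdr + payloads


SAMPLE_IKE = build_ikev1_sample()
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 40   # SPI, seq, ciphertext (constructed)
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for d in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP):
        print(classify_udp4500(d))
    print("NAT-T negotiated:", nat_traversal_negotiated(SAMPLE_IKE))
```

In the poster's capture, the thing to look for is whether the outbound packets leaving the ASA are UDP/4500 or protocol 50. If they are protocol 50, the third-party firewall's NAT-T setting never took effect (the remote peer did not offer it, or the exchange fell back), and the ASA needs `inspect ipsec-pass-thru` or a one-to-one translation for that host; if they are UDP/4500 and the reply is still dropped, packet-tracer on UDP/4500 rather than 500 is the test that matters.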
