Yikes! Not really sure about the answer here but I am hoping to be able to talk you out of Lock and Key. Any chance you can use a feature we call Auth-Proxy instead? This was developed to replace Lock and Key. To be honest, we have done little or no development on Lock and Key in a long time and you will also have a hard time finding many TAC engineers that remember this feature ;)
Take a look at the following sample config for some info on Auth-Proxy and NAT combined:
The sample deployments of auth proxy I've looked at all seem to require a separate tacacs+ or radius server, and a lot of statements. All I'm looking for is a single authenticated (local) login that would allow external access with windows terminal services (3389) to a single server.
The lock & key dynamic access list concept allowed that to happen with 3 statements with a local username.
OK. You do not *need* an AAA server to do Auth-Proxy but I can't imagine this feature scaling very well without one. However, I guess I cannot argue with the ease of configuration. So, back to the original question. Can you elaborate a bit more on exactly what is not working with respect to Lock and Key and NAT? What are you NAT'ing? Perhaps a sanitized config will help a little...
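To illustrate the "3 statements with a local username" setup described in the question, here is an added IOS Lock and Key configuration that is not from either poster. It assumes an outside interface GigabitEthernet0/0 with public address 203.0.113.1, a terminal server whose globally reachable (post-NAT) address is 203.0.113.10, and the placeholder username rdpuser; all of these are constructed values.

```cisco
! Local user whose only VTY job is to open the dynamic entry.
! autocommand access-enable "host" creates the entry for the
! source address that authenticated, not for "any".
username rdpuser password 0 REPLACE_WITH_SECRET
username rdpuser autocommand access-enable host timeout 5
!
! Statement 1: let outside hosts reach the router's VTY to authenticate.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
! Statement 2: the dynamic entry, opened only after a successful login.
! Inbound ACLs on the outside interface are evaluated before
! outside-to-inside NAT translation, so the permit must name the
! server's global (translated) address, not its inside private address.
access-list 101 dynamic rdp-entry timeout 120 permit tcp any host 203.0.113.10 eq 3389
! Statement 3: everything else from outside is dropped.
access-list 101 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group 101 in
!
line vty 0 4
 login local
```

The `log` keyword on the final deny gives the access log entries you would want when checking whether RDP attempts are being blocked before or after authentication.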