Replicating ACS Database From Primary to Secondary Over NAT
Does anyone know whether it is possible to replicate the ACS database when the primary and the secondary ACS servers are residing in two different DMZs? All traffic leaving the DMZ must be NATted. I am receiving an error of "key mismatch" on the secondary server denying the authentication from the primary server when I know that the shared secret key is the same on both servers. Would this "key mismatch" be related to the nature of NAT? Please advise....
Re: Replicating ACS Database From Primary to Secondary Over NAT
Yes, you cannot do replication between two ACS servers that are using NATted IP addresses. The secret key plus the AAA server IP address is the authentication function, so if the AAA server IP is different, the authentication will fail. Using NAT for replication is not yet supported and will not work.
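A small simulation of the failure mode described in the answer, added here as an illustration and not taken from the original thread or from Cisco ACS itself. It assumes a simplified model in which the replication proof is an HMAC keyed by the shared secret and bound to the AAA server IP address; the real ACS algorithm is not documented on this page, so the hashing scheme, IP addresses and payload are constructed for the example.

```python
import hashlib
import hmac
import ipaddress


def replication_tag(shared_secret: str, server_ip: str, payload: bytes) -> bytes:
    """Simplified model (assumption, not the real ACS scheme): the key used to
    authenticate a replication message is derived from the shared secret AND
    the AAA server's IP address, so both sides must agree on that address."""
    ip_bytes = ipaddress.ip_address(server_ip).packed
    key = hashlib.sha256(shared_secret.encode() + ip_bytes).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()


def secondary_accepts(shared_secret: str, observed_src_ip: str,
                      payload: bytes, tag: bytes) -> bool:
    """The secondary rebuilds the key from the source IP it actually sees
    on the wire and compares tags in constant time."""
    expected = replication_tag(shared_secret, observed_src_ip, payload)
    return hmac.compare_digest(expected, tag)


def simulate(shared_secret: str, primary_ip: str, nat_ip: str,
             payload: bytes = b"acs-replication-update") -> tuple:
    """Returns (accepted_without_nat, accepted_with_nat)."""
    # The primary signs with its own (pre-NAT) address.
    tag = replication_tag(shared_secret, primary_ip, payload)
    # Direct path: the secondary sees the primary's real address -> keys match.
    direct = secondary_accepts(shared_secret, primary_ip, payload, tag)
    # NATted path: the secondary sees the translated address -> derived key
    # differs even though the shared secret is identical on both servers.
    natted = secondary_accepts(shared_secret, nat_ip, payload, tag)
    return direct, natted


if __name__ == "__main__":
    # Constructed sample values: a primary in one DMZ, its NAT address as seen
    # from the other DMZ, and the same secret configured on both servers.
    ok_direct, ok_natted = simulate("S3cretKey", "10.10.1.5", "203.0.113.9")
    print(f"without NAT accepted={ok_direct}, with NAT accepted={ok_natted}")
```

The same secret on both servers is not enough in this model; the "key mismatch" appears as soon as the address the secondary observes differs from the one the primary used.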