I am just posting a quick question (I hope): I am trying to get authentication working for VPN clients. The problem is that the authentication server (RSA) is located on the outside interface, over a L2L tunnel.
So here's the question: for the crypto access-list and NAT statement, would this be the exiting interface of the outside interface to the authentication server, or the VPN pool?
So the configuration below, just for an example:
object-group VPN_pool = 192.168.1.0/24
object-group RSA_server = 10.10.10.1
object-group ASA_outside = 126.96.36.199
So would the configuration be:
access-list Outside_cryptomap extended permit ip object-group ASA_outside object-group RSA_server
There is no need to NAT traffic from the box. You just need to take care of routing (the RSA_server route needs to point out through the outside interface) and change the crypto ACL (the way you have it should be just fine).
Please be aware of a caveat of a setup like this: it is very likely that initial authentication requests might be dropped (while a separate IPsec SA is established from the ASA to the RSA server). Setting up an SLA to ping the RSA server on the ASA will alleviate this (and you are already using "ip" in your traffic selectors).
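Putting the reply above together as one ASA configuration fragment (added here as an illustration; it is not the poster's or Cisco's own configuration). It assumes the crypto map is named Outside_map, that the RSA server is reached through the outside interface as in the question, and uses a labelled placeholder for the next-hop address.

```cisco
! Objects from the question (addresses as given in the post)
object network VPN_pool
 subnet 192.168.1.0 255.255.255.0
object network RSA_server
 host 10.10.10.1
object network ASA_outside
 host 126.96.36.199

! Crypto ACL: the interesting traffic is ASA outside address -> RSA server,
! not the VPN pool, because the ASA itself originates the SDI requests.
! "ip" (not "udp") keeps the ICMP probes below inside the same selector.
access-list Outside_cryptomap extended permit ip object ASA_outside object RSA_server
crypto map Outside_map 10 match address Outside_cryptomap

! Routing only; no NAT rule is needed for box-originated traffic.
! NEXT_HOP_PLACEHOLDER = the outside default gateway (not in the post).
route outside 10.10.10.1 255.255.255.255 NEXT_HOP_PLACEHOLDER

! SLA probe keeps the L2L SA up so the first auth request is not lost
! while the tunnel is being negotiated.
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! AAA server group for RSA SecurID; the interface in parentheses is the
! one whose address the ASA uses as the source, so it must match the
! source in the crypto ACL above.
aaa-server RSA protocol sdi
aaa-server RSA (outside) host 10.10.10.1
```

Verify with "show crypto ipsec sa" that an SA exists for 126.96.36.199 to 10.10.10.1 before testing a client login, and with "show sla monitor operational-state 10" that the probe is succeeding.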
When you configure the RSA server using the GUI there is an option to select the interface. I thought this meant the interface you need to use to get to the RSA server, but I changed it to be the inside interface and it worked, so I'm guessing that it means use this interface as the source address for the request.