Network Address Translation (NAT)
|Issue||How to configure firewall's dynamic network address translation on multiple internal clients to an external RSA ACE/Server|
Error: "Node verification failed" in ACE/Server logs
Initial authentication with an internal client is successful and "securid" file is sent to the client, but later attempts from other internal NAT'd clients fail with error "node verification failed"
|Cause||Using NAT with an internal client and external ACE/Server requires that the client be defined with the internal Primary IP address as the Primary IP, and the Hiding IP Address defined as a secondary node on the ACE/Server's client definition. However, the Use of "Dynamic address translation" will not work for more than one internal client because the ACE/Server will not allow two secondary nodes with the same IP address.|
|Resolution||Configure the firewall to use static network address translation for the internal clients. This means that each internal, invalid Internet IP address will translate to a different static valid IP address by the firewall. Now multiple clients can be configured each with a secondary node of their corresponding valid IP address.|
|Legacy Article ID||6.0.3261685.2908345|