000018284 - How to configure firewall's dynamic network address translation on multiple internal clients to an external RSA ACE/Server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018284

Applies To:
  • Firewall
  • RSA ACE/Agent
  • RSA ACE/Server
  • Network Address Translation (NAT)

Issue: How to configure firewall's dynamic network address translation on multiple internal clients to an external RSA ACE/Server.
Error: "Node verification failed" in ACE/Server logs.
Initial authentication with an internal client is successful and the "securid" file is sent to the client, but later attempts from other internal NAT'd clients fail with the error "node verification failed".

Cause: Using NAT with an internal client and an external ACE/Server requires that the client be defined with its internal IP address as the Primary IP, and the Hiding IP Address defined as a secondary node on the ACE/Server's client definition. However, the use of "Dynamic address translation" will not work for more than one internal client, because the ACE/Server will not allow two secondary nodes with the same IP address.

Resolution: Configure the firewall to use static network address translation for the internal clients. This means that the firewall translates each internal, invalid Internet IP address to a different static valid IP address. Multiple clients can then be configured, each with a secondary node of its corresponding valid IP address.

Legacy Article ID: 6.0.3261685.2908345
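
The check below is an added example, not RSA code or part of the original article: it takes a planned NAT table and reports which translated addresses would end up as the same secondary node on more than one client, alongside the primary/secondary pairs that are safe to define. The function name, the table layout and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample plans: internal (primary) address -> address after NAT.
# 192.0.2.0/24 is a documentation range standing in for valid Internet addresses.
HIDE_NAT = {
    "10.1.1.10": "192.0.2.1",
    "10.1.1.11": "192.0.2.1",
    "10.1.1.12": "192.0.2.1",
}
STATIC_NAT = {
    "10.1.1.10": "192.0.2.10",
    "10.1.1.11": "192.0.2.11",
    "10.1.1.12": "192.0.2.12",
}


def _norm(addr):
    """Parse and canonicalise an address so textual variants compare equal."""
    return ipaddress.ip_address(addr.strip())


def plan_client_nodes(nat_table):
    """Split a NAT plan into usable client definitions and conflicts.

    Returns (definitions, conflicts):
      definitions - [{"primary": ..., "secondary": ...}] for clients whose
                    translated address is used by no other client
      conflicts   - {translated address: [internal clients sharing it]}
    """
    by_translated = defaultdict(list)
    for internal, translated in nat_table.items():
        by_translated[_norm(translated)].append(_norm(internal))

    definitions, conflicts = [], {}
    for translated in sorted(by_translated):
        clients = sorted(by_translated[translated])
        if len(clients) > 1:
            # Same secondary node address on several clients: the case the
            # article says the ACE/Server will not allow.
            conflicts[str(translated)] = [str(c) for c in clients]
        else:
            definitions.append({"primary": str(clients[0]), "secondary": str(translated)})
    return definitions, conflicts


if __name__ == "__main__":
    for name, plan in (("dynamic/hide NAT", HIDE_NAT), ("static NAT", STATIC_NAT)):
        defs, bad = plan_client_nodes(plan)
        print(name, "-> definitions:", defs, "conflicts:", bad)
```
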
