2008-01-26
cciesec2006
Re: SmartCenter and NAT

Here is a summary of my test:

1- I have Provider-1 GUI R65 with HFA_01 and SmartConsole R65 with
HFA_01 on my laptop. I also have P-1 GUI R55 and SmartConsole R55
on my laptop as well.

2- I specify "Any" GUI clients in the Provider-1, as confirmed in the $MDSDIR/conf/mdsdb/cp-gui-clients.C file:
:domain ()
:gui_client_type (any)
:ipaddr ()
:ipaddr2 ()
:mds_client (true)
:netmask ()
:value (any)
)

3- My laptop sits behind a Cisco Pix 8.0(3) firewall with:
nat (inside) 1 0 0
global (outside) 1 interface
access-list test permit ip any any log
access-group test in interface outside

In other words, the Pix will "hide" NAT ALL outbound traffic.

4- The P-1 R65 box has a private address of 192.168.1.1 and it is
NAT'ed to 4.2.2.2 on the Cisco IOS router. There is a CMA
with an IP address of 192.168.1.10 and it is NAT'ed to
4.2.2.3 by the Cisco router as well.

From my laptop, I can connect to 4.2.2.3 with Smart Dashboard/Tracker.
From my laptop, I can NOT connect to 4.2.2.2 with Provider-1 GUI.
From my laptop, I can NOT connect to 4.2.2.2 via the command line
"cplauncher 9" as suggested by Ray. I always get "Failed to launch
application".

I replaced the P-1 R65 box with a P-1 R55 box and I CAN connect
to 4.2.2.2 with the P-1 R55 GUI and 4.2.2.3 with Smart Dashboard/Tracker
R55 GUI.

This is definitely different from when Ray tested the connection with me. I could
see him connect to my Provider-1 R65 with the P-1 GUI.

This is really weird. tcpdump showed everything is normal and that
the P-1 box is seeing traffic coming from the Pix's external interface,
hide NAT. Everything being equal, it tells me that Provider-1 NGx R65
GUI has issues, I think.