https://community.cisco.com/t5/network-security/nac-questions/m-p/1274223#M812967 <HTML><HEAD></HEAD><BODY><P>Dear Faisal,</P><P></P><P>The natting is a must as both the interfaces are of different security levels with inside and WAN as 100 and 70 respectively.</P><P></P><P>But why i am asking is because the nat command is not changing the ip address in my case as the translated ip is the same as the original ip.</P><P></P><P>static (inside,WAN) 10.0.0.1 10.0.0.1</P><P></P><P>but i have read the Doc as it talks about translated and original ip in general and there is no general details.</P></BODY></HTML> Wed, 21 Oct 2009 14:30:46 GMT talha_490 2009-10-21T14:30:46Z https://community.cisco.com/t5/network-security/nac-questions/m-p/1274219#M812955 <P>We have 2 CAS should be configured with HA are located in the WAN Zone of the FWSM. there is a static NAT means</P><P></P><P>static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255</P><P></P><P>where 10.0.0.1 is the ip of CAM and the cas has 20.0.0.1.</P><P></P><P>I have read that if the CAS and CAM sare across the firewall then CAM will not add CAS as HA unit. The above natting is above.</P> Fri, 21 Feb 2020 11:44:51 GMT https://community.cisco.com/t5/network-security/nac-questions/m-p/1274219#M812955 talha_490 2020-02-21T11:44:51Z https://community.cisco.com/t5/network-security/nac-questions/m-p/1274220#M812960 <HTML><HEAD></HEAD><BODY><P>Talha,</P><P></P><P>That is correct. HA with NAT'd CASs isn't supported.</P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Wed, 21 Oct 2009 13:27:54 GMT https://community.cisco.com/t5/network-security/nac-questions/m-p/1274220#M812960 Faisal Sehbai 2009-10-21T13:27:54Z https://community.cisco.com/t5/network-security/nac-questions/m-p/1274221#M812963 <HTML><HEAD></HEAD><BODY><P>Thanks Faisal,</P><P></P><P>So should i conclude that in my scenario it is not possible for me to configure CAS in HA.</P></BODY></HTML> Wed, 21 Oct 2009 14:23:02 GMT https://community.cisco.com/t5/network-security/nac-questions/m-p/1274221#M812963 talha_490 2009-10-21T14:23:02Z https://community.cisco.com/t5/network-security/nac-questions/m-p/1274222#M812965 <HTML><HEAD></HEAD><BODY><P>If there's NAT in the picture, then yes, this won't work. If you can somehow remove the NAT and route between the CAS and CAM, then it should be fine.</P><P></P><P>[Edit] I just looked at the NAT closely and apologize for giving you the wrong information. The only scenario when NAT breaks things is when the IP addresses are different when you're NAT'ing (e.g. 10.x being nat'ed to 192.168.x when reaching the CAM etc)</P><P></P><P>In this scenario where the NAT and the actual IP are the same it should work. You'll just have to ensure that the required traffic flow is open between the devices.</P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Wed, 21 Oct 2009 14:26:08 GMT https://community.cisco.com/t5/network-security/nac-questions/m-p/1274222#M812965 Faisal Sehbai 2009-10-21T14:26:08Z https://community.cisco.com/t5/network-security/nac-questions/m-p/1274223#M812967 <HTML><HEAD></HEAD><BODY><P>Dear Faisal,</P><P></P><P>The natting is a must as both the interfaces are of different security levels with inside and WAN as 100 and 70 respectively.</P><P></P><P>But why i am asking is because the nat command is not changing the ip address in my case as the translated ip is the same as the original ip.</P><P></P><P>static (inside,WAN) 10.0.0.1 10.0.0.1</P><P></P><P>but i have read the Doc as it talks about translated and original ip in general and there is no general details.</P></BODY></HTML> Wed, 21 Oct 2009 14:30:46 GMT https://community.cisco.com/t5/network-security/nac-questions/m-p/1274223#M812967 talha_490 2009-10-21T14:30:46Z