ISE Deployment through NAT Boundaries

GQ
Cisco Employee

Refer to the attached drawing.  Wondering about ISE through NAT boundaries in a mergers and acquisitions scenario where there is overlapping IP space.  Seems like it would work fine provided there is bidirectional NAT. The only thing I can't imagine won't work is the NMAP probe across the NAT boundary because the clients couldn't be one for one NATted... or so I believe to be the case.

 

When ISE learns the endpoints' MAC addresses and has overlapping IP addresses across multiple clients, does it care?  MAC is the identifier we are concerned with after all. 

 

Anyone have experience with this type of setup or can think of any pitfalls I'm not thinking of?

1 Accepted Solution

hslai
Cisco Employee

Our teams have not vetted NAT in general. Please ensure to list out all different use cases and test them thoroughly.

As you already indicated, ISE profiling could be problematic. CoA is another known issue. For the latter, you might want to read the info on ISE Load Balancing and infer from there.

2 Replies

GQ
Cisco Employee

To solve this challenge, would it be possible to put another ISE node (or nodes) into the acquired company to service that side of the boundary and have it be part of the same deployment?  There would be no NAT needed; however, there is the possibility of client IP overlap (the MAC addresses would still be unique).  Would this cause any problems for ISE?  To have unique endpoint MAC addresses but potentially duplicate IP addresses in that client traffic?  Drew up another diagram and attached.
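The thread turns on one distinction: which operations key on MAC (survive overlapping IP space) and which key on IP (an IP-based scan such as the NMAP probe, or a CoA addressed to a device behind NAT). The script below is an added example, not code from this thread or from Cisco ISE. It models a constructed endpoint inventory for two sites that both use 10.1.1.0/24, indexes it by MAC, reports IPs that map to more than one endpoint, flags any MAC seen at more than one site (which would collide in a MAC-keyed database), and lists which remote endpoints an IP-based probe from the central site could reach given a one-for-one NAT mapping. The site names, MACs, addresses and the `nat_ip` field are all assumptions for the example.

```python
"""Endpoint identity across overlapping (NATted) IP space: a planning check.

Added example; assumes a constructed inventory where each record carries the
site it lives in, its MAC, its private IP, and the one-for-one NAT address
(if any) visible from the central site. Nothing here talks to ISE.
"""
from collections import defaultdict

# Constructed sample data: HQ and the acquired company both use 10.1.1.0/24.
# nat_ip is the address HQ would see after bidirectional NAT; None means the
# host has no one-for-one mapping and is not addressable from HQ by IP.
INVENTORY = [
    {"site": "HQ",       "mac": "00:11:22:33:44:01", "ip": "10.1.1.10", "nat_ip": None},
    {"site": "HQ",       "mac": "00:11:22:33:44:02", "ip": "10.1.1.11", "nat_ip": None},
    {"site": "Acquired", "mac": "00:AA:BB:CC:DD:01", "ip": "10.1.1.10", "nat_ip": "172.16.5.10"},
    {"site": "Acquired", "mac": "00:aa:bb:cc:dd:02", "ip": "10.1.1.11", "nat_ip": None},
    # Deliberately constructed duplicate MAC (e.g. a cloned VM) to show the one
    # case where a MAC-keyed record would actually collide.
    {"site": "Acquired", "mac": "00-11-22-33-44-01", "ip": "10.1.1.20", "nat_ip": None},
]


def normalize_mac(mac):
    """Canonical form so 00-AA-.. and 00:aa:.. compare equal."""
    return mac.lower().replace("-", ":")


def index_by_mac(inventory):
    """MAC-keyed view of the inventory (what a MAC-identified endpoint DB sees)."""
    idx = defaultdict(list)
    for rec in inventory:
        idx[normalize_mac(rec["mac"])].append(rec)
    return dict(idx)


def find_mac_conflicts(inventory):
    """MACs that appear at more than one site: these collide even with MAC keying."""
    sites = defaultdict(set)
    for rec in inventory:
        sites[normalize_mac(rec["mac"])].add(rec["site"])
    return {mac for mac, s in sites.items() if len(s) > 1}


def find_ip_overlaps(inventory):
    """IPs used by more than one distinct MAC: any IP-keyed lookup is ambiguous."""
    owners = defaultdict(set)
    for rec in inventory:
        owners[rec["ip"]].add((rec["site"], normalize_mac(rec["mac"])))
    return {ip: sorted(o) for ip, o in owners.items() if len(o) > 1}


def probe_plan(inventory, remote_site):
    """Split remote endpoints into those an IP-based probe from the central
    site can address (via their NAT address) and those it cannot."""
    reachable, unreachable = [], []
    for rec in inventory:
        if rec["site"] != remote_site:
            continue
        mac = normalize_mac(rec["mac"])
        if rec["nat_ip"]:
            reachable.append((mac, rec["nat_ip"]))
        else:
            unreachable.append(mac)
    return reachable, unreachable


if __name__ == "__main__":
    print("MAC-keyed entries:", len(index_by_mac(INVENTORY)))
    print("MAC conflicts:", find_mac_conflicts(INVENTORY))
    for ip, owners in find_ip_overlaps(INVENTORY).items():
        print(f"IP {ip} is ambiguous, owned by {owners}")
    ok, bad = probe_plan(INVENTORY, "Acquired")
    print("probe reachable via NAT:", ok)
    print("probe unreachable (no one-for-one NAT):", bad)
```

Run against a real export the same way: a non-empty result from `find_ip_overlaps` tells you which endpoints IP-keyed features cannot distinguish, and a non-empty `find_mac_conflicts` is the one case the MAC-based assumption in the question does not cover.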