Hi Team,
I have multiple tenants (government agencies) that are managed by a single FMC (and multiple FTD instances per tenant). Each tenant has overlapping addressing and NAT is used heavily to present FMC with unique address space as well as for routing their traffic up to a shared Internet Gateway.
There is a requirement to use identity-based AC policy rules in FMC/FTD.
What is the best way to provide user/IP mappings via ISE-PIC?
Can a single ISE-PIC support AD Forest/Domain connections to multiple tenants?
How would ISE-PIC present the IP mappings? (i.e. would it be the original un-NAT'd IP?) If so, how does FMC interpret the potentially overlapping user/IP mappings from ISE-PIC if they are mapped to a single realm that's mapped to a single identity policy and a single AC policy?
Thanks and kind regards,
Dave.