NAC 4.9 CAS inband with ASA running 8.6

Steve Bellan
Level 1

We have a working NAC 4.9.0 environment. When looking through the documentation areas I only see setup info for VPN concentrator and NAC in-band. Are there setup examples with an ASA running newer code (8.6)?

The second piece is that I have some confusion as to the CAS setup. If it is in-band, should it be done as a Real-IP gateway? Or can I get away with L2 in-band? We come off of the ASA inside interface to the trusted side of the CAS. The untrusted side of the CAS goes to the LAN. The CAM is 4 routed hops away.

4 Replies

Tarik Admani
VIP Alumni

Steve,

Here is a configuration guide for the ASA to CAS; it's not the latest and greatest, but this should work:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

When referring to L2 and L3 adjacent, this is different with respect to VGW and RIP.

L2 and L3 refer to how the clients are positioned with respect to the CAS (not the CAM): are they being routed to the CAS untrusted interface, or are they available on a VLAN that the CAS can be a part of?

VGW and RIP refer to the operation of the CAS. This is similar to the operation of the ASA when it comes to transparent vs. routed mode (you can use both on the same CAS): VGW bridges the two networks together, and RIP routes the traffic around and requires static routing, since the CAS does not support dynamic routing protocols.

You can use VGW by setting the group policy to route all tunneled traffic to an IP that is present on the trusted side of the CAS. Also, you can use the vlan attribute in the group-policy configuration to assign the remote users to a VLAN, which forces their traffic to flow through the CAS.

http://cisconac.blogspot.com/2007/07/vpn-deployments-with-asa-80.html

Thanks,

Tarik Admani

*Please rate helpful posts*
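As an added illustration of the group-policy approach described in the reply above (this is not configuration from the thread, the linked blog post, or the Cisco guide), the following ASA 8.x fragment pins remote-access users to an inside VLAN with the group-policy vlan attribute and, for a Real-IP (routed) CAS, points LAN-bound traffic at the CAS trusted interface as next hop. All interface names, addresses, pool ranges, VLAN IDs and policy names are assumptions chosen for the example.

```cisco
! Assumed addressing for this example (not from the thread):
!   inside subinterface VLAN 100 = 192.168.100.1/24, CAS trusted side = 192.168.100.2
!   VPN address pool 10.200.0.0/24, corporate LAN 10.0.0.0/8 behind the CAS untrusted side
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ip local pool VPN-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! Group policy for remote users: the vlan attribute maps their tunneled traffic
! onto VLAN 100, so it leaves the ASA toward the CAS and not via any other inside path.
group-policy NAC-VPN-USERS internal
group-policy NAC-VPN-USERS attributes
 vlan 100
 address-pools value VPN-POOL
!
tunnel-group NAC-VPN type remote-access
tunnel-group NAC-VPN general-attributes
 default-group-policy NAC-VPN-USERS
!
! Real-IP (routed) CAS only: the ASA must hand LAN-bound traffic to the CAS trusted IP.
! The CAS in turn needs a static route back to the VPN pool via the ASA, since it runs
! no dynamic routing protocol.
route inside 10.0.0.0 255.0.0.0 192.168.100.2 1
```

If the CAS is deployed as a virtual gateway instead, the CAS bridges the two sides and the final static route is not needed; the vlan attribute alone is what steers the remote users' traffic through the CAS. Verify after connecting a test client that a traceroute from the VPN client to a LAN host actually transits the CAS, and that the client is not reachable from the LAN until it has passed through the CAS role assignment.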

Hey Tarik,

I found another document that talks of putting it in as L3 in-band RIP. The one you sent is L2 in-band with one IP address on both trusted and untrusted. If they are both in-band, what is the advantage of one over the other?

See:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_vpncon.html

You can only use in-band with VPN deployments, since the manager can send any SNMP communication to the ASA to change the VPN endpoint's current status; it cannot terminate the user's connection or push them to a different group policy.

So when it comes down to RIP or VGW, that is how the CAS acts in that scenario (routed or bridged mode), and L3 vs. L2 means that the clients are either in the same broadcast domain as the untrusted interface or a hop away from the untrusted interface of the CAS.

Hope that helps.

Tarik Admani
*Please rate helpful posts*

We have 4 unique user roles and a NAC Guest Server. It looks like I am stuck with L3 in-band.
