02-20-2009 10:39 AM - edited 02-21-2020 03:18 AM
We terminate vpn users on an ASA. That is working. The problem is running the remote users through the NAC appliance while not checking other traffic. We have tried restricting all vpn users to a vlan to layer 3 with PBR. None of these options seem to work. What is the best way to run remote users through NAC before allowing access to the network??? Layer 3, Layer 2, InBand, Out of Band, or ???
Thanks.
02-20-2009 11:42 AM
The recommended way to run your VPN users through the NAC appliance(s) is to implement the L3 InBand deployment.
cheers,
-mc
02-20-2009 12:02 PM
Will this work having the remote users restricted to one VLAN on the ASA, separate from my inside interface? Or will all traffic have to pass through the NAC and exempt everything but the VPN traffic?
02-20-2009 02:24 PM
yes and yes
As you're only inserting the NAC appliance into the existing traffic flow.
The traffic you want to interrogate can be specified via your manage subnets list as well.
If your VPN is not set up yet, you should get it up and working through that dedicated interface and then insert the NAC appliance.
02-20-2009 06:29 PM
If your NAC appliance is more than 1 hop away from your VPN appliance, you can policy route the VPN IP pool through the NAC servers. All other traffic will be routed normally, w/o going through NAC.
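The PBR approach from the reply above, shown as an added IOS configuration example (not a poster's own config). Assumed/constructed values: a VPN address pool of 10.200.0.0/24, a Clean Access Server untrusted-side address of 10.10.10.2, and GigabitEthernet0/1 as the router interface facing the ASA.

```cisco
! Added example (not from the thread): PBR on the L3 router between the ASA
! and the NAC Clean Access Server (CAS) in L3 in-band mode.
! Assumed/constructed values: VPN pool 10.200.0.0/24, CAS untrusted-side
! address 10.10.10.2, router interface facing the ASA = Gi0/1.
!
! Match only the VPN pool so that all other traffic keeps its normal routing.
ip access-list extended VPN-POOL-TO-NAC
 permit ip 10.200.0.0 0.0.0.255 any
!
! Forward matching packets to the CAS untrusted interface instead of the
! normal next hop; unmatched traffic falls through to the routing table.
route-map VPN-VIA-NAC permit 10
 match ip address VPN-POOL-TO-NAC
 set ip next-hop 10.10.10.2
!
! Apply the policy on the interface where VPN-pool traffic enters from the ASA.
interface GigabitEthernet0/1
 description Link to ASA (VPN users)
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map VPN-VIA-NAC
!
! Checks after applying:
!   show route-map VPN-VIA-NAC   -> match counter increments for VPN-pool traffic
!   show ip policy               -> route-map is bound to Gi0/1
!   traceroute from a VPN client -> the path should include the CAS
```

Return traffic to the pool must also pass the CAS, so the inside routers need a route for 10.200.0.0/24 pointing at the CAS trusted-side address; otherwise the appliance only sees one direction of each flow.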