12-24-2007 10:48 PM - edited 02-21-2020 03:27 PM
I have network with inside LAN users and Remote Sites users connected through Site to Site VPN with ASA.
I want to implement the NAC so that I can authenticate, check and authorize the inside LAN users as well as the remote site users (which are connected through site-to-site VPN). Is this requirement applicable or not? If yes, what is the best implementation design?
12-26-2007 06:06 AM
You will be able to authenticate and authorize both inside LAN users and VPN users, but you will need a separate CAS on each network to accomplish this. Below is a link with regards to VPN usage.
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
You also have a number of options for users on the LAN side. You can get away with one CAS for that, but they will need to be placed in L2/L3 mode. In our implementation we are using an OOB Real IP-gateway setup for our LAN users. Out-of-Band allows scalability to support multiple sites because the users are only passing through the CAS during authentication and posture assessment. Once this is complete they are placed on an access VLAN that does not force traffic to the CAS.
01-07-2008 06:50 AM
So you are saying that you CANNOT use a single NAS (in L2/L3 In-Band Real-IP G/W mode) to manage/monitor an inside network and a VPN? In other words, VPN implementation always requires a dedicated NAS? I am in the process of working on a NAC implementation that needs to do just that ...
Any guidance is appreciated!
01-07-2008 07:12 AM
Hi David,
That's correct. To implement NAC on an inside network and a VPN requires two NAS boxes. The NAS for the VPN must be in-band. The NAS for the inside network can be in-band or out-of-band.
Hope this helps.
Paul
01-07-2008 07:13 AM
It helps a lot! Thank you very much!
01-07-2008 10:31 PM
Hi PAUL,
Thanks for your support and explanation.
Do you have any design or configuration documentation for the IB mode implementation with site-to-site VPN terminated on an ASA?
01-08-2008 04:01 AM
These are the resources I consult for all design and implementation questions:
These are the Web Sites and Blogs:
a. http://cisconac.blogspot.com/
b. http://www.networkworld.com/community/heary
c. http://blog.tenablesecurity.com/
d. http://blogs.cisco.com/security
f. http://www.demolabs.co.uk/cisconac_demo.html
This is an excellent reference book:
Cisco NAC Appliance: Enforcing Host Security with Clean Access by Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal. (2007)
Hope this helps.
Best,
Paul
01-10-2008 09:43 AM
Does anyone have a link to the documentation that specifically states that the VPN requires its own NAS? I have looked and cannot find anything. I know that it must be in-band, but other than that, I have seen no additional restriction. This little gotcha has created a rather nice customer sat issue, so any help is appreciated.
02-10-2008 05:59 PM
You do not need two CASs for LAN and remote access. I have deployed NAC internally and for remote access users with only 1 CAS. You will have to configure the CAS to be in-band because remote access is dependent on that, but VGW or Real-IP is up to you. Also you will need to be running 8.0 on either the ASA or PIX, but with the PIX going EOS you really should be using ASAs. I have been able to successfully configure SSO VPN with 1 CAM / CAS and an ASA running 8.0.3, but for some reason SSO VPN is not working with a PIX; I can use the CCA agent and log in just fine, though.
02-10-2008 06:11 PM
Let me restate: if you have configured NAC as out-of-band, then yes, you will need another CAS. If you have configured NAC as in-band, then no, you can use the same CAS. The CAS can only be configured one way, either out-of-band or in-band, not both.
Here is a great resource if you are starting out with Cisco NAC:
Cisco's Main Page for CCA NAC:
http://www.cisco.com/en/US/products/ps6128/index.html
This book is really good:
Cisco NAC Appliance
Enforcing Host Security with Clean Access
05-11-2010 10:37 AM
Hi, I had another question: in a NAC VPN implementation in VG band or Real IP gateway mode, is it possible to place an L2 switch between the Cisco ASA and the CAS?
I hope for your help, thanks.