10-15-2008 12:13 PM - edited 02-21-2020 03:59 PM
Hi
I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
That looks like it will work fine for VPN access, but what about the outgoing Internet access for the current internal users? Will that still be OK, or do I need to use a separate ASA for VPN access with NAC? Oh yes, will I need an ACS as well, or can the NAC talk directly to the SecurID appliance, either using RADIUS or RSA's own protocol? Sorry if these are dumb questions, but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly; I can work out the details later.
Thanks
Pat
10-17-2008 09:05 AM
You can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server, and normal Internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into the internal network). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses RADIUS accounting packets to authenticate VPN users. The ASA will interface with the token server. Once authenticated, the ASA will send a RADIUS accounting packet to the Cisco NAC Server.
VGW Example
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Real IP example
Integrating with Cisco VPN Concentrators
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
Regards,
Dan Laden
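To make the Real IP / PBR option above concrete, here is an added example configuration. It is not from the original post or from the linked Cisco documents, and every address, interface name and group name in it is an assumption: the ASA inside interface is 10.1.0.2, the CAS untrusted interface 10.1.0.3 (same segment as the ASA and the router's Gi0/0), the CAS trusted interface 10.1.2.2 on the internal LAN segment, and the remote-access VPN pool 10.200.0.0/16. The router sits between the ASA and the internal LAN; only traffic sourced from the VPN pool is policy-routed to the CAS, while Internet traffic follows the normal default route and never touches it. The second fragment is the ASA side of the RADIUS accounting hand-off Dan describes.

```text
! ---- Inside router between the ASA and the internal LAN (constructed example) ----
!
! Gi0/0: segment shared with the ASA inside interface (10.1.0.2)
!        and the CAS untrusted interface (10.1.0.3)
interface GigabitEthernet0/0
 description To ASA inside and CAS untrusted
 ip address 10.1.0.1 255.255.255.0
 ip policy route-map VPN-VIA-CAS
!
! Gi0/1: internal LAN, also where the CAS trusted interface (10.1.2.2) lives
interface GigabitEthernet0/1
 description Internal LAN and CAS trusted
 ip address 10.1.2.1 255.255.255.0
!
! Match only packets sourced from the remote-access VPN pool (assumed 10.200.0.0/16)
ip access-list extended VPN-POOL-SRC
 permit ip 10.200.0.0 0.0.255.255 any
!
! VPN users entering from the ASA are handed to the CAS untrusted side
! before they can reach the LAN; nothing else matches this route-map
route-map VPN-VIA-CAS permit 10
 match ip address VPN-POOL-SRC
 set ip next-hop 10.1.0.3
!
! Everything that is not policy-routed uses normal routing:
! Internet-bound traffic goes straight to the ASA, bypassing the CAS
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
! Return traffic for the VPN pool must re-enter the CAS on its trusted side;
! the CAS (Real IP gateway) then routes it back out to the ASA
ip route 10.200.0.0 255.255.0.0 10.1.2.2

! ---- ASA: send RADIUS accounting for VPN sessions to the CAS (constructed example) ----
!
! Server group name, CAS address and tunnel-group name are assumptions;
! the shared secret is a placeholder to be replaced
aaa-server NAC-ACCT protocol radius
aaa-server NAC-ACCT (inside) host 10.1.0.3
 key <SHARED-SECRET-PLACEHOLDER>
 accounting-port 1813
!
tunnel-group RA-VPN general-attributes
 accounting-server-group NAC-ACCT
```

Two checks worth doing after applying this: confirm with `show route-map VPN-VIA-CAS` that the policy-routed counter increases only when a VPN user passes traffic, and confirm on the CAS that accounting Start records arrive for each new VPN session, since the SSO depends on those packets and a wrong shared secret or port silently leaves users unauthenticated to the NAC.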
01-04-2010 11:36 AM
Hello, I want to deploy NAC for VPN users, but I have some questions about implementing it, because I want to put the CAS between the router and an ASA, but I want only the VPN traffic to pass through the CAS, not the Internet traffic that I have today. In that case I need to connect a second interface of the ASA to the CAS. Is there some way to do this today, and if so, what do you recommend?
01-05-2010 04:30 AM
Hello, I think you should deploy the NAC in Real IP gateway mode. I share with you the attached document.
Best regards.
01-06-2010 06:41 AM
Hello, I would like you to tell me why you think the implementation in Real IP mode is better, and in what way this can benefit me, because all network traffic to the Internet would pass through the CAS and I need to pass just the VPN traffic. I'll be very grateful for your response.
01-07-2010 11:47 AM
In the Real IP mode, where do I have to configure the PBR? Would I need a second interface on the router to separate the traffic, or is it necessary for both kinds of traffic to pass through the CAS?
Could you attach a small diagram of your recommendation?
01-08-2010 01:56 PM
Hello Daladen,
Do you have an example of setting the VPN on another interface? I've been around and around with Cisco support on how to do this.