Unanswered Question
Oct 15th, 2008


I have a customer who is currently using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added, which is fine, but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network, as in this Cisco document:

That looks like it will work fine for VPN access, but what about the outgoing Internet access for the current internal users? Will that still be OK, or do I need to use a separate ASA for VPN access with NAC? Oh yes, will I need an ACS as well, or can the NAC talk directly to the SecureID appliance, either using RADIUS or RSA's own protocol? Sorry if these are dumb questions, but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.



Daniel Laden (Cisco Employee) Fri, 10/17/2008 - 09:05

You can use a single ASA for internet access and NAC VPN.

If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.

If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into the internal network). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.

Cisco NAC VPN SSO uses RADIUS accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a RADIUS accounting packet to the Cisco NAC Server.

VGW Example

NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example

Real IP example

Integrating with Cisco VPN Concentrators


Dan Laden
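An added illustration of the Real IP plus PBR design Dan describes (this is example config written for this thread, not taken from the linked Cisco documents or from the original post): route-maps on the internal Layer 3 router send only the VPN client pool through the NAC Server, in both directions, while office users' Internet traffic follows the normal routing table and bypasses the CAS. All addresses and interface names are assumed for the example.

```cisco
! Added example, not taken from the Cisco documents above.
! Assumed addressing (constructed for this example):
!   VPN client pool handed out by the ASA : 10.200.0.0/24
!   ASA inside interface                  : 192.168.10.2 (router Gi0/0 = .1)
!   CAS untrusted (Real-IP) interface     : 192.168.50.2 (router Gi0/2 = .1)
!   CAS trusted interface                 : 192.168.60.2 (router Gi0/3 = .1)
!
! Traffic arriving FROM VPN clients (seen on the link from the ASA)
ip access-list extended FROM-VPN-POOL
 permit ip 10.200.0.0 0.0.0.255 any
!
! Traffic going back TO VPN clients from the internal LAN
ip access-list extended TO-VPN-POOL
 permit ip any 10.200.0.0 0.0.0.255
!
! Client-to-LAN direction: hand VPN flows to the CAS untrusted side.
! Anything not matched (office users bound for the Internet) falls through
! to the normal routing table and never touches the CAS.
route-map VPN-TO-CAS permit 10
 match ip address FROM-VPN-POOL
 set ip next-hop 192.168.50.2
!
! LAN-to-client direction: return traffic re-enters on the CAS trusted side,
! so the CAS sees both halves of each VPN flow and can enforce posture.
route-map CAS-TO-VPN permit 10
 match ip address TO-VPN-POOL
 set ip next-hop 192.168.60.2
!
interface GigabitEthernet0/0
 description Link to ASA inside interface
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map VPN-TO-CAS
!
interface GigabitEthernet0/1
 description Internal LAN
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map CAS-TO-VPN
!
interface GigabitEthernet0/2
 description To CAS untrusted interface
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/3
 description To CAS trusted interface
 ip address 192.168.60.1 255.255.255.0
!
! Return path for the pool once the CAS has handed traffic back to the router
ip route 10.200.0.0 255.255.255.0 192.168.10.2
```

The NAC Server itself still needs a route for 10.200.0.0/24 back toward 192.168.50.1 and a default route via 192.168.60.1, and the ASA must be set to send RADIUS accounting for the VPN tunnel group to the CAS for the SSO Dan mentions; neither is shown here.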

juancarlosorellana Mon, 01/04/2010 - 11:36

Hello, I want to deploy NAC for VPN users, but I have some questions about implementing it, because I want to put the CAS between the router and an ASA, but I want only the VPN traffic to pass through the CAS, not the Internet traffic. In that case, do I need to connect a second interface of the ASA to the CAS? Is there some way to do this today, and if so, what would you recommend?

juancarlosorellana Wed, 01/06/2010 - 06:41

Hello, I would like you to tell me why you think the implementation in Real IP mode is better, and in what way it can benefit me, because all the network traffic to the Internet would pass through the CAS and I need only the VPN traffic to pass. I'll be very grateful for your response.

juancarlosorellana Thu, 01/07/2010 - 11:47

In Real IP mode, where do I have to configure the PBR? Will I always need a second interface on the router to separate the traffic, or is it necessary for both kinds of traffic to pass through the CAS?

Could you attach a small diagram of your recommendation?

davidvanzummere... Fri, 01/08/2010 - 13:56

Hello Daladen,

Do you have an example of setting up the VPN on another interface? I've been around and around with Cisco support on how to do this.
