Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

NAC- CAS Requirements

Unanswered Question

we have a main site that contains (1)CAM and (1) CAS and 250 users. we have 5 remote sites that connect to an ASA 5520 via DSL point to point VPN connections. There is no internet at these sites locally, they all access the internet through the main site. The remote sites have the same vlan setup as the main site. my core switch is a 3750 stack and all switches at remote sites are 3750's.

my question is do I need to place a CAS at each one of these locations or is there a possiblity to use the CAS at the main site. also if you could give recommedation on IB or OOB for this deployment. thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
husycisco Thu, 02/12/2009 - 01:46
User Badges:
  • Gold, 750 points or more

Hello Ryan,

When VPN termination is in place, OOB is not an option. You can use the CAS at main site.


so if I place the CAS in IB mode, the remote sites will use the untrusted interface of the CAS for all traffic for the access vlan?

if they want to hit the local domain controller, it will travel to the main site, and then back to the server vlan at the remote site?

how would I configure the switch at the remote branch to do so. would I just route all traffic from the client vlan to the untrusted CAS inteface

Is there any configuration that needs to be done on the lan to lan ASA's.


husycisco Thu, 02/12/2009 - 14:22
User Badges:
  • Gold, 750 points or more

Please ignore my previous post, I assumed VPN clients were in use.

Do you have devices that support PBR at branches? Do All branches have ASA firewall?

we have the main site. the main site has an asa for internet access. a cisco stack that contains our distrubution and access client. this is where our cam and cas connect. we have another ASA 5520 that is doing point to point connections to the 5 sites. those remote sites all have asa 5520's and are configured to use the vpn asa at the main site as thier default gateway.

we swithed the nac to real IP mode from oob today to start attempting the remote sites tomorrow.

That is exactly what we are planning, routing all traffic from the untrusted vlan to the main site CAS interface using PBR.

is this going to work with the ASA's?

what is the downside of doing it this way? do you see any issues or can you give any examples. some of these links are low bandwidth links.

thanks for all your help


This Discussion