NAC implementation

Unanswered Question
May 29th, 2009


Could I have some help in placing CAS and CAM servers in my existing topology :)

Indeed I want to verify the conformity of remote users (connected via VPN) to my inside servers by NAC, but I have some difficulty in placing them.

Is it possible to configure the CAS in VGW mode?

Please view the topology in the attachment.


srue Fri, 05/29/2009 - 06:41

Is there a network (with servers or PCs) that sits between the front and back firewalls? I don't often see designs like this with back-to-back firewalls.

What type of vpn/fw device sits closest to your ISP router?

You will have to configure the CAS in an in-band mode, either L3 or VGW.

i.ennassiri Fri, 05/29/2009 - 07:18

1/ The FW that is closest to the ISP router is an ASA 5550. The back FW is a Fortinet.

The front FW is used as a VPN server, and there are 2 DMZs: one for the AAA server, AD and CA server, and the other for web servers.

The back firewall is used to protect mission critical servers, and other networks connected to it.

2/ The network that I want to protect using NAC is a set of servers that will be accessed by VPN users.

Where should I place the CAM and CAS servers?


husycisco Sun, 05/31/2009 - 17:43

Hello Ismail,

The Auth DMZ looks like a suitable zone to place NAM.

A couple of questions: I'm no pro in Fortinet, can you do source routing with it? Is the inside switch an L3 switch?


i.ennassiri Sun, 05/31/2009 - 23:51

The inside switch is a Catalyst 3560; it supports L3.

So for the CAS, where can I place it? Can I configure it as a virtual gateway?
