I am trying to deploy an in-band solution for VPN users. There have been a few surprises after having started this project.
1. Because users are coming in over a VPN, the topology must be in-band.
2. If you want to have redundant CAS servers they cannot be separated by a NAT firewall from the CAM. Thus the reason why we have the CAM in the DMZ with the CAS.
I have a diagram here:
My problem now is the ASA does not see the CAS as an L2 device as it should. And the DMZ switch does not see the ASA as an L2 device. In other words, on the ASA I don't see an ARP entry for 192.168.48.3 and on the switch I don't see an ARP entry for 192.168.48.1.
What am I doing wrong?