We had a hell of a time deploying our Clean Access Server as a Virtual Gateway in a central deployment. We were deploying the device for VPN users to do assessment of their machines. So far all is working alright. We had to change the original design because of the hardware limitations of the 3550 we have in our DMZ. You can't have one machine with two identical IPs in two different SVIs. It doesn't support it, so we had to bring the CAS into the core where that is supported on the right IOS. The VPN clients only need to get to the Terminal Server farm in this diagram:
So after a call with TAC we got it working, but it took some effort. Now I am reviewing the config and trying to document every important part of it. Then my boss asks me about the line:
route NAC_homeagents_vlan702 0.0.0.0 0.0.0.0 10.1.7.9 2
He says it does make sense and asks me to get rid of it. I do and all connections for the VPN users are dropped. He says it looks like a loop to him, and I am not too sure if he is right.
The idea here is that the VPN traffic should be in-band with the CAS. I also will admit that TAC told me I needed this, but I am not able to explain why it is there.
Thanks for any input that could clarify this for me,