NAC Questions

Answered Question
Oct 21st, 2009

We have 2 CASs that should be configured with HA; they are located in the WAN zone of the FWSM. There is a static NAT, i.e.

static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

where 10.0.0.1 is the ip of CAM and the cas has 20.0.0.1.

I have read that if the CAS and CAM are across the firewall then the CAM will not add the CAS as an HA unit. The NAT above is in place.

Correct Answer
Faisal Sehbai Wed, 10/21/2009 - 06:27

Talha,

That is correct. HA with NAT'd CASs isn't supported.

HTH,

Faisal

talha_490 Wed, 10/21/2009 - 07:23

Thanks Faisal,

So should I conclude that in my scenario it is not possible for me to configure the CAS in HA?

Correct Answer
Faisal Sehbai Wed, 10/21/2009 - 07:26

If there's NAT in the picture, then yes, this won't work. If you can somehow remove the NAT and route between the CAS and CAM, then it should be fine.

[Edit] I just looked at the NAT closely and apologize for giving you the wrong information. The only scenario when NAT breaks things is when the IP addresses are different when you're NAT'ing (e.g. 10.x being nat'ed to 192.168.x when reaching the CAM etc)

In this scenario where the NAT and the actual IP are the same it should work. You'll just have to ensure that the required traffic flow is open between the devices.

HTH,

Faisal

talha_490 Wed, 10/21/2009 - 07:30

Dear Faisal,

The NAT is a must, as both interfaces are of different security levels, with inside and WAN at 100 and 70 respectively.

But the reason I am asking is that the nat command is not changing the IP address in my case, as the translated IP is the same as the original IP:

static (inside,WAN) 10.0.0.1 10.0.0.1

But I have read the doc, and it talks about translated and original IPs in general; there are no further details.
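The distinction Faisal draws in the thread (NAT only breaks CAS/CAM HA when the translated address differs from the real one, while an identity static such as the one quoted above does not rewrite anything) can be checked mechanically before a deployment. The following is an added example, not code from the thread or from Cisco: it parses pre-8.3 style FWSM/PIX/ASA `static (real_if,mapped_if) mapped_ip real_ip [netmask mask]` lines and reports, for each device address, whether it is passed through unchanged (identity NAT), rewritten to a different address (HA will fail), or not covered by any static at all. The sample configuration, the device names and the 10.0.0.2 / 192.168.50.2 contrast entry are constructed for the example; the 10.0.0.1 identity line is the one from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Pre-8.3 PIX/ASA/FWSM static form:
#   static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
# Note the order: the FIRST address is the translated (mapped) one,
# the SECOND is the device's real address. Assumed syntax for this example.
STATIC_RE = re.compile(
    r"^\s*static\s+\(\s*(?P<real_if>[^,\s]+)\s*,\s*(?P<mapped_if>[^)\s]+)\s*\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    real_ip: ipaddress.IPv4Address
    mapped_ip: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address

    @property
    def is_identity(self) -> bool:
        """True when the mapped address equals the real address (no rewrite)."""
        return self.real_ip == self.mapped_ip

    def _real_net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.real_ip, str(self.netmask)), strict=False)

    def covers(self, host: ipaddress.IPv4Address) -> bool:
        """Does this static apply to host? A /32 entry matches exactly one host."""
        return host in self._real_net()

    def translate(self, host: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """The address host is seen as on the mapped interface."""
        offset = int(host) - int(self._real_net().network_address)
        mapped_net = ipaddress.IPv4Network((self.mapped_ip, str(self.netmask)), strict=False)
        return mapped_net.network_address + offset


def parse_static(line: str) -> Optional[StaticNat]:
    """Parse one config line; returns None for anything that is not a static."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    return StaticNat(
        real_if=m["real_if"],
        mapped_if=m["mapped_if"],
        real_ip=ipaddress.IPv4Address(m["real"]),
        mapped_ip=ipaddress.IPv4Address(m["mapped"]),
        # a host static without an explicit netmask is treated as /32
        netmask=ipaddress.IPv4Address(m["mask"] or "255.255.255.255"),
    )


def check_ha_addresses(config: str, device_ips: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each named device, report ('identity', addr), ('translated', mapped_addr)
    or ('no-static', None). 'translated' is the case that breaks CAS/CAM HA."""
    statics = [s for s in (parse_static(ln) for ln in config.splitlines()) if s]
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for name, ip in device_ips.items():
        host = ipaddress.IPv4Address(ip)
        hits = [s for s in statics if s.covers(host)]
        if not hits:
            report[name] = ("no-static", None)
        elif all(s.is_identity for s in hits):
            report[name] = ("identity", str(host))
        else:
            bad = next(s for s in hits if not s.is_identity)
            report[name] = ("translated", str(bad.translate(host)))
    return report


def ha_is_viable(report: Dict[str, Tuple[str, Optional[str]]]) -> bool:
    """HA is only ruled out by an address that is actually rewritten."""
    return not any(status == "translated" for status, _ in report.values())


# Constructed sample: the identity line from the thread plus one contrast entry.
SAMPLE_CONFIG = """\
! thread's statement: identity NAT, the CAM keeps 10.0.0.1 on the WAN side
static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
! constructed contrast case: a second device rewritten to another address
static (inside,WAN) 192.168.50.2 10.0.0.2 netmask 255.255.255.255
"""
SAMPLE_DEVICES = {"CAM": "10.0.0.1", "CAS": "20.0.0.1", "CAS-2 (constructed)": "10.0.0.2"}

if __name__ == "__main__":
    result = check_ha_addresses(SAMPLE_CONFIG, SAMPLE_DEVICES)
    for name, (status, mapped) in result.items():
        print(f"{name:22s} {status:11s} {mapped or ''}")
    print("HA viable across this NAT:", ha_is_viable(result))
```

An identity result does not by itself prove HA will come up: as the answer notes, the ACLs between the interfaces still have to permit the CAS/CAM traffic, so this check only rules out the address-rewrite failure mode.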
