NAC Appliance Configuration Question

Mar 3rd, 2010

Hi,


I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.


If this is possible, how would the VLAN mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to map the untrusted to the trusted VLAN?


Thanks for your assistance.

jedubois (Cisco Employee) Wed, 03/03/2010 - 07:45

Hello,

If you plan to connect the ASA directly to the Untrusted Interface then you would not need to worry about VLAN mappings. This would be an edge deployment; the CAS in Virtual Gateway mode will bridge traffic even if the ports are set as access ports.

The only thing you would have to configure would be the static route for the VPN client range pointing to the ASA interface connected to the CAS.

The ASA 5550 is a pretty beefy box, so if you are running firewall as well as VPN on that ASA you may want to consider investing in another switch so that you only send your VPN traffic through the CAS. If you connect the ASA to the CAS you also lose the ability to use redundancy in your setup.

The setup you are asking about though is possible and will work.

--Jesse

jpecarski Wed, 03/03/2010 - 08:03

Thanks Jesse,


I do agree having this configuration will limit them on redundancy and most likely we will go with a switched approach. If we have both the untrusted and the trusted interfaces connected to the same switch with an edge deployment, do I need VLAN mapping configured or can the NAC bridge the two VLANs without the mapping? I suspect without mapping we would introduce loops.


Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs, plus a trusted and an untrusted VLAN. This was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See below image: the ASA would connect to the switch as an access port on VLAN 3. The customer's internal LAN would connect to VLAN 2.


jedubois (Cisco Employee) Wed, 03/03/2010 - 08:12

Having both interfaces connected to the same switch is the definition of a Central Deployment. At this point, yes, you would be required to set up VLAN mappings and it would use 4 VLANs.

An edge deployment means that the devices on the untrusted side have no physical connection to the trusted devices.

The way I normally set it up is to have the Trusted Native VLAN be the CAS management address. The Untrusted Native VLAN would be set to a fake VLAN so no traffic can be looped. Then your traffic actually goes over the other two VLANs (an untrusted to a trusted via a VLAN mapping) which are trunked to the CAS. Your ASA (or the VPN sub-interface) will be in the untrusted VLAN and your ASA's gateway will be in the Trusted VLAN.

--Jesse

jedubois (Cisco Employee) Wed, 03/03/2010 - 08:26

Also, you will not want to have your natives as VLAN 999 on both interfaces; this could cause a bridging loop.

--Jesse
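The four-VLAN central deployment that Jesse describes above (and the native-VLAN caveat in his last reply) laid out as switch and ASA configuration. This is an added example written for this thread, not configuration posted by either participant or taken from Cisco documentation. It keeps the thread's VLAN 2 (trusted, customer LAN) and VLAN 3 (untrusted, ASA port); VLAN 10 as the trusted native / CAS management VLAN, VLAN 999 as the untrusted "fake" native, the interface numbers and the 10.1.2.0/24 and 10.1.100.0/24 addressing are all assumptions chosen for illustration.

```cisco
! ---- Switch (Cisco IOS), constructed example ----
! VLAN roles, following the thread:
!   VLAN 2   trusted data VLAN   - customer LAN and the ASA's default gateway
!   VLAN 3   untrusted data VLAN - ASA VPN-facing port; CAS maps 3 -> 2
!   VLAN 10  trusted native VLAN - CAS management address lives here (assumed number)
!   VLAN 999 untrusted native    - "fake" VLAN, nothing else is ever placed in it (assumed number)
vlan 2
 name TRUSTED-LAN
vlan 3
 name UNTRUSTED-VPN
vlan 10
 name CAS-MGMT
vlan 999
 name UNTRUSTED-NATIVE-DUMMY
!
! Trunk to the CAS trusted interface (eth0). Untagged frames = VLAN 10 = CAS management.
interface GigabitEthernet0/1
 description CAS trusted eth0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2,10
!
! Trunk to the CAS untrusted interface (eth1). The native VLAN MUST differ from
! the trusted side's native (Jesse's 08:26 note): the same native on both trunks
! gives the bridge an untagged path from eth1 back to eth0 and loops traffic.
interface GigabitEthernet0/2
 description CAS untrusted eth1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 3,999
!
! ASA inside interface: plain access port in the untrusted VLAN (VPN traffic only).
interface GigabitEthernet0/3
 description ASA inside - VPN clients only
 switchport mode access
 switchport access vlan 3
!
! Customer LAN / core gateway: access port in the trusted VLAN.
interface GigabitEthernet0/4
 description LAN gateway
 switchport mode access
 switchport access vlan 2

! ---- ASA 5550, constructed example ----
! Because the CAS bridges VLAN 3 onto VLAN 2 (Virtual Gateway), the ASA's inside
! address and its next hop in VLAN 2 share one subnet even though they sit in
! different VLANs on the switch. Addresses are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.2 255.255.255.0
 no shutdown
!
! VPN client pool; the CAS needs a static route for this range back to 10.1.2.2.
ip local pool VPN-POOL 10.1.100.1-10.1.100.254 mask 255.255.255.0
!
! Internal networks reached through the LAN gateway in the trusted VLAN.
route inside 10.0.0.0 255.0.0.0 10.1.2.1
```

Two items from the thread are not in the switch or ASA configuration at all and are set on the CAS itself (its web console): the VLAN mapping entry that pairs untrusted VLAN 3 with trusted VLAN 2, and the static route for the 10.1.100.0/24 VPN client range pointing at the ASA's inside address, which is the one piece of configuration Jesse says is still required even in the directly-cabled edge deployment. `switchport trunk encapsulation dot1q` is only accepted on platforms that support ISL as well; omit it on dot1q-only switches.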
