03-03-2010 06:22 AM - edited 02-21-2020 03:53 AM
Hi,
I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.
If this is possible, how would the VLAN mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to map the untrusted to the trusted VLAN?
Thanks for your assistance.
03-03-2010 07:45 AM
Hello,
If you plan to connect the ASA directly to the Untrusted Interface then you would not need to worry about VLAN mappings. This would be an edge deployment; the CAS in Virtual Gateway mode will bridge traffic even if the ports are set as access ports.
The only thing you would have to configure would be the static route for the VPN client range pointing to the ASA interface connected to the CAS.
The ASA 5550 is a pretty beefy box, so if you are running firewall as well as VPN on that ASA you may want to consider investing in another switch so that you only send your VPN traffic through the CAS.
If you connect the ASA to the CAS you also lose the ability to use redundancy in your setup.
The setup you are asking about, though, is possible and will work.
--Jesse
03-03-2010 08:03 AM
Thanks Jesse,
I do agree that having this configuration will limit them on redundancy, and most likely we will go with a switched approach. If we have both the untrusted and the trusted interfaces connected to the same switch with an edge deployment, do I need VLAN mapping configured, or can the NAC bridge the two VLANs without the mapping? I suspect without mapping we would introduce loops.
Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs, plus an untrusted and a trusted VLAN. This was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See below image: the ASA would connect to the switch as an access port on VLAN3. The customer's internal LAN would connect to VLAN2.
03-03-2010 08:12 AM
Having both interfaces connected to the same switch is the definition of a Central Deployment.
At this point, yes, you would be required to set up VLAN mappings and it would use 4 VLANs.
An edge deployment means that the devices on the untrusted side have no physical connection to the trusted devices.
The way I normally set it up is to have the Trusted Native VLAN be the CAS management address. The Untrusted Native VLAN would be set to a fake VLAN so no traffic can be looped.
Then your traffic actually goes over the other two VLANs (an untrusted to a trusted via a VLAN mapping) which are trunked to the CAS. Your ASA (or the VPN sub-interface) will be in the untrusted VLAN and your ASA's gateway will be in the Trusted VLAN.
--Jesse
03-03-2010 08:26 AM
Also, you will not want to have your natives as VLAN 999 on both interfaces; this could cause a bridging loop.
--Jesse
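As an added illustration of the four-VLAN central deployment Jesse describes (this is example code written for this page, not code from the thread or from Cisco), a small Python checker that applies the thread's rules to a planned CAS VGW VLAN layout before it is cabled up. The `VgwPlan` structure, the `check_plan` function and the VLAN numbers in the sample are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class VgwPlan:
    """Hypothetical data model for a CAS Virtual Gateway central deployment.

    Not a Cisco configuration format; it only captures the four VLANs the
    thread talks about plus the VLANs that carry real traffic on the switch.
    """
    trusted_native: int                  # trusted-side native VLAN (CAS management lives here)
    untrusted_native: int                # untrusted-side native VLAN (should be a dummy VLAN)
    mappings: dict                       # untrusted VLAN -> trusted VLAN bridged by the CAS
    vlans_in_use: set = field(default_factory=set)  # VLANs that really carry hosts/traffic


def check_plan(plan: VgwPlan) -> list:
    """Return a list of problems; an empty list means the plan follows the thread's rules."""
    problems = []
    natives = {plan.trusted_native, plan.untrusted_native}

    # Jesse's last post: identical natives on both CAS interfaces risk a bridging loop.
    if plan.trusted_native == plan.untrusted_native:
        problems.append("native VLAN is the same on both CAS interfaces: bridging loop risk")

    # The untrusted native should be a fake VLAN so no real traffic can loop over it.
    if plan.untrusted_native in plan.vlans_in_use:
        problems.append(f"untrusted native VLAN {plan.untrusted_native} carries real traffic; use an unused dummy VLAN")

    # A central deployment needs a real untrusted->trusted mapping, not a pass-through.
    if not plan.mappings:
        problems.append("central deployment with no VLAN mapping: untrusted and trusted sides are not bridged")
    for untrusted, trusted in plan.mappings.items():
        if untrusted == trusted:
            problems.append(f"mapping {untrusted}->{trusted} bridges a VLAN to itself")
        # Assumption drawn from the thread: user traffic goes over the 'other two' VLANs,
        # so a mapping should not reuse either native VLAN.
        if untrusted in natives or trusted in natives:
            problems.append(f"mapping {untrusted}->{trusted} reuses a native VLAN")
    return problems


# Constructed sample matching the thread: ASA in VLAN3 (untrusted), internal LAN in VLAN2 (trusted),
# CAS management on a dedicated trusted native VLAN and a dummy untrusted native VLAN.
GOOD_PLAN = VgwPlan(trusted_native=10, untrusted_native=999, mappings={3: 2}, vlans_in_use={2, 3, 10})
# Constructed bad sample: both natives set to 999, as warned against in the thread.
LOOPED_PLAN = VgwPlan(trusted_native=999, untrusted_native=999, mappings={3: 2}, vlans_in_use={2, 3})
```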