I have a Cisco 5520 firewall pair that is being used as a VPN gateway (for remote VPN users) and as the Internet edge firewall (to provide outbound Internet connectivity).
We are enabling NAC for remote VPN users. I will be deploying it in-band with Layer 3 enabled.
The problem in this design is: how do we ensure that outbound Internet traffic does not go through the CAS?
I have heard of a couple of options:
- PBR ( to route only IP subnet of remote VPN users to go through CAS)
- Version 8.x feature of the ASA (restrict access to VLAN under group-policy).
I am planning to do it using ASA firewall where I can define a new subinterface on the ASA (with a new VLAN tag) and under group-policy for remote VPN users I select the option for "restrict access to the new VLAN".
My question is: does this still work (even if the firewall has a route for the internal network using the "inside" interface and NOT the new NAC interface)? If this doesn't work, please let me know what the other options are for this type of deployment.
Thanks in advance.
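For reference, this is what the two options listed in the question look like as configuration. It is an added example, not configuration from the original post; every interface name, VLAN ID, address and policy name in it is assumed (NAC segment VLAN 200 on 10.10.200.0/24, VPN pool 10.10.20.0/24, CAS untrusted side at 10.10.200.2, group-policy RA-VPN-GP). The ASA part is the CLI equivalent of the ASDM "Restrict access to VLAN" setting on 8.x: the group-policy `vlan` attribute is documented as the egress VLAN for that group's sessions, which is what makes it independent of the interface the inside route points at. PBR on the ASA itself only arrived in 9.4(1), which the 5520 does not run, so the PBR option has to be applied on the next-hop Layer 3 switch or router (IOS syntax shown).

```cisco
! ---- Option 2: ASA 8.x, dedicated NAC sub-interface plus group-policy VLAN mapping ----
! Assumed: Gi0/1 is the trunk toward the inside switch; VLAN 200 / 10.10.200.0/24 is the
! NAC segment where the CAS untrusted interface lives.
interface GigabitEthernet0/1.200
 vlan 200
 nameif nac
 security-level 100
 ip address 10.10.200.1 255.255.255.0
!
! Assumed VPN address pool for the remote-access users.
ip local pool RA-VPN-POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0
!
! "Restrict access to VLAN" in ASDM = the vlan attribute under the group-policy.
! Decrypted traffic from sessions in this group egresses on VLAN 200 (the nac sub-interface).
group-policy RA-VPN-GP attributes
 vlan 200
 address-pools value RA-VPN-POOL
!
! The ordinary inside route is left untouched (assumed next hop 10.1.1.2), so LAN traffic
! headed out to the Internet is still routed normally and never enters the nac VLAN.
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
!
! Quick checks after applying (run on the ASA):
!   show running-config group-policy RA-VPN-GP   -> should list "vlan 200"
!   show interface GigabitEthernet0/1.200        -> nac sub-interface up, VLAN 200
!
! ---- Option 1: PBR on the upstream Layer 3 switch/router (IOS syntax) ----
! Assumed: VLAN 10 SVI faces the ASA inside interface; only the VPN pool is policy-routed
! to the CAS untrusted side, everything else follows the normal routing table.
ip access-list extended VPN-USERS
 permit ip 10.10.20.0 0.0.0.255 any
!
route-map TO-CAS permit 10
 match ip address VPN-USERS
 set ip next-hop 10.10.200.2
!
interface Vlan10
 description Link to ASA inside
 ip policy route-map TO-CAS
!
! With in-band Layer 3, return traffic toward the pool also has to pass the CAS, so the
! internal side needs a route for 10.10.20.0/24 pointing at the CAS trusted interface
! (assumed address 10.10.201.2) rather than straight at the ASA.
ip route 10.10.20.0 255.255.255.0 10.10.201.2
```

With the group-policy approach, only sessions in RA-VPN-GP are affected; any other group-policy without a `vlan` attribute, and all non-VPN traffic through the ASA, keeps using the routing table, which is the property the question is after. With the PBR approach the policy lives outside the ASA, so the ASA configuration stays as it is, but both directions of the VPN users' traffic have to be steered explicitly.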