04-29-2010 11:11 AM - edited 02-21-2020 04:37 PM
I have a cisco 5520 firewall pair that is being used as a VPN gateway (for remote VPN users) and as Internet Edge firewall (to provide outbound internet connectivity).
We are enabling NAC for remote VPN users. I will be deploying it inband with layer 3 enabled.
The problem in this design is that how do we ensure that outbound internet traffic does not go through the CAS?
I have heard of a couple of options:
- PBR (to route only the IP subnet of remote VPN users through the CAS)
- Version 8.x feature of ASA (Restrict access to VLAN under group-policy).
I am planning to do it using ASA firewall where I can define a new subinterface on the ASA (with a new VLAN tag) and under group-policy for remote VPN users I select the option for "restrict access to the new VLAN".
My question is: does this still work (even if the firewall has a route for the internal network using the "inside" interface and NOT the new NAC interface)? If this doesn't work, please let me know what the other options are for this type of deployment.
Thanks in advance.
04-30-2010 12:07 AM
Hello,
This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
HTH,
Faisal
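For readers who want to see what the "restrict access to VLAN" setting from the question looks like in the ASA CLI, here is an added configuration example. It is not from the original post or from the linked Cisco document, and the interface, VLAN number, subnet, group-policy and tunnel-group names are all assumptions chosen for illustration. The relevant piece is the `vlan` command under group-policy attributes (ASA 8.0 and later), which directs decrypted traffic from sessions using that group policy out the subinterface carrying that VLAN; this is a per-session egress setting and is separate from the routing table, so the "inside" route mentioned in the question does not need to change.

```cisco
! Added example, not the configuration from the original post or the linked document.
! Assumed values: physical port GigabitEthernet0/2, VLAN 200, NAC subnet 10.200.0.0/24,
! group-policy NAC-VPN, tunnel-group VPN-USERS. Adjust to your own design.

! Subinterface facing the untrusted side of the inband CAS
interface GigabitEthernet0/2.200
 vlan 200
 nameif nac
 security-level 100
 ip address 10.200.0.1 255.255.255.0
!
! Group policy for remote-access VPN users: restrict them to VLAN 200 so their
! decrypted traffic egresses the "nac" subinterface instead of following the
! normal route to "inside"
group-policy NAC-VPN internal
group-policy NAC-VPN attributes
 vlan 200
!
! Apply the policy to the remote-access tunnel group
tunnel-group VPN-USERS general-attributes
 default-group-policy NAC-VPN
```

Outbound Internet traffic from the inside network is not affected by the group-policy setting, since it is not VPN session traffic, so it continues to use the routing table and never crosses the CAS. Verify with `show vpn-sessiondb detail` for a connected user and confirm the CAS sees the client's pool address on its untrusted side.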
04-30-2010 07:02 AM
This is exactly what I was looking for.
Thank you for the response.
Regards,
Syed