12-12-2011 03:38 AM - edited 03-10-2019 06:37 PM
Hi all,
if this post is in the wrong forum, then please let me know and I will move it to the correct forum.
I am intending to use a Cisco ISE Inline Posture Node for our VPN clients coming in through our ASA device. I'd like to know whether any functionality is lost when using the Inline Posture Node as an L3 routed device or an L2 bridged device.
My preferred method, as I understand it, would be to go L2 mode so that I do not have to change any network addressing and the device can sit "inline" on my VLANs.
I would be grateful for any information on this.
Thanks
Mario
12-15-2011 09:37 PM
It all depends on your setup. For L2 mode you will have to assign a VLAN to your clients that come in on a specific group policy, and that VLAN must be the VLAN that terminates on the untrusted interface of your iPEP. From there the VLAN mapping occurs, taking those VPN clients from that GP VLAN to a production VLAN where they are routed through whatever access is permitted in your authorization policies.
Basically we would have users from the 10.x.x.x network map to VLAN 10 on the ASA group policy; from there the actual routable VLAN is 100, so from the iPEP (posture node) we will set up the VLAN mapping so that all traffic is forced through the iPEP and through your production network.
Thanks,
Tarik Admani
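The ASA side of the setup Tarik describes (VPN clients landing on VLAN 10 via their group policy, with the iPEP later mapping VLAN 10 to production VLAN 100), as an added configuration example that is not from the original thread. The group-policy, tunnel-group and pool names and the 10.10.10.0/24 addresses are constructed for illustration; the VLAN 10 to VLAN 100 mapping itself is configured on the ISE Inline Posture node and is not shown here.

```cisco
! Constructed example: address pool for posture-gated VPN clients
ip local pool VPN-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0

! Group policy that places clients on VLAN 10, the VLAN terminating
! on the iPEP untrusted interface (name is an assumption)
group-policy VPN-POSTURE-GP internal
group-policy VPN-POSTURE-GP attributes
 vlan 10
 address-pools value VPN-POOL

! Tunnel group that hands clients this group policy by default
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 default-group-policy VPN-POSTURE-GP
```

Verify after connecting with `show vpn-sessiondb detail anyconnect` that the session shows the expected group policy and assigned VLAN before relying on the iPEP to enforce the authorization policy.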
05-09-2012 08:16 AM
Hi Tarik,
I know that it has been a while. We are going to be doing a Proof of Concept with the ISE next week and I was wondering whether there are any recommended guides for setting up the ISE with the ASA for inline posturing and profiling of VPN clients?
Thanks
Mario