1823 Views · 0 Helpful · 18 Replies

NAC deployment on Remote Branch

syedaltaf.shah
Level 1

Hello guys,

I need help deploying Cisco NAC on a remote branch. I did all the necessary steps & configs but still no luck. On the main site we have an OOB Real-IP Gateway deployment. All of the campus is deployed, but for the remote branch it is not working. We have in-between firewalls & routers (of course); I have allowed IP any to the NAC Server & Manager, but still no luck.

Is there any point I am missing? Do I have to do some extra config for the remote branch?

18 Replies

Tarik Admani
VIP Alumni

Syed,

Can you give us a brief example of your current setup? Do you have PBR set up in order to force the users through the CAS during posture assessment? Also, do you have the static routes configured on the CAS that will route the traffic back to the clients? And do you have the static routes configured so that any response that needs to reach these clients is set to go through the trusted IP address of the CAS?

Thanks

Tarik Admani

If you can post a Visio, please do so; it will make it much easier to see what the path is for the clients and the CAS.

Hi Tarik,

Sorry, I cannot paste a Visio. I will give you a brief overview; the answer to all of your questions is yes, I did.

1. NAC CAM & CAS are both in the datacenter.

2. Our campus is big, so we have routing within the campus, and at each branch within the campus we configured PBR on the branch core switches, which is working fine within the campus.

3. The remote branch is connected through IP VPN & leased lines. I have configured PBR on its core switch as we did in the campus: forced the client subnet to communicate only with the CAS if in the unauthenticated VLAN, and routed it to the CAS IP.

4. Added the static route in the CAS for this branch subnet.

5. Configured ACLs on the ASA from any to all CAS & CAM IPs (trusted, untrusted, virtual, real).

Is there anything else required?

Dear Tarik,

Is it possible the default VLAN is creating the problem? That branch is using the default VLAN: the normal VLAN is the default VLAN 1, and I have created VLAN 10 for unauthenticated users.

Without understanding your network, this is a little challenging to troubleshoot. All clients must be on the unauthenticated VLAN for their traffic to be isolated until they are authorized by the manager, at which point SNMP is used to reassign the clients to the appropriate VLAN.

Thanks,

Tarik

Dear Tarik,

I can draw you a rough diagram; a detailed diagram will not be possible. Would that be enough?

Yes,

We need to verify that your routing for the unauthenticated clients is symmetric and flows through the CAS. You also want to configure the correct static routes.

Dear Tarik,

Find below the rough diagram of this branch. I hope it helps.

Syed,

From the remote branch, are you forwarding all the tunneled traffic to the CAS virtual IP? Also, with respect to static routes on the CAS, are you pointing the untrusted client subnets to the interface on the firewall?

When you open a web page to google for example what happens?

Thanks

Tarik Admani

Hi Tarik,

1. From the remote branch, are you forwarding all the tunneled traffic to the CAS virtual IP?

All traffic passes through the tunnel, but unauthenticated traffic goes to the CAS virtual IP through policy.

2. Also, with respect to static routes on the CAS, are you pointing the untrusted client subnets to the interface on the firewall?

No, it is routed to an SVI on our core switches. We have the CAS & CAM in a separate VLAN, so we are routing that traffic to this interface on the core switch.

It is not connected to the internet; we have no connection to the internet, so anyway when a client is in the authenticated VLAN we cannot do anything. Though I can reach the CAS & CAM IPs from the clients, they are not shifted to the normal VLAN.

Basically here is the traffic flow for example:

  • Unauthenticated clients are on 10.0.0.0/24; the CAS untrusted IP is 172.16.0.1/24 and the trusted IP is 172.16.1.1/24.
  • Unauthenticated traffic is routed to 172.16.0.1 via PBR for subnet 10.0.0.0/24.
  • On your core switch you have a static route that points 10.0.0.0/24 to 172.16.1.1 (trusted CAS interface).
  • On your CAS configuration you have a static route that points 10.0.0.0/24 out the untrusted interface (over to the next hop, which is usually the firewall interface).

I hope this makes sense; if it doesn't, then you will need to contact your partner or open a TAC case so they can take a better look at your topology.

Thanks

Tarik Admani
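One way to check the symmetry Tarik describes, as an added example that is not part of this thread: a small Python model of the three forwarding decisions (branch-core PBR, the CAS static routes, and the datacenter-core static route toward the CAS trusted interface) that traces a client-to-server flow in both directions and reports whether both legs cross the CAS. The 10.0.0.0/24 client subnet and the 172.16.0.1 / 172.16.1.1 CAS interfaces are the ones in the post; the server address, the 10.0.0.0/8 WAN route on the datacenter core and the device names are constructed for the model.

```python
import ipaddress

# Addresses from the thread's example; the server address is a constructed placeholder.
CLIENTS = ipaddress.ip_network("10.0.0.0/24")      # unauthenticated client subnet
SERVER = "192.168.50.10"                            # assumed host behind the datacenter core


def lookup(table, dst):
    """Longest-prefix match over {network: next_hop}; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def build_hops(core_has_cas_route):
    """Forwarding logic per device; each function returns the next device for (src, dst)."""
    def branch_core(src, dst):
        if ipaddress.ip_address(dst) in CLIENTS:
            return "client"                     # directly connected: deliver locally
        if ipaddress.ip_address(src) in CLIENTS:
            return "cas_untrusted"              # PBR: client traffic forced to 172.16.0.1
        return "dc_core"

    def cas(src, dst):
        # The CAS runs no routing protocol: a static route sends the client subnet out
        # the untrusted interface; everything else leaves via the trusted interface.
        return "branch_core" if ipaddress.ip_address(dst) in CLIENTS else "dc_core"

    dc_table = {ipaddress.ip_network("10.0.0.0/8"): "branch_core",   # branch space via WAN (constructed)
                ipaddress.ip_network("192.168.50.0/24"): "server"}
    if core_has_cas_route:
        dc_table[CLIENTS] = "cas_trusted"       # more-specific /24 wins: replies go to 172.16.1.1
    return {"branch_core": branch_core, "cas_untrusted": cas, "cas_trusted": cas,
            "dc_core": lambda src, dst: lookup(dc_table, dst)}


def trace(hops, start, src, dst, limit=8):
    """Follow next-hop decisions from `start` until the packet is delivered."""
    path = [start]
    while path[-1] not in ("client", "server") and len(path) < limit:
        path.append(hops[path[-1]](src, dst))
    return path


def symmetric_through_cas(core_has_cas_route):
    """True only if both directions of a client<->server flow pass a CAS interface."""
    hops = build_hops(core_has_cas_route)
    fwd = trace(hops, "branch_core", "10.0.0.5", SERVER)
    rev = trace(hops, "dc_core", SERVER, "10.0.0.5")
    return any(h.startswith("cas") for h in fwd) and any(h.startswith("cas") for h in rev)
```

Without the /24 static route on the datacenter core, the return path follows the less-specific WAN route straight to the branch, the CAS never sees the reply, and the client stays stuck in the unauthenticated role even though it can reach the CAS and CAM addresses.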

Tarik,

On your core switch you have a static route that points 10.0.0.0/24 to 172.16.1.1 (trusted CAS interface)

You are talking about the route in the core switch of the remote branch, right?

I do not understand. First you are routing the untrusted IP to the untrusted interface of the CAS, then the same traffic to the trusted IP of the CAS?

Syed,

I apologize for the confusion. The traffic needs to be routed to the untrusted interface, where the CAS will then inspect the traffic and route it through to its trusted interface, where it will hit the core. Your static routes in the core need to send any responses for these untrusted subnets back through the trusted interface, where the routing table inside the CAS will then send the traffic back out to the subnet for these clients. This is because the CAS does not support routing protocols.

I hope that clears up the confusion.

Thanks, Tarik, for the clarification.

These have all already been done. As I said, from the clients, either in the untrusted VLAN or the trusted VLAN, I can reach the CAS & CAM IP addresses. All untrusted traffic for clients has been forwarded to the CAS untrusted IP using a policy map in the core of the remote site, but it is still not working.

Can you share the issue you are having? Is the traffic being dropped at the server?

How are you able to verify that all the traffic is symmetrically routing through the CAS?

What ports do you have opened for the unauthenticated role? In Real-IP mode, no DNS traffic is allowed unless you allow it.

Thanks,

Sent from Cisco Technical Support iPad App
