Cisco Support Community
CAS/CAM Out-of-Band Noob

Hello,

We have just acquired a CAS and a CAM on 3310s running 4.6.1. We have remote (all over the country) Windows clients who presently connect to our home offices via Cisco AnyConnect Client. I am struggling to understand the best way to set this up, however there is one requirement:

1. If the CAS or CAM becomes unavailable, users should still be able to connect to the network where they need to go. We don't want these boxes to stop users from doing their job, and we see the added security they offer as highly valuable but NOT mandatory.

With that in mind I think I should be looking at OOB setups. Questions:

1. Do I assume correctly that an OOB setup is what I want?

2.What type of Clean Access Server type should I be using? Real-IP Gateway or Virtual Gateway?

3.I have seen a Configuration Example (Doc ID 71573) for In-Band Virtual Gateway for Remote Access VPN, but not an example of an Out-of-Band setup. Anyone know where I might find that?

Any help is much appreciated,

Pedro

19 REPLIES

Re: CAS/CAM Out-of-Band Noob

OK, I am coming back to this question because I have found out a few things. First of all, the remote VPN users will be doing Single Sign On with our ASA firewall. This setup makes In-Band mandatory. Also, we will be doing Virtual Gateway on the CAS as I see this as the least disruptive to the existing network. They call it a bump-in-the-line.

My business requirement has loosened up as well. We will now get another CAS for fault tolerance. If the CAM goes down the CAS will fail open, but before, with the one CAS down, we were dead in the water. Now with two CAS I am hoping my chances of both dying aren't too great.

So I am trying to follow Doc ID 71573 and I can't get it to work for me.

The problem starts when I set the Management VLAN IDs (see attachment CAS_VLAN1.gif).

As soon as I do that and then do VLAN Map (see attachment CAS_VLAN_MAP.gif) and reboot the CAS, I lose access to the CAS.

I made sure not to physically connect the eth1 (untrusted) port until all that was done, yet there is no way in and I have to do a reconfig of the CAS.

Questions:

1. Do the management VLAN IDs need to be the same as the VLANs that these ports are on the switch?

2. Do both ports on the CAS go to the same switch?

3. What would the switch setup look like (VLAN-wise)?

Confused,

Pedro


Re: CAS/CAM Out-of-Band Noob

OK I have some of this working.

What I did:

1. The trusted eth0 on the CAS is configured as follows on the switch:

interface FastEthernet0/15
 description eth0(trusted) on Clean Access Server
 switchport trunk native vlan 997
 switchport trunk allowed vlan 30,702
 switchport mode trunk
 spanning-tree portfast

Where VLAN 30 is where the RADIUS server lives and VLAN 702 is the Management VLAN for the trusted.

Once I did that I could see the CAS again and manage it.

I don't know if I mentioned this, but this is a TEST environment still. I am including a diagram of the topology as it is right now.

I still don't know what to do with the untrusted interface of the CAS. What VLAN? What switch?

Also, the TESTASA needs to go to the same switch as well, no? What VLANs does it talk on?

Getting closer. Please advise. I am going a little nuts. The diagram lacks the RADIUS server, which is in VLAN 30 with the CAM.


Re: CAS/CAM Out-of-Band Noob

One more time:

Here is the way I have it set up now and I have played with variations of this and I am not getting this to work. Please look over the diagram and see what the problem is.

Thank you very much,

Pedro

Just a reminder. I am trying to do an In-Band Virtual Gateway for VPN users.


Re: CAS/CAM Out-of-Band Noob

Hello,

Please verify the following:

1. Are you able to add the CAS to the CAM?

2. In the CAS, do you have the same IP for the trusted and untrusted interfaces?

3. In the CAS, do you have different management VLANs for the trusted and untrusted interfaces?

4. In the CAS, do you have L3 support enabled?

5. Did you map the management VLAN of the untrusted interface to the management VLAN of the trusted interface (under CCA Server > Advanced > VLAN Mapping)?

6. Did you create a filter for the ASA (under Device Management > Filters > Device > New with option "allow")?

7. I think you should add the ASA as a floating device as well.

8. Are the CAS and CAM on different subnets?

As for the switch ports, you should do VLAN pruning on the trunk ports: allow the untrusted management VLAN on the untrusted interface and the trusted management VLAN on the trusted interface.

And of course keep native VLANs. Make sure the native VLANs have NO layer 3 interface on the core. The untrusted management VLAN should NOT have a layer 3 interface on the core either.

Please let me know if it helps


Re: CAS/CAM Out-of-Band Noob

THANK YOU for answering my post. I was starting to think I was the only person to have ever tried this. Please look at my diagram in the last post. Now I will answer your questions:

>>1. Are you able to add CAS to CAM?<<

Yes. No problem there.

>>2. In CAS do you have the same IP for trusted and untrusted interface?<<

Yes. Please see attachments in this post.

>>3. In CAS do you have different management VLANs for trusted and untrusted interface?<<

This is what I don't understand. What is the Management VLAN compared to the Dummy VLAN compared to the Allowed VLAN compared to the Native VLAN??

>>4. In CAS do you have Enable for L3 support ? <<

Yes see attachments.

>>5. Did you map the management VLAN of the untrusted interface to the management VLAN of the trusted interface (under CCA Server > Advanced > VLAN Mapping)?<<

Same answer as number 3.

>>6. Did you create a filter for ASA (under Device Management > Filters > Device > New with option "allow")?<<

Yes, see attachments.

>>7. I think you should add ASA as well as a floating device.<<

Done. See attachments.

>>8. Are CAS and CAM on different subnets?<<

Yes, please see attachment from prior post.

As for the last thing you mentioned: how can I do a VLAN without a VLAN interface on the core??

As you can see my biggest problem is understanding the VLAN assignments for each interface.

Thank you ,, thank you ,,, thank you for your help!!

Pedro


Re: CAS/CAM Out-of-Band Noob

Please try the following settings:

ASA-to-2960 switch port:

switchport access vlan 30

On the core and access switch:

conf term
vlan 30

On the core:

conf term
vlan 30
vlan 702
interface vlan 702
 ip address 10.1.7.9 255.255.255.248
 no shut

For dummy VLANs (native VLANs), on the core:

conf term
vlan XY1 (Dummy 1)
vlan XY2 (Dummy 2)

For the untrusted interface:

switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30
switchport trunk native vlan XY1

For the trusted interface:

switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 702
switchport trunk native vlan XY2

Just VLAN 702 has a layer 3 interface: an interface VLAN with an IP address on the core.

You need of course a layer 3 interface for the CAM VLAN and other regular subnets.
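The checklist in the earlier reply (items 1 to 8 plus the trunk pruning and "no layer 3 interface" rules) and the port settings in the reply above amount to a small set of rules a switch config either satisfies or does not. In an in-band Virtual Gateway the CAS bridges the untrusted VLAN to the trusted one, so an SVI on the untrusted VLAN gives clients a routed path that never crosses the CAS; that is why the replies insist on it. The script below is an added example, not code from the thread or from Cisco: it parses running-config text for a core switch and the edge switch holding the CAS ports, and reports violations of those rules. The interface names, the choice of FastEthernet0/16 as the untrusted port, and the "before"/"after" configs are constructed to mirror the thread. The conflict in the last post (VLAN 30 is a routed production VLAN) is exactly what the untrusted-SVI check flags; the thread does not resolve it, and the audit only reports it.

```python
"""Audit IOS configs against the CAS Virtual Gateway VLAN rules from the thread.

Added example (not from the original posts). Rules: trusted and untrusted
management VLANs differ; only the trusted one has an SVI on the core; each CAS
trunk carries only its own management VLAN; both trunks use distinct unrouted
dummy native VLANs. Names and sample configs are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trunk: bool = False
    native: int | None = None
    allowed: set[int] = field(default_factory=set)


def vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '30,702' or '10-12,30'."""
    out: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(cfg: str) -> tuple[set[int], dict[str, Port]]:
    """Return (VLAN ids whose SVI carries an IP address, switch ports by name).

    Assumes running-config style text: 'interface ...' opens a block and '!' or
    a blank line closes it. 'allowed vlan add/remove' forms are not handled.
    """
    svis: set[int] = set()
    ports: dict[str, Port] = {}
    cur = None  # ("svi", vlan_id) or ("port", name) for the open block
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None
            continue
        m = re.match(r"interface\s+(?:vlan\s*(\d+)|(\S+))$", line, re.I)
        if m:
            if m.group(1):
                cur = ("svi", int(m.group(1)))
            else:
                cur = ("port", m.group(2))
                ports.setdefault(m.group(2), Port(m.group(2)))
            continue
        if cur is None:
            continue
        kind, ref = cur
        if kind == "svi" and line.startswith("ip address "):
            svis.add(ref)
        elif kind == "port":
            p = ports[ref]
            if line == "switchport mode trunk":
                p.trunk = True
            elif (n := re.match(r"switchport trunk native vlan (\d+)$", line)):
                p.native = int(n.group(1))
            elif (a := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)):
                p.allowed = vlan_list(a.group(1))
    return svis, ports


def audit(core_cfg: str, edge_cfg: str, trusted_if: str, untrusted_if: str,
          trusted_mgmt: int, untrusted_mgmt: int) -> list[str]:
    """Return rule violations; an empty list means the VLAN plan is consistent."""
    core_svis, _ = parse(core_cfg)
    _, ports = parse(edge_cfg)
    findings: list[str] = []
    if trusted_mgmt == untrusted_mgmt:
        findings.append("trusted and untrusted management VLANs must differ")
    if trusted_mgmt not in core_svis:
        findings.append(f"trusted mgmt VLAN {trusted_mgmt} has no SVI on the core; CAS unreachable")
    if untrusted_mgmt in core_svis:
        findings.append(f"untrusted mgmt VLAN {untrusted_mgmt} has an SVI on the core; clients can bypass the CAS")
    natives: list[int] = []
    for role, name, mgmt in (("trusted", trusted_if, trusted_mgmt),
                             ("untrusted", untrusted_if, untrusted_mgmt)):
        p = ports.get(name)
        if p is None:
            findings.append(f"{role} port {name} not found in edge config")
            continue
        if not p.trunk:
            findings.append(f"{role} port {name} is not a trunk")
        if p.native is None:
            findings.append(f"{role} port {name} has no dummy native VLAN")
        else:
            natives.append(p.native)
            if p.native in core_svis or p.native == mgmt or p.native in p.allowed:
                findings.append(f"{role} native VLAN {p.native} must be an unrouted dummy VLAN")
        if p.allowed != {mgmt}:
            findings.append(f"{role} port {name} allows {sorted(p.allowed)}; prune to [{mgmt}]")
    if len(natives) == 2 and natives[0] == natives[1]:
        findings.append("trusted and untrusted ports need two different dummy native VLANs")
    return findings


# Constructed configs: the thread's first attempt (SVI on untrusted VLAN 30,
# trusted trunk carrying 30 and 702) and the plan the replies describe.
CORE_BEFORE = "vlan 30\nvlan 702\ninterface vlan 30\n ip address 10.1.7.9 255.255.255.248\n!\n"
CORE_AFTER = "vlan 30\nvlan 702\ninterface vlan 702\n ip address 10.1.7.9 255.255.255.248\n!\n"
EDGE_BEFORE = """\
interface FastEthernet0/15
 description eth0(trusted) on Clean Access Server
 switchport trunk native vlan 997
 switchport trunk allowed vlan 30,702
 switchport mode trunk
!
interface FastEthernet0/16
 description eth1(untrusted) on Clean Access Server (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 30
 switchport trunk native vlan 998
!
"""
EDGE_AFTER = EDGE_BEFORE.replace("allowed vlan 30,702", "allowed vlan 702")

if __name__ == "__main__":
    for label, core, edge in (("before", CORE_BEFORE, EDGE_BEFORE), ("after", CORE_AFTER, EDGE_AFTER)):
        print(label, audit(core, edge, "FastEthernet0/15", "FastEthernet0/16", 702, 30) or ["OK"])
```

Running it prints three findings for the "before" pair (no SVI for 702, an SVI for 30, and the trusted trunk carrying 30) and "OK" for the "after" pair. Paste your own `show running-config` output into the two strings to check a real plan before rebooting the CAS.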


Re: CAS/CAM Out-of-Band Noob

Hi there once again. I am getting closer... I think. I have attached the latest configs.

I am assuming the management VLAN is the same as its IP subnet. So in my case, the management VLAN for the trusted interface is 702, and the management VLAN for the untrusted is 30.

1. Do I assume correctly?

You said that the untrusted management VLAN cannot have a VLAN interface. It does. VLAN 30 has an interface of 10.1.7.9/29.

2. How do I fix this? This is a production VLAN and I don't want to mess anything up. Everything else I can change since it's only a test setup.

You say I need to create the dummy VLANs on the core router. In my case I assume that is the 4507.

3. Do I assume correctly?

I appreciate this help very much,

Pedro


Re: CAS/CAM Out-of-Band Noob

Hello,

You just need to allow VLAN 702 on the trusted CAS port.

10.1.7.9 should be the IP of VLAN 702, not VLAN 30, since you have 702 on the trusted side.

To remove interface VLAN 30:

conf term
no interface vlan 30

then

interface vlan 702
 ip address (the same address you removed from interface vlan 30, I'm assuming)


Re: CAS/CAM Out-of-Band Noob

Hi,

Please have a look at this latest setup:

http://www.flickr.com/photos/31154535@N07/3789143167/sizes/o/

As you can see in the diagram, I cannot remove VLAN 30 from the core switch. It is in production as an authentication VLAN. That's the VLAN where the RADIUS server lives.

This makes me wonder how I am going to get this working if the untrusted VLAN of the CAS cannot have a VLAN interface anywhere in the network.

Confused,

Pete
