Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

Cisco Clean Access installation question

Hello everyone. I have CAS and CAM setup. I would like to use the virtual gateway mode in order to check user connecting through a vpn concentrator. My questions is this. On the CAS, the trusted and managed ip addresses must be on different subnets. No problem. I am reading that the CAS must also be on a different subnet than the CAM. If this is the case, how will the cas be able to talk to the cam. Network config is the public concentrator port directly to dmz on the pix. The private port is connected directly to our lan switch. I would like to plug both cas interfaces into this same switch. I would also like to plug the cam into the same switch. Is this possible. If not, what would I need to do in terms of connections. Do the cam and cas have to be separated by a L3 device? Any help would be greatly appreciated. Going nuts playing with this, when it should be a pretty simple process. I'm missing something here.

  • Other Security Subjects

Re: Cisco Clean Access installation question

This quick start guide is a brief introduction to the major features of the Cisco Clean Access Manager (CAM), Clean Access Server (CAS), web administration console, and Clean Access Agent using local authentication. It is intended to illustrate the minimum steps required to install and configure the CAM and CAS in order to test as Clean Access Agent client on the system. For comprehensive information, including details on configuring network scanning plugins and external authentication servers, refer to the Cisco Clean Access Manager Installation and Administration Guide and Cisco Clean Access Server Installation and Administration Guide, available from

Note that the software installation procedure for the Clean Access Server is the same whether the CAS is in-band (IB) or out-of-band (OOB).

Re: Cisco Clean Access installation question

In Virtual Gateway deployment, the Clean Access Server operates as a standard Ethernet bridge and is typically used when the untrusted network already has a gateway and you do not wish to alter the existing configuration.

In VGW mode:

• The trusted (eth0) and untrusted interfaces (eth1) of the CAS can use the same IP address.

• The CAM and CAS must be on different VLANs.

• The CAS should be configured for DHCP forwarding.

• Make sure you configure managed subnets for the CAS.

Connectivity between CAM and CAS through a firewall: for release 3.5(x)+, TCP ports 80, 443, 1099, and 32768-61000 (usually 32768-32999 are sufficient) are required.

All this is from the CAM 3.6 manual.

So put the CAM on the inside and the CAS in the DMZ, then open the ports listed above.