Hello everyone. I have CAS and CAM set up. I would like to use the virtual gateway mode in order to check users connecting through a VPN concentrator. My question is this. On the CAS, the trusted and managed IP addresses must be on different subnets. No problem. I am reading that the CAS must also be on a different subnet than the CAM. If this is the case, how will the CAS be able to talk to the CAM? Network config is the public concentrator port directly to the DMZ on the PIX. The private port is connected directly to our LAN switch. I would like to plug both CAS interfaces into this same switch. I would also like to plug the CAM into the same switch. Is this possible? If not, what would I need to do in terms of connections? Do the CAM and CAS have to be separated by an L3 device? Any help would be greatly appreciated. Going nuts playing with this, when it should be a pretty simple process. I'm missing something here.
This quick start guide is a brief introduction to the major features of the Cisco Clean Access Manager (CAM), Clean Access Server (CAS), web administration console, and Clean Access Agent using local authentication. It is intended to illustrate the minimum steps required to install and configure the CAM and CAS in order to test a Clean Access Agent client on the system. For comprehensive information, including details on configuring network scanning plugins and external authentication servers, refer to the Cisco Clean Access Manager Installation and Administration Guide and Cisco Clean Access Server Installation and Administration Guide, available from http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca35/index.htm
Note that the software installation procedure for the Clean Access Server is the same whether the CAS is in-band (IB) or out-of-band (OOB).
In Virtual Gateway deployment, the Clean Access Server operates as a standard Ethernet bridge and is typically used when the untrusted network already has a gateway and you do not wish to alter the existing configuration.
In VGW mode:
The trusted (eth0) and untrusted interfaces (eth1) of the CAS can use the same IP address.
The CAM and CAS must be on different VLANs.
The CAS should be configured for DHCP forwarding.
Make sure you configure managed subnets for the CAS.
Connectivity between CAM and CAS through a firewall: for release 3.5(x)+, TCP ports 80, 443, 1099, and 32768-61000 (usually 32768-32999 are sufficient) are required.
All this is from the CAM 3.6 manual.
So put the CAM on the inside and the CAS in the DMZ, then open the ports listed above.
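As an added example (not from the thread or from Cisco's documentation) of what "open the ports listed above" looks like on the PIX mentioned in the question, here is a PIX 7.x / ASA style access list for the DMZ interface. It allows only the CAS in the DMZ to reach the CAM on the inside, on exactly the TCP ports the CAM 3.6 manual lists, and logs everything else. The interface names and the addresses 192.0.2.10 (CAS) and 198.51.100.20 (CAM) are placeholders I made up for the example; the narrower 32768-32999 range is the one the manual says is usually sufficient, so widen it to 32768-61000 only if the CAM/CAS connection fails with it.

```cisco
! Added example, not from the thread. Placeholder addresses (assumed):
!   CAS trusted interface on the dmz   : 192.0.2.10
!   CAM on the inside                  : 198.51.100.20
! Ports come from the CAM 3.6 manual quoted above (TCP 80, 443, 1099, 32768-32999).
object-group service CCA-CAM-CAS tcp
 description Clean Access Manager <-> Clean Access Server control traffic
 port-object eq 80
 port-object eq 443
 port-object eq 1099
 port-object range 32768 32999
!
! Only the CAS may initiate to the CAM, and only on those ports.
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 198.51.100.20 object-group CCA-CAM-CAS
! Everything else from the DMZ toward the inside is dropped and logged,
! so a compromised DMZ host cannot reach other inside systems.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Inside-to-DMZ traffic (the CAM initiating toward the CAS) is allowed by the default higher-to-lower security level behaviour, so no matching rule is needed on the inside interface unless you already filter that direction; in that case add the mirror-image permit for the CAM reaching the CAS on the same port group. Verify the result with `show access-list DMZ_IN` and watch the hit counts on the permit line while the CAM adds the CAS.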