I have a Cisco 5520 firewall pair that is being used as a VPN gateway (for remote VPN users) and as an Internet Edge firewall (to provide outbound internet connectivity).
We are enabling NAC for remote VPN users. I will be deploying it inband with layer 3 enabled.
The problem in this design is: how do we ensure that outbound internet traffic does not go through the CAS?
I have heard of a couple of options:
- PBR ( to route only IP subnet of remote VPN users to go through CAS)
- Version 8.x feature of ASA (Restrict access to VLAN under group-policy).
I am planning to do it using the ASA firewall, where I can define a new subinterface on the ASA (with a new VLAN tag) and, under the group-policy for remote VPN users, select the option for "restrict access to the new VLAN".
My question is: does this still work (even if the firewall has a route for the internal network using the "inside" interface and NOT the new NAC interface)? If this doesn't work, please let me know what the other options are for this type of deployment.
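For reference, this is an added example (not configuration from the original poster) of how the plan described above is expressed in ASA 8.x CLI: an 802.1Q subinterface carrying the NAC-facing VLAN, and a group-policy for the remote-access users that uses the `vlan` keyword (the "Restrict access to VLAN" option in ASDM). The physical port, VLAN ID 100, IP addressing, pool and policy/tunnel-group names are all assumptions; whether the ASA's route to the internal network via "inside" interferes with this is exactly the question asked above and is not settled by the fragment.

```cisco
! Added example, not the poster's configuration. Interface, VLAN ID,
! addresses and object names below are assumptions for illustration.

! Subinterface towards the NAC appliance (CAS); VLAN tag 100 is assumed.
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 security-level 100
 ip address 10.200.0.1 255.255.255.0

! Address pool handed to remote VPN users (assumed addressing).
ip local pool RA-POOL 10.100.0.10-10.100.0.250 mask 255.255.255.0

! Group-policy for remote VPN users. "vlan 100" is the CLI form of
! "Restrict access to VLAN": sessions using this policy are confined
! to VLAN 100, i.e. the nac subinterface, rather than following the
! ASA routing table towards inside.
group-policy RA-NAC-GP internal
group-policy RA-NAC-GP attributes
 vlan 100
 address-pools value RA-POOL

! Tunnel-group that hands remote-access sessions the policy above.
tunnel-group RA-NAC type remote-access
tunnel-group RA-NAC general-attributes
 default-group-policy RA-NAC-GP
```

The `vlan` attribute applies only to VPN sessions that land on this group-policy; traffic from the "inside" interface going out to the internet is unaffected by it, which is why it is listed above as an alternative to PBR for keeping non-VPN traffic away from the CAS.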