Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAC implementation


Could I have some help in placing CAS and CAM servers in my existing topology :).

Indeed I want to verify the conformity of Remote users(Connected Via VPN) to my inside servers by NAC, but I have some difficult in placing them.

Is it possible to configure the CAS in VGW mode?

please view the topology in attachement.



Re: NAC implementation

is there a network (with servers or PC's) that sits between the front and back firewalls? I don't often see designs like this with back to back firewalls.

What type of vpn/fw device sits closest to your ISP router?

you will have to configure the CAS in an in-band mode, either L3 or VGW.

Community Member

Re: NAC implementation

1/The FW that is closest to the ISP router is an ASA5550.the back FW is a fortinet.

The front FW is used as a VPN server, and there is a 2 DMZ, one for AAA Server, AD, CA Server. and the other is for Web servers.

The back firewall is used to protect mission critical servers, and other networks connected to it.

2/The network that I want to protect using NAC is a set of servers that will be accessed by VPN users.

Where should I place the CAM and CAS servers.


Re: NAC implementation

Hello Ismail,

The Auth DMZ looks like a suitable zone to place NAM.

Couple of questions, Im no pro in Fortinet, can you do source routing with it? Is the inside switch a L3 switch?


Community Member

Re: NAC implementation

the inside switch is a catalyst 3560, it supports L3.

so for the CAS , where I can place it? Can I configure it as Virtual gateway?


CreatePlease to create content