I have set up a lab with an OOB VGW setup. I have set up an authentication VLAN on the untrust interface of my CAS on VLAN 120, which is mapped to internal production VLAN 20 when assessment is done. So far everything works fine except the default GW.
I have a DHCP server that gives the following IP while I'm on VLAN 120 (authentication VLAN on the untrust CAS port):
In VGW mode, I had to create a "Managed Subnet" IP address on the CAS, which is what I did. I've put 10.100.20.1 for VLAN 120. Is this correct? Anyway, this is the only way I could figure out that I can send traffic across the CAS so my Cisco Clean Access agent could trigger.
My problem now is that on my internal network MSFC router I also have IP 10.100.20.1 used as a DG. So in authentication mode my laptop's ARP entry has the MAC of the CAS for the 10.100.20.1 IP address. I then authenticate and I'm bounced and switched to the prod VLAN 20, but my laptop still has the ARP entry for the CAS and not my MSFC. Has anyone had this problem? Please send me info on how you fixed it.
Maybe I'm wrong about the "Managed Subnet" IP I've put on VLAN 120, but then how can my CAS see traffic from my laptop if the DG is different while I'm in authentication mode (VLAN 120)?
I am setting up OOB VGW right now as well. You need to use another IP address from this subnet. Ideally, exclude an IP from the DHCP range (to avoid any potential conflict) and assign it to the managed subnet. Got mine to work nicely.
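As an added example (not from either poster), the two checks behind the reply above: a validator for a proposed "Managed Subnet" IP on the authentication VLAN, and a parser that flags the symptom from the question, a laptop ARP cache that still maps the default gateway to the CAS MAC after the OOB VLAN switch. The subnet, gateway, DHCP scope, MAC addresses and ARP lines are constructed lab values, not taken from the thread.

```python
import ipaddress
import re

# Constructed lab values (assumptions): authentication VLAN subnet,
# the MSFC default gateway, and the DHCP scope handed out on VLAN 120.
AUTH_SUBNET = ipaddress.ip_network("10.100.20.0/24")
GATEWAY = ipaddress.ip_address("10.100.20.1")
DHCP_RANGE = (ipaddress.ip_address("10.100.20.50"),
              ipaddress.ip_address("10.100.20.200"))


def managed_subnet_ip_ok(candidate):
    """Return (ok, reason) for a proposed CAS 'Managed Subnet' IP.

    The IP must live in the authentication subnet, must not reuse the
    default gateway (otherwise clients keep the CAS MAC cached for that
    IP after the VLAN switch), and must sit outside the DHCP scope so
    the DHCP server cannot lease the same address to a client.
    """
    ip = ipaddress.ip_address(candidate)
    if ip not in AUTH_SUBNET:
        return False, f"{ip} is not in {AUTH_SUBNET}"
    if ip == GATEWAY:
        return False, f"{ip} duplicates the MSFC default gateway"
    if DHCP_RANGE[0] <= ip <= DHCP_RANGE[1]:
        return False, f"{ip} is inside the DHCP scope {DHCP_RANGE[0]}-{DHCP_RANGE[1]}"
    return True, "ok"


# Matches 'arp -a' style lines such as "? (10.100.20.1) at 00:11:22:33:44:55 on en0".
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def stale_gateway_entries(arp_output, cas_mac):
    """Return gateway IPs whose cached MAC is still the CAS MAC.

    A non-empty result after the move to the production VLAN means the
    client is sending gateway traffic to the CAS, not the MSFC.
    """
    stale = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and ipaddress.ip_address(m["ip"]) == GATEWAY \
                and m["mac"].lower() == cas_mac.lower():
            stale.append(m["ip"])
    return stale


# Constructed sample: the laptop's ARP cache right after being moved to VLAN 20.
SAMPLE_ARP = """? (10.100.20.1) at 00:11:22:33:44:55 on en0 ifscope [ethernet]
? (10.100.20.77) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]"""

if __name__ == "__main__":
    print(managed_subnet_ip_ok("10.100.20.1"))   # rejected: gateway clash
    print(managed_subnet_ip_ok("10.100.20.2"))   # accepted
    print(stale_gateway_entries(SAMPLE_ARP, "00:11:22:33:44:55"))
```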