NAC Questions

talha_490
Level 1

We have 2 CASs that should be configured with HA; they are located in the WAN zone of the FWSM. There is a static NAT, meaning:

static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

where 10.0.0.1 is the IP of the CAM and the CAS has 20.0.0.1.

I have read that if the CAS and CAM are across the firewall then the CAM will not add the CAS as an HA unit. The NAT'ing is as shown above.


Faisal Sehbai
Level 7

Talha,

That is correct. HA with NAT'd CASs isn't supported.

HTH,

Faisal

Thanks Faisal,

So should I conclude that in my scenario it is not possible for me to configure CAS in HA?

If there's NAT in the picture, then yes, this won't work. If you can somehow remove the NAT and route between the CAS and CAM, then it should be fine.

[Edit] I just looked at the NAT closely and apologize for giving you the wrong information. The only scenario when NAT breaks things is when the IP addresses are different when you're NAT'ing (e.g. 10.x being NAT'ed to 192.168.x when reaching the CAM, etc.).

In this scenario where the NAT and the actual IP are the same it should work. You'll just have to ensure that the required traffic flow is open between the devices.

HTH,

Faisal

Dear Faisal,

The natting is a must as both the interfaces are of different security levels with inside and WAN as 100 and 70 respectively.

But why I am asking is because the NAT command is not changing the IP address in my case, as the translated IP is the same as the original IP.

static (inside,WAN) 10.0.0.1 10.0.0.1

But I have read the doc, as it talks about translated and original IP in general and there are no general details.
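Added example, not part of the original thread and not Cisco tooling: a small Python check that reads FWSM `static (real_if,mapped_if) mapped real [netmask mask]` lines and reports which address a host presents on the other side, so identity statics like the one in this thread can be told apart from statics that really rewrite the address. The second sample line is constructed from the 10.x to 192.168.x case mentioned above, and treating a missing netmask as a host entry is an assumption.

```python
import ipaddress
import re

# Plain IP form only; policy statics, "interface" and port redirection are not parsed.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)

def classify_static(line):
    """Parse one static line; return None if it is not the plain IP form."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mask = m.group("mask") or "255.255.255.255"  # assumption: no netmask = host entry
    real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
    mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
    return {
        "real_if": m.group("real_if"),
        "mapped_if": m.group("mapped_if"),
        "real": real,
        "mapped": mapped,
        "identity": real == mapped,  # True when the NAT leaves addresses unchanged
    }

def address_seen_across(lines, real_if, mapped_if, host):
    """Address that `host` (behind real_if) presents on mapped_if, or None if no static covers it."""
    ip = ipaddress.ip_address(host)
    for line in lines:
        entry = classify_static(line)
        if (entry and entry["real_if"] == real_if
                and entry["mapped_if"] == mapped_if and ip in entry["real"]):
            offset = int(ip) - int(entry["real"].network_address)
            return ipaddress.ip_address(int(entry["mapped"].network_address) + offset)
    return None

SAMPLE_CONFIG = [
    "static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255",   # from the thread
    "static (inside,WAN) 192.168.5.0 10.5.0.0 netmask 255.255.255.0",  # constructed
]

if __name__ == "__main__":
    for host in ("10.0.0.1", "10.5.0.7"):
        seen = address_seen_across(SAMPLE_CONFIG, "inside", "WAN", host)
        state = "unchanged" if str(seen) == host else "translated"
        print(f"{host} appears on WAN as {seen} ({state})")
```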
