NAC Questions

We have 2 CASs that should be configured with HA; they are located in the WAN zone of the FWSM. There is a static NAT, i.e.

static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255

where 10.0.0.1 is the IP of the CAM and the CAS has 20.0.0.1.

I have read that if the CAS and CAM are across the firewall then the CAM will not add the CAS as an HA unit. The natting is shown above.

4 REPLIES

Re: NAC Questions

Talha,

That is correct. HA with NAT'd CASs isn't supported.

HTH,

Faisal


Re: NAC Questions

Thanks Faisal,

So should I conclude that in my scenario it is not possible for me to configure CAS in HA?

Re: NAC Questions

If there's NAT in the picture, then yes, this won't work. If you can somehow remove the NAT and route between the CAS and CAM, then it should be fine.

[Edit] I just looked at the NAT closely and apologize for giving you the wrong information. The only scenario when NAT breaks things is when the IP addresses are different when you're NAT'ing (e.g. 10.x being NAT'ed to 192.168.x when reaching the CAM etc.).

In this scenario where the NAT and the actual IP are the same it should work. You'll just have to ensure that the required traffic flow is open between the devices.

HTH,

Faisal


Re: NAC Questions

Dear Faisal,

The natting is a must as both the interfaces are of different security levels with inside and WAN as 100 and 70 respectively.

But the reason I am asking is that the NAT command is not changing the IP address in my case, as the translated IP is the same as the original IP.

static (inside,WAN) 10.0.0.1 10.0.0.1

But I have read the doc, and it talks about translated and original IP in general and there are no general details.
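
The distinction drawn in this thread (a static whose mapped and real addresses are identical versus one that changes the address the CAM or CAS is seen as) can be checked mechanically. The Python script below is an added example, not part of the original thread and not Cisco code; the function names, the second sample `static` line and the treatment of a missing `netmask` as a host entry are assumptions.

```python
import ipaddress
import re

# FWSM/PIX form: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(\d+\.\d+\.\d+\.\d+))?"
)

def translate(line, host):
    """Return the address `host` is seen as after this static, or None if it does not apply."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mapped, real = m.group(3), m.group(4)
    # Simplifying assumption: no netmask keyword means a single-host entry.
    mask = m.group(5) or "255.255.255.255"
    real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
    host_ip = ipaddress.ip_address(host)
    if host_ip not in real_net:
        return None
    # Network statics map address-for-address, so keep the host offset.
    offset = int(host_ip) - int(real_net.network_address)
    mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
    return str(mapped_net.network_address + offset)

def audit(config, hosts):
    """Map each host to (status, translated address) using the first matching static."""
    result = {}
    for host in hosts:
        result[host] = ("no-static", None)
        for line in config.splitlines():
            seen_as = translate(line, host)
            if seen_as is not None:
                status = "identity" if seen_as == host else "address-changed"
                result[host] = (status, seen_as)
                break
    return result

# Constructed sample: the first line is the static from the thread, the second is invented.
SAMPLE = """\
static (inside,WAN) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,WAN) 192.168.50.0 10.0.50.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    hosts = ["10.0.0.1", "10.0.50.7", "20.0.0.1"]
    for host, (status, seen_as) in audit(SAMPLE, hosts).items():
        print(f"{host:12} {status:16} {seen_as or '-'}")
```

A host reported as `address-changed` is the case the answer describes as breaking CAS/CAM communication; `identity` matches the poster's configuration, where only the permitted traffic flow remains to be verified.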
