I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
You can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
Hello, I want to deploy NAC for VPN users, but I have some questions about implementing because I want to put the CAS between the router and an ASA, but I want to pass through the CAS only VPN traffic, not the Internet that I do , In case I need to connect a second interface of the ASA to the CAS, some form today and if so I recommend making.
Hello, I would like you to tell me why you think the implementation in real mode IP is better, and in what form this can benefit me, because through the CAS would pass all network traffic to the Internet and I need to just pass the VPN traffic, you'll be very grateful for your response
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :