CISCO NAC deployment with ASA for internal servers (DMZ)

We deployed a Cisco ASA for our clients' access to DMZ servers a few months ago. Now we want to integrate the Cisco NAC solution without removing the ASA
from the infrastructure. What will be the best deployment mode for Cisco NAC so that clients can also pass through the Cisco ASA access list for filtering before reaching the DMZ servers?
What gateway will the clients use? Please help.
Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.

Hello,
This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
HTH,
Faisal

Similar Messages

  • DNS for internal servers

    Okay, this should be simple, and maybe I'm just missing something.
    I've recently had to move from a 10.3.9 server to a 10.4.10 server. We have 2 servers in-house, the main one that runs DHCP/DNS/Mail, and a second one which does file service.
    Reference info:
    File Server - 192.168.2.105
    Mail Server - 192.168.2.99
    The mail server is handing out DHCP, with the following DNS entries:
    1st - 192.168.2.99
    2nd - 151.164.8.201
    3rd - 151.164.1.8
    The mail server had DNS turned up and has 1 primary zone: mail.kccompany.org at 192.168.2.99
    Under that it has 3 machines setup under that zone:
    fs - 192.168.2.105
    mail - 192.168.2.99
    www - 64.207.xxx.xxx
    Now, here's my problem: When my users try to lookup mail.kccompany.org, they get the external 216.xxx.xxx.xxx address, and not the internal 192.168.2.99 address. I have some mobile users who would like to use and access email from home. I have SMTP authentication working, but when they're inside the network, mail.kccompany.org doesn't translate to the internal address like it should. Am I missing something?
    DHCP leases are set for 8 hours. I have been working on this for a week, so they should have updated info. And doing a lookupd -flushdns doesn't seem to affect the issue.
    Any help would be greatly appreciated! Thanks.
    PowerBook G4 17   Mac OS X (10.4.10)   1.5G RAM

    As requested:
    // Include keys file
    include "/etc/rndc.key";
    // Declares control channels to be used by the rndc utility.
    // It is recommended that 127.0.0.1 be the only address used.
    // This also allows non-privileged users on the local host to manage
    // your name server.
    // Default controls
    controls {
        inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
    };
    options {
        directory "/var/named";
        recursion false;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        // # Adding this...
        forwarders {
            151.164.8.201;
            151.164.1.8;
        };
        forward first;
        // # to here..
    };
    // a caching only nameserver config
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
    };
    // Slave zone as posted: the zone name and the master address did not survive in the post
    zone "" IN {
        type slave;
        file ".bak";
        masters { };
    };
    zone "kccompany.org" IN {
        type master;
        file "kccompany.org.zone";
    };
    zone "200.168.192.in-addr.arpa" IN {
        type master;
        file "db.192.168.200";
    };
    zone "xxx.207.64.in-addr.arpa" IN {
        type master;
        file "db.64.207.xxx";
    };
    logging {
        // the channel must be defined before the category that references it
        channel defaultlog {
            file "/Library/Logs/named.log";
            severity info;
            print-time yes;
        };
        category default { defaultlog; };
    };

  • Cisco ISE deployment with HP Switches

    Is there any compatibility matrix of Cisco ISE with HP access switches, or is there any feature restriction on the HP access layer? The HP switches do support 802.1x.
    Thanks
    Qasim

    Qasim,
    The only compatibility with network access devices is all related to Cisco gear. It would be best to stick with a fully supported solution for the sake of support. In my opinion this will be a nightmare to manage if an issue were to occur.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ACE 4710 - Health Monitoring for Real Servers

    Hi,
    I have set up the following health probe to check for the existence of a specific web page. My intention is that when the web page is removed, the health check fails and the rserver status changes to 'out of service'. Unfortunately, when I remove the web page, I see the health check fail and the rserver state change to 'PROBE-FAILED'; however, the rserver does not go 'out of service' and continues to respond to requests.
    Can anyone see where I'm going wrong?
    Health check probe config
    probe http live_http_int
      interval 15
      passdetect interval 60
      request method get url /loadbalancer/internal.html
      expect status 199 201
      open 10
    RSERVER config
    rserver host Server1
      description Server1
      ip address 10.10.10.1
      conn-limit max 4000000 min 4000000
      probe live_http_int
      inservice
    rserver host Server2
      ip address 10.10.10.2
      conn-limit max 4000000 min 4000000
      probe live_http_int
      inservice

    Hi syannetwork,
    I think you have to "force" the failed server to close the connection when it has failed. Otherwise it will still serve the available HTML pages.
    Have a look at the "Configuring the ACE Action when a Server Fails" in the "Cisco Application Control Engine Module Server Load-Balancing Configuration Guide" and let me know if the following command helped:
    conf t
    serverfarm host ServerFarm
    failaction purge
    Have a good WE.
    Cheers
    LPL

  • Cisco WAAS Deployment with Allot Netenforcer

    Hi,
    While deploying Cisco WAAS in inline mode with Allot, I am facing interface issues.
    The setup is like router-->cisco waas-->allot-->l2 switch.
    Can you please help.
    Regards
    Ravi

    Hi Ravi,
    I've had interface issues with inline cards whenever there's a speed difference, i.e. 100M vs 1G, etc., with the LAN/WAN endpoints. I'm not sure what type of interfaces your Netenforcer uses, but the following link may be helpful.
    http://conft.com/en/US/docs/app_ntwk_services/waas/wae/module/inline/installation/guide/17880fru.html#wp39911
    You may need a crossover cable somewhere inline.
    Hope this helps.

  • Cisco NAC deployment without Internet in infrastructure

    My infrastructure doesn't have internet and has no chance of getting it in future either, due to security restrictions. Can I deploy NAC without internet in my infrastructure? We have a Symantec Central AV Server (updated manually after downloading definitions from a different infrastructure that has internet) and clients are updated from this server.
    In NAC I can not see the vendor list of AV. How do I do all this?
    Thanks
    SRashid

    If the APs are outside the freezer and the antennas are inside, then it should be fine.

  • Error with GPOs on Cisco NAC

    I have Cisco NAC deployed inband; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC inband, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas...?

    I think the ports list in the CAS Manual is not complete. Try this list of ports from the CAM Manual chapter: User Management: Traffic Control, Bandwidth, Schedule
    Allow TCP *:* Server/255.255.255.255: 88
    Allow UDP *:* Server/255.255.255.255: 88
    Allow TCP *:* Server/255.255.255.255: 389
    Allow UDP *:* Server/255.255.255.255: 389
    Allow TCP *:* Server/255.255.255.255: 445
    Allow UDP *:* Server/255.255.255.255: 445
    Allow TCP *:* Server/255.255.255.255: 135
    Allow UDP *:* Server/255.255.255.255: 135
    Allow TCP *:* Server/255.255.255.255: 3268
    Allow UDP *:* Server/255.255.255.255: 3268
    Allow TCP *:* Server/255.255.255.255: 139
    Allow TCP *:* Server/255.255.255.255: 1025

  • Question about cisco nac agent

    When I deploy Cisco NAC appliance, what is the main difference between using Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If Cisco NAC appliance is used without the agent, the Cisco NAC server will scan the device and do remediation. Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • NAC Agent only prompts for username and login on wireless

    Another question for the smart people of the world.
    I have had a couple of laptops where the Cisco NAC agent will prompt for a password and verify the computer via the wireless network, but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesn't seem to register that the NAC agent is installed and working even though it is.
    Any thoughts?
    Thanks

    Hi Jonathan,
    The NAC agent communicates with the CAS using the SWISS protocol. This protocol uses port 8095 for devices L2 adjacent to the CAS and port 8096 for devices L3 adjacent to the CAS. Have you checked if these ports are allowed through to the CAS for the wired clients? Do check whether the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analyze them and let you know where the process is failing.
    Do let me know if this helps.
    Regards,
    Som

  • Windows 7 deployment with unwanted updates

    Hello! I have been deploying with MDT for some time now. My method is to fully update my golden image and then run a TS to capture it. When I deploy that WIM in a new TS everything works and comes out fully activated with all post-installed applications/configurations.
    One issue I do have is that we administer the updates for our clients. They are not able to change any settings for Windows Updates. I have set the "protectmypc" parameter in the answer file to 3 to disable the updates but am still getting updates in the queue. Since Group Policy disables settings for the updates, they cannot be removed. Where in the process do these updates get checked for, and how do I stop this from happening? My TS does not allow this due to the post task being disabled. Someone has to know what is going on. Regards,
    Joseph N. Sunderman | IT Professional

    Hi,
    How did you write the tab? It should be like this below instead of "protectmypc".
    <OOBE>
       <HideEULAPage>true</HideEULAPage>
       <NetworkLocation>Other</NetworkLocation>
       <ProtectYourPC>3</ProtectYourPC>
       <SkipMachineOOBE>true</SkipMachineOOBE>
       <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    In addition, If you use group policy to achieve this, follow this:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0a46b8ac-0b16-4b87-a881-260c8d5609f7/disabling-windows-update-via-group-policy
    Karen Hu
    TechNet Community Support

  • Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

    OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site-to-site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
    What would be the best practice for setting up the local network on my side? Create the network on the ASA and then use an L2 VLAN to connect to the core switch?
    Set up an L3 interface on the core switch and point it towards the Checkpoint gateway, which would then point to the ASA?
    When you have to select your local network through the site-to-site wizard, do you have to put in the inside network address of the ASA?
    Our network is set up like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
    The ASA is connected to a Checkpoint sub-interface.
    Any help would be beneficial as I'm new to Cisco ASAs.
    Thanks
    Mark

    Mark
    If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use an L2 VLAN. But as I think a bit more, my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network, then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site-to-site VPN?
    HTH
    Rick

  • NAC 4.9 CAS inband with ASA 8.6

    We are working on a new deployment. The user logs in, the agent pops, and posture assessment happens. The screen for posture assessment closes on the test laptop. It acts like all is working. When we look at the inband user it shows as not having transitioned from the auth to the access VLAN. This is a simple install and the VLAN mapping is definitely there. Ideas?

    Steve,
    Here is a configuration guide for the ASA to CAS; it's not the latest and greatest, but this should work:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    When referring to L2 and L3 adjacent, this is different with respect to VGW and RIP.
    L2 and L3 refer to how the clients are positioned with respect to the CAS (not the CAM): are they being routed to the CAS untrusted interface, or are they available on a VLAN that the CAS can be a part of?
    VGW and RIP refer to the operation of the CAS. This is similar to the operation of the ASA when it comes to transparent vs routed mode (you can use both on the same CAS): VGW bridges the two networks together, and RIP routes the traffic and requires static routing, since the CAS does not support dynamic routing protocols.
    You can use VGW by setting the group policy to route all tunneled traffic to an IP that is present on the trusted side of the CAS; also, you can use the vlan attribute in the group-policy configuration to assign the remote users to a VLAN, which forces their traffic to flow through the CAS.
    http://cisconac.blogspot.com/2007/07/vpn-deployments-with-asa-80.html
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Cisco NAC with VPN Concentrators

    Looking at the deployment guidelines for NAC integration with VPN Concentrators:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    Is it possible to define traffic which is exempt from NAC enforcement, for example traffic associated for LAN-to-LAN VPNs?

    NAC enforcement does not work per traffic type. The following links may help you:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_addSrv.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html

  • Does Cisco NAC support for HP Switches

    Dear all,
    The existing network has HP switches; is there any way I can deploy the Cisco NAC solution here?
    Please revert.
    thanks ,

    Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand "Cisco NAC" and are able to configure it for the first time, you will be able to support it without the need of TAC.
    The idea is that Cisco NAC sends commands to the switches on the network to apply specific access lists or VLAN changes; since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is that you would have the NAC running in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC will then look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destination.
    Please do your research and look at other NAC solutions before you decide the best vendor to go with.
