My concern with the tunneled keyword is that we terminate several l2l
tunnels on the same appliance.  If I use the tunneled keyword, would that
route all tunneled traffic from both my remote access vpn users and my l2l
connections?  Or would that apply to only remote access users?

Thanks for your help!

Lane

On Wed, Feb 25, 2009 at 10:59 AM, Jim Thomas <[email protected]> wrote:

> So usually in this environment when the vpn terminates the traffic will
> follow the routing table to get to the inside, which usually bypasses the
> NAS. In order to get VPN traffic routing through the DMZ to get to the
> inside (basically ignoring the standard routing table) you can use the
> “tunneled” option at the end of the static routes in the ASA. Here is a link
> explaining the VPN gateway option:
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html
>
> Jim
>
> Jim Thomas
> Area Networks, Inc.
> CCIE Security #16674
> CCSP, CCNP, CCDP
> [email protected]
> Office: 650-242-8050
> Cell: 916-342-2265
>
> *From:* Cisco Clean Access Users and Administrators [mailto:
> [email protected]] *On Behalf Of *Lane Clark
> *Sent:* Wednesday, February 25, 2009 9:16 AM
> *To:* [email protected]
> *Subject:* Re: Remote users and NAC
>
> The asa is providing both.
>
> On Wed, Feb 25, 2009 at 9:51 AM, Jim Thomas <[email protected]>
> wrote:
>
> Is the ASA providing firewall services to the internal network as well or
> just VPN services to these remote users?
>
> Thanks
>
> Jim
>
> *From:* Cisco Clean Access Users and Administrators [mailto:
> [email protected]] *On Behalf Of *Lane Clark
> *Sent:* Wednesday, February 25, 2009 8:32 AM
> *To:* [email protected]
> *Subject:* Remote users and NAC
>
> I am trying to deploy NAC for my vpn users.  I am trying to land the vpn
> users in a dmz off of my asa and then run them through an inline nac
> appliance.  Has anybody done this successfully?  How are all of you
> deploying nac for remote users?  Any help would be appreciated; we are
> pretty frustrated at this point.  This shows what we are trying to
> accomplish.
>
> Remote Users ---  ASA  ---- DMZ  ---- Untrusted Interface ---- CAS   ----
> Trusted Interface  ---- Internal Network
>
> Thanks for any help.
>
> Lane
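An added example of the static routes Jim describes for the topology in Lane's diagram; it is not from the original thread, and the interface names and addresses are constructed. On the ASA the tunneled default route catches traffic emerging from every VPN tunnel that terminates on the box, remote-access and L2L alike, and only one tunneled default route is allowed per ASA.

```text
! Topology from the thread (addresses constructed for this example):
!   Remote Users --- ASA --- DMZ --- CAS untrusted --- CAS trusted --- Internal Network
!
! Ordinary default route: non-VPN traffic leaves via the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunneled default route: traffic that emerges from any VPN tunnel on this ASA
! is handed to the next hop on the DMZ toward the CAS untrusted interface
! (constructed address) rather than following the normal routing table inside.
! This applies to remote-access and L2L tunnels alike; it cannot be scoped
! to one tunnel type, and only one such route may exist.
route dmz 0.0.0.0 0.0.0.0 192.0.2.10 tunneled

! Verify: the tunneled default route is listed separately from the standard one.
show route
show running-config route
```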