You might want to do a Real-IP configuration for the NASs for VPN. I'll look at the diagram to see what you designed around.
Thanks
Jim
Jim Thomas
Area Networks, Inc.
CCIE Security #16674
CCSP, CCNP, CCDP
[email protected]
Office: 650-242-8050
Cell: 916-342-2265
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Pete Boynton
Sent: Tuesday, August 18, 2009 9:32 AM
To: [email protected]
Subject: VLAN Assignments for In-Band Virtual Gateway
Hello,
I am trying to deploy an in-band solution for VPN users. There have been
a few surprises after having started this project.
1. Because users are coming in over a VPN the topology must be
in-band.
2. If you want to have redundant CAS servers they cannot be
separated by a NAT firewall from the CAM. Thus the reason why we have
the CAM in the DMZ with the CAS.
I have a diagram here:
http://www.flickr.com/photos/31154...@n07/3833723810/sizes/o/
My problem now is the ASA does not see the CAS as a L2 device as it
should. And the DMZ switch does not see the ASA as a L2 device. In other
words, on the ASA I don't see an ARP entry for 192.168.48.3 and on the
switch I don't see an ARP entry for 192.168.48.1.
What am I doing wrong?
