Having an upstream device NAT the 192.168.x.y network seems the easiest. On the CAS, you can limit the traffic to ntp, dns, www to AV or OS vendor sites, and your remediation servers. This would limit what actually passes through the CAS and gets NATed on its way to the Internet.
I also would recommend using either VRF or some IPsec tunnel to deliver the unauthorized traffic to the doorstep of the CAS if this is a central deployment. This would make your unauthenticated network invisible/non-routable in your trusted network.

Regards,
/Daniel

On Tue, Aug 23, 2011 at 3:20 PM, Bruce Hodge <[email protected]> wrote:

> You could always take the easy way out and set up a proxy cache, which
> will take care of the NAT and add some security if you need it?
>
> On 8/24/2011 6:08 AM, Riegert, Timothy J. wrote:
>
> IIRC, the use of the CAS as a NAT gateway is only permitted for testing
> use as it has limited number of connections.
>
> Typically, if you're doing a L3 / OOB / real IP solution, you utilize
> policy-based routing to send the traffic through the CAS, and you would have
> to perform NAT on a device that is further upstream (towards the Internet).
>
> From: Cisco Clean Access Users and Administrators [mailto:[email protected]]
> On Behalf Of Allen, Richard D CW2 NG NG NGB
> Sent: Tuesday, August 23, 2011 12:39 PM
> To: [email protected]
> Subject: Configuration question (UNCLASSIFIED)
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Here is one for all you smart NAC admins –
>
> I am working on setting up layer 3 OOB real IP gateway and have everything
> working except one part. My network uses public IP addresses (military) and
> thus no NAT'ing is configured on the network. My un-auth VLAN is set as a
> 192.168.x.x network and thus has no way to access the internet for
> remediation.
>
> My question is – should internet traffic be flowing through the CAS and be
> using the trusted IP address of the CAS or is it simply passed on with the
> IP address of the un-auth network? And if so, what is the easiest way to
> allow unauthorized network traffic limited access to the internet?
>
> Richard Allen
> CW2, SC, TNARNG
> J6 JFHQ
> 3041 Sidco Drive
> Nashville, TN 37204
> Comm: 615-313-7522
> DSN 683-7522
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> --
> Bruce Hodge
> Team Leader Networks and Communications Group
> IT Services
> The University of Newcastle, Australia
> Phone: +61 2 492 15563
> Fax: +61 2 492 16910
> Email: [email protected]
> Mobile: 0408 610 293
> IT Support: +61 2 492 17000
>
> http://www.newcastle.edu.au/unit/it
> CRICOS Provider Number: 00109J
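As an added example (not from the thread, and not Cisco documentation), here is what the upstream design Tim and Daniel describe could look like in Cisco IOS: the unauthenticated VLAN placed in its own VRF so it is unroutable from the trusted network, policy-based routing on the distribution switch steering that VLAN into the CAS untrusted interface, and NAT overload at the Internet edge that translates only the unauthenticated subnet and only for web traffic. The per-destination allow-list for the unauthenticated role (DNS, NTP, AV/OS vendor sites, remediation servers) lives in the CAS traffic policy and is not shown. All addresses, VLAN numbers, interface names and the VRF name are assumptions.

```cisco
! Added example, not from the thread. Assumed addressing:
!   unauth VLAN 900          = 192.168.10.0/24 (gateway on this switch: 192.168.10.1)
!   CAS untrusted interface  = 192.168.10.2
!   CAS trusted interface    = 203.0.113.2 (on the routed, public campus network)
!
! ===== Distribution switch: isolate the unauthenticated VLAN and steer it to the CAS =====
ip vrf NAC-UNAUTH
 description Unauthenticated NAC clients; no routes into the trusted network
 rd 65000:900
!
interface Vlan900
 description NAC unauthenticated VLAN (RFC 1918, never routed natively)
 ip vrf forwarding NAC-UNAUTH
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map NAC-TO-CAS
!
! Everything the unauthenticated VLAN sends is handed to the CAS untrusted side.
! Because the VLAN sits in its own VRF, there is no other route out even if a
! packet is not matched by the route-map.
ip access-list extended UNAUTH-SUBNET
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map NAC-TO-CAS permit 10
 match ip address UNAUTH-SUBNET
 set ip next-hop 192.168.10.2
!
! ===== Internet edge router: NAT only the unauthenticated subnet, only for the web =====
! Return path: the edge (and every hop between it and the CAS) must reach
! 192.168.10.0/24 via the CAS trusted interface, or replies to the NATed clients
! are dropped.
ip route 192.168.10.0 255.255.255.0 203.0.113.2
!
! Destination filtering stays on the CAS unauthenticated-role policy; this ACL is a
! second, coarser gate that refuses to translate anything but HTTP/HTTPS from the
! unauthenticated subnet. Authenticated (public) addresses are never translated.
ip access-list extended UNAUTH-NAT
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
!
interface GigabitEthernet0/0
 description Inside: campus side (CAS trusted interface is reached this way)
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside: Internet
 ip nat outside
!
ip nat inside source list UNAUTH-NAT interface GigabitEthernet0/1 overload
```

To check it from the switch, `show route-map NAC-TO-CAS` should show the policy-match counters climbing while an unauthenticated client is remediating, and `show ip route vrf NAC-UNAUTH` should list nothing but the connected 192.168.10.0/24. On the edge, `show ip nat translations` should contain only 192.168.10.x inside-local entries on ports 80 and 443; any other source address appearing there means the NAT ACL is wider than intended.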
