CLEANACCESS Archives

February 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Chris Perkins <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 26 Feb 2009 00:21:49 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (40 lines)

You can map the tunnel-groups to particular VLANs:

interface GigabitEthernet0/1
 nameif trunk
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.96.10 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 security-level 100
 ip address 172.16.200.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 12.34.56.78 1
route inside 10.0.100.0 255.255.255.0 10.0.96.254 1
route nac 10.0.100.0 255.255.255.0 172.16.200.1 255
!
group-policy NAC-Group internal
group-policy NAC-Group attributes
 dns-server value 10.0.100.74 10.0.100.75
 vpn-tunnel-protocol IPSec
 default-domain value hacme.com
 vlan 100
!
end

This will force the members of NAC-Group into VLAN 100. VLAN 100 is the
untrusted VLAN and 200 would be the trusted one; create the mapping in the NAC
Server. Supported after 8.x.

Feel free to contact me with questions.

Chris  
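The post's design only works if every remote-access group-policy is pinned to a VLAN that actually exists as a named subinterface on the ASA; a policy with no vlan line, or a vlan number with no matching subinterface, leaves its users outside the NAC untrusted VLAN. The script below is an added example (not from the post or from Cisco) that parses an ASA-style config and reports such policies. The sample config embeds the post's interfaces and NAC-Group and adds two constructed policies, Legacy-Group and Typo-Group, as assumed bad cases; the rule that every group-policy should land in the NAC VLAN is the script's own assumption.

```python
"""Audit an ASA config for VPN group-policies not pinned to the NAC VLAN.

Added example, not code from the mailing-list post or from Cisco.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the post's interfaces and NAC-Group, plus two assumed
# bad policies (Legacy-Group has no 'vlan', Typo-Group names a VLAN with no
# subinterface). Neither extra policy is from the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif trunk
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 ip address 10.0.96.10 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 ip address 172.16.200.5 255.255.255.0
!
group-policy NAC-Group internal
group-policy NAC-Group attributes
 vpn-tunnel-protocol IPSec
 vlan 100
!
group-policy Legacy-Group internal
group-policy Legacy-Group attributes
 vpn-tunnel-protocol IPSec
!
group-policy Typo-Group internal
group-policy Typo-Group attributes
 vlan 110
!
"""

_VLAN_RE = re.compile(r"^\s+vlan\s+(\d+|none)$")
_NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)$")


@dataclass
class AsaConfig:
    vlan_ifaces: dict = field(default_factory=dict)  # VLAN id -> nameif of its subinterface
    policy_vlan: dict = field(default_factory=dict)  # group-policy -> VLAN id, or None if unpinned


def parse_asa(text):
    """Collect VLAN-tagged subinterfaces and the 'vlan' attribute of each group-policy."""
    cfg = AsaConfig()
    section = None  # ("interface", name), ("group-policy", name) or None
    iface = {}      # vlan / nameif seen in the interface section in progress

    def flush_interface():
        # Only a subinterface with both a VLAN tag and a nameif can carry steered traffic.
        if "vlan" in iface and "nameif" in iface:
            cfg.vlan_ifaces[iface["vlan"]] = iface["nameif"]
        iface.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():          # a top-level command ends the previous section
            flush_interface()
            section = None
            if line.startswith(("!", ":")):  # separators and ':' comments
                continue
            words = line.split()
            if words[0] == "interface" and len(words) == 2:
                section = ("interface", words[1])
            elif words[0] == "group-policy" and len(words) == 3:
                cfg.policy_vlan.setdefault(words[1], None)  # no 'vlan' line seen yet
                if words[2] == "attributes":
                    section = ("group-policy", words[1])
            continue
        if section is None:
            continue
        kind, name = section
        m = _VLAN_RE.match(line)
        if m:
            value = None if m.group(1) == "none" else int(m.group(1))
            if kind == "interface" and value is not None:
                iface["vlan"] = value
            elif kind == "group-policy":
                cfg.policy_vlan[name] = value
            continue
        m = _NAMEIF_RE.match(line)
        if m and kind == "interface":
            iface["nameif"] = m.group(1)
    flush_interface()
    return cfg


def audit_nac_pinning(cfg, nac_vlan):
    """Return sorted (policy, problem) pairs for policies whose users would not land in nac_vlan."""
    findings = []
    for policy, vlan in sorted(cfg.policy_vlan.items()):
        if vlan is None:
            findings.append((policy, "no 'vlan' attribute; users are not steered into the NAC VLAN"))
        elif vlan not in cfg.vlan_ifaces:
            findings.append((policy, f"vlan {vlan} has no named subinterface on this ASA"))
        elif vlan != nac_vlan:
            findings.append((policy, f"pinned to vlan {vlan} ({cfg.vlan_ifaces[vlan]}), not NAC vlan {nac_vlan}"))
    return findings


if __name__ == "__main__":
    for policy, problem in audit_nac_pinning(parse_asa(SAMPLE_CONFIG), nac_vlan=100):
        print(f"{policy}: {problem}")
```

Run it against a `show running-config` capture saved to a file by replacing SAMPLE_CONFIG with the file contents; NAC-Group passes, Legacy-Group and Typo-Group are reported.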
