Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 2      Planning Your Deployment
Note
  • For Virtual Gateway (In-Band or OOB), it is recommended to connect the untrusted interface (eth1)
    of the CAS to the switch only after the CAS has been added to the CAM via the web console.
  • For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted interface (eth1) of the
    CAS should not be connected to the switch until VLAN mapping has been configured correctly
    under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping.
See 
NAT Gateway 
In the NAT Gateway configuration, the Clean Access Server functions similarly to the Real-IP Gateway 
configuration, but adds Network Address Translation (NAT) services. With NAT, clients are assigned IP 
addresses dynamically from a private address pool. The Clean Access Server performs the translation 
between the private and public addresses as traffic is routed between the untrusted (managed) and 
external network. The Clean Access Server supports standard, dynamic NAT and 1:1 NAT. In 1:1 NAT, 
there is a one-to-one correlation between public and private addresses. With 1:1 NAT, you can map port 
numbers as well as IP addresses for translation. 
Note
NAT Gateway mode (In-Band or Out-of-Band) is not recommended for production deployment.
CAS Operating Mode Summary
Table 2-1 summarizes the features and advantages for each operating mode.
Table 2-1  CAS Operating Mode Summary

CAS Type: Virtual Gateway
Features:
  • CAS acts like a bridge for the managed network.
  • CAS acts as a DHCP passthrough.
  • CAS acts in an unobtrusive manner.
Advantages:
  • Good if you do not want to modify the existing network.
  • There is no need to define static routes on the main router.

CAS Type: Real-IP Gateway
Features:
  • CAS acts as a gateway for the managed subnet.
  • CAS is designated as a static route for the managed subnet.
  • CAS can perform DHCP services, or act as a DHCP relay.
Advantages:
  • Good for situations in which a new subnet can be used for the managed network.
  • Clients are assigned real IP addresses.
  • Takes advantage of the CAS’s advanced DHCP services.