Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4 Clean Access Server Managed Domain
Configuring Managed Subnets or Static Routes
Configure Static Routes for L3 Deployments
L3 deployments (and some VPN concentrator deployments) should not use Managed Subnets and 
should only use Static Routes to tell the CAS how to route packets. The Static Route form 
lets you set up routing rules in the Clean Access Server. Static Routes have the form:
Network / subnet mask / send packets to interface (trusted or untrusted) / Gateway IP address (optional) 
Any packet that comes into the CAS is evaluated based on static routes, then routed appropriately to the 
router. When the CAS receives a packet, it looks through its static route table, finds the most specific 
match, and if that route has a gateway specified, the CAS sends packets through that gateway. If no 
gateway is specified, then the CAS puts packets on the interface specified for the route (eth0 or eth1). 
Note: If converting from L2 to L3 deployment, remove managed subnets and add static routes instead. 
Figure 4-7 illustrates a Layer 3 deployment scenario that requires a static route. 
Figure 4-7 Static Route Example (Layer 3) 
Configuring Static Routes for Layer 2 Deployments
 illustrates a Layer 2 deployment scenario that requires a static route. In this case, the Clean 
Access Server operates as a Virtual Gateway. Two gateways exist on the trusted network (GW1 and 
GW2). The address for the second gateway, GW2, is outside the address space of the first gateway, which 
includes the Clean Access Server interfaces. The static route ensures that traffic intended for GW2 is 
correctly passed to the Clean Access Server’s trusted interface (eth0). 
[Figure: static route example. Labels: Rest of the Network; Clean Access Server (eth0, eth1); 10.1.1.1; 10.1.51.1; 10.1.52.1; client subnets 10.1.51.0/24 and 10.1.52.0/24]
CAS needs to have 3 static routes:
10.1.51.0 / 255.255.255.0 eth1 10.1.51.1
10.1.52.0 / 255.255.255.0 eth1 10.1.52.1
10.1.1.0 / 255.255.255.255 eth0
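The lookup described under "Configure Static Routes for L3 Deployments" (find the most specific match, then use the route's gateway or put the packet on the route's interface), as an added Python example that is not code from the Cisco guide or the CAS itself. It parses the three routes exactly as printed above; the overlapping 10.1.0.0 / 255.255.0.0 route, the function names and the test addresses are constructed for illustration, and returning `None` when nothing matches is an assumption of the example.

```python
import ipaddress

# Routes in the figure's notation: network / mask interface [gateway].
FIGURE_ROUTES = [
    "10.1.51.0 / 255.255.255.0 eth1 10.1.51.1",
    "10.1.52.0 / 255.255.255.0 eth1 10.1.52.1",
    # Mask as printed on the page: it covers the single address 10.1.1.0.
    "10.1.1.0 / 255.255.255.255 eth0",
]
# Constructed route (not from the page) that overlaps the ones above.
CONSTRUCTED_ROUTES = ["10.1.0.0 / 255.255.0.0 eth0"]


def parse_route(line):
    """Parse 'network / mask interface [gateway]' into a route tuple."""
    network, rest = (part.strip() for part in line.split("/", 1))
    fields = rest.split()
    if len(fields) not in (2, 3):
        raise ValueError(f"malformed route: {line!r}")
    mask, interface = fields[0], fields[1]
    if interface not in ("eth0", "eth1"):
        raise ValueError(f"unknown interface in route: {line!r}")
    # strict=True rejects a network address that has host bits set.
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    gateway = ipaddress.ip_address(fields[2]) if len(fields) == 3 else None
    return net, interface, gateway


def lookup(routes, destination):
    """Return (interface, next_hop) for the most specific matching route.

    next_hop is the route's gateway, or the destination itself when the
    route has no gateway (the packet goes directly onto the interface).
    Returns None when no route matches.
    """
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    net, interface, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return interface, str(gateway if gateway is not None else dest)


ROUTES = [parse_route(line) for line in FIGURE_ROUTES + CONSTRUCTED_ROUTES]

if __name__ == "__main__":
    for ip in ("10.1.51.20", "10.1.1.0", "10.1.1.1", "192.0.2.9"):
        print(ip, "->", lookup(ROUTES, ip))
```

With only the three routes from the figure loaded, `lookup` returns `None` for 10.1.1.1, because a 255.255.255.255 mask matches a single address; checking a route table this way before deployment shows which destinations actually have a matching entry.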