Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01

Chapter 2
Planning Your Deployment
This chapter discusses planning considerations for deploying the software. Topics include:
  •
  •
  •
Overview
Before installing the Clean Access Server (CAS), you should consider how the Clean Access Server will fit into your existing network:
  • Choose the operating mode for the Clean Access Server—The operating mode determines the services the Clean Access Server will provide. For example, the CAS can operate as a bridge between the untrusted and trusted network, or it can operate as a gateway for the untrusted network.
  • Deploy the Clean Access Server centrally or at the edge of your network.
This chapter describes operating modes and deployment options for the Clean Access Server. It also provides an overview of how the deployment options affect configuration of the Clean Access Server as well as any external elements in your network, such as routers.
Clean Access Server Operating Modes
The Clean Access Server can operate in one of six modes:
  • Virtual Gateway – Operates as an IP bridge between the untrusted network and an existing gateway, while providing IPSec, filtering, and other services.
  • Real-IP Gateway – Operates as the default gateway for the untrusted network.
  • NAT Gateway – Operates as an IP gateway and performs NAT (Network Address Translation) services for the untrusted network.
Note: NAT Gateway mode is primarily intended to facilitate testing, as it requires the least amount of network configuration and is easy to initially set up. However, because NAT Gateway is limited in the number of connections it can handle, NAT Gateway mode (in-band or out-of-band) is NOT recommended for production deployment. In release 3.5(x), ports 49152~65535 are used for NAT Gateway mode, supporting a maximum of 16,384 simultaneous connections.