You can map VPN users to particular VLANs with the group-policy vlan attribute (the group policy is then applied to the tunnel-group). The ASA carries each VLAN on a subinterface of a trunk port; the relevant part of the configuration is:

interface GigabitEthernet0/1
 nameif trunk
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.96.10 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 security-level 100
 ip address 172.16.200.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 12.34.56.78 1
route inside 10.0.100.0 255.255.255.0 10.0.96.254 1
route nac 10.0.100.0 255.255.255.0 172.16.200.1 255
!
group-policy NAC-Group internal
group-policy NAC-Group attributes
 dns-server value 10.0.100.74 10.0.100.75
 vpn-tunnel-protocol IPSec
 default-domain value hacme.com
 vlan 100
!
end
This forces every VPN session that receives NAC-Group into VLAN 100. In this design VLAN 100 is the untrusted VLAN and VLAN 200 is the trusted one; create the matching mapping on the NAC server. The group-policy vlan attribute is supported on ASA 8.x and later.

Feel free to contact me with questions.

Chris
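The mapping only does what you expect when the VLAN named in each group-policy is actually defined on a subinterface of the ASA. The following Python script is an added example (not part of the original post) that parses an ASA running-config and flags any group-policy whose vlan attribute points at a VLAN ID with no matching subinterface. The sample config embedded below is constructed from the configuration above, with a hypothetical extra policy (Stale-Group, vlan 200) added to show a failing case; in a NAC design such a policy would leave remote-access users outside the VLAN the NAC server is mapping.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: the config from the post plus a hypothetical
# "Stale-Group" policy that references VLAN 200, which has no subinterface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif trunk
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.96.10 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 security-level 100
 ip address 172.16.200.5 255.255.255.0
!
group-policy NAC-Group internal
group-policy NAC-Group attributes
 dns-server value 10.0.100.74 10.0.100.75
 vpn-tunnel-protocol IPSec
 default-domain value hacme.com
 vlan 100
!
group-policy Stale-Group internal
group-policy Stale-Group attributes
 vlan 200
!
"""


def _stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, [indented sub-lines]) for each top-level ASA config stanza.

    ASA 'show running-config' output indents a stanza's sub-commands by one
    space; '!' lines and blank lines are separators and are skipped.
    """
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def interface_vlans(config: str) -> Dict[int, str]:
    """Return {vlan_id: nameif} for every subinterface carrying a 'vlan N' line."""
    out: Dict[int, str] = {}
    for header, body in _stanzas(config):
        if not header.startswith("interface "):
            continue
        vlan = nameif = None
        for line in body:
            if line.startswith("vlan "):
                vlan = int(line.split()[1])
            elif line.startswith("nameif "):
                nameif = line.split()[1]
        if vlan is not None:
            out[vlan] = nameif
    return out


def group_policy_vlans(config: str) -> Dict[str, int]:
    """Return {group_policy_name: vlan_id} for policies that set a vlan attribute."""
    out: Dict[str, int] = {}
    for header, body in _stanzas(config):
        m = re.match(r"group-policy (\S+) attributes$", header)
        if not m:
            continue
        for line in body:
            if line.startswith("vlan "):
                out[m.group(1)] = int(line.split()[1])
    return out


def check_vlan_mappings(config: str) -> Dict[str, str]:
    """Return {group_policy: problem} for policies whose VLAN has no subinterface."""
    defined = interface_vlans(config)
    problems: Dict[str, str] = {}
    for policy, vlan in group_policy_vlans(config).items():
        if vlan not in defined:
            problems[policy] = f"vlan {vlan} is not configured on any subinterface"
    return problems


if __name__ == "__main__":
    for policy, problem in check_vlan_mappings(SAMPLE_CONFIG).items():
        print(f"{policy}: {problem}")
```

Run it against the output of show running-config (pasted into SAMPLE_CONFIG or read from a file); a clean config produces no output, and the constructed sample reports only Stale-Group.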
