1-19
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
access-list 100 ex deny ip user CISCO\abc any any
access-list 100 ex permit ip user NONE any any ----> these users will match AAA rule
access-list 100 ex deny ip any any
access-group 100 in interface inside
access-list 200 ex deny ip user ANY any any -----> skips users who already logged in
access-list 200 ex permit ip user NONE any any
aaa authentication match 200 inside user-identity
See Chapter 1, “Configuring AAA Rules for Network Access.”
Cloud Web Security—You can control which users are sent to the Cloud Web Security proxy server.
In addition, you can configure policy on the Cloud Web Security ScanCenter that is based on user
groups that are included in ASA traffic headers sent to Cloud Web Security. See Chapter 1,
“Configuring the ASA for Cisco Cloud Web Security.”
VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure
the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not
subject to access rules. You can force VPN clients to abide by access rules that use an identity
firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall
ACL with the VPN filter feature; a VPN filter has a similar effect to applying access rules to VPN
traffic in general.
And many more...
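As an added example (not from the configuration guide) of the VPN filter item above: the default VPN bypass, the command that removes it, and an identity firewall ACL applied as a VPN filter. The ACL name, group policy, user, group and addresses are assumptions; lines beginning with ! are comments.

```cisco
! Added example, not from the Cisco guide. Names and addresses are assumptions.
!
! Default: decrypted VPN traffic bypasses the interface access rules entirely.
sysopt connection permit-vpn
!
! Option 1: remove the bypass so VPN traffic is checked against the interface ACL
! bound with access-group (including identity firewall entries in that ACL).
no sysopt connection permit-vpn
!
! Option 2: apply an identity firewall ACL as a VPN filter. A vpn-filter ACL is
! written with the remote VPN client as the source; the ASA applies it in both
! directions. Only named users and group members reach the listed servers.
access-list VPN_USERS extended permit tcp user CISCO\bob any host 10.1.1.10 eq https
access-list VPN_USERS extended permit ip user-group CISCO\\Engineers any 10.1.2.0 255.255.255.0
access-list VPN_USERS extended deny ip any any
!
group-policy SalesPolicy internal
group-policy SalesPolicy attributes
 vpn-filter value VPN_USERS
```

Use show vpn-sessiondb to confirm the group policy and filter applied to a session, and show access-list VPN_USERS to check hit counts on the identity entries.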
Examples
AAA Rule and Access Rule Example 1
This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA.
In this example, the following conditions apply:
The ASA IP address is 172.1.1.118.
The Active Directory domain controller has the IP address 71.1.2.93.
The end user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.
The user is authenticated by the Active Directory domain controller via LDAP.
The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network.
hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq http
hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq https
hostname(config)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 171.1.2.93
hostname(config-aaa-server-host)# ldap-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-group-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-dn cn=kao,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-login-password *****
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# aaa authentication match AUTH inside LDAP
hostname(config)#
hostname(config)# http server enable
hostname(config)# http 0.0.0.0 0.0.0.0 inside
hostname(config)#
hostname(config)# auth-prompt prompt Enter Your Authentication
hostname(config)# auth-prompt accept You are Good
hostname(config)# auth-prompt reject Goodbye