1-18
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Configuring the ASA for Cisco TrustSec Integration
To add an SXP connection peer, perform the following steps:
Command Purpose
Step 1
hostname(config)# cts sxp enable
If necessary, enables SXP on the ASA. By default,
SXP is disabled.
Step 2
hostname(config)# cts sxp connection peer
peer_ip_address [source source_ip_address] password
{default|none} [mode {local|peer}]
{speaker|listener}
Example:
hostname(config)# cts sxp connection peer
192.168.1.100 password default mode peer speaker
Sets up an SXP connection to an SXP peer. SXP
connections are set per IP address; a single device
pair can service multiple SXP connections.
Peer IP Address (Required)
Where peer_ip_address is the IPv4 or IPv6 address
of the SXP peer. The peer IP address must be
reachable from the ASA outgoing interface.
Source IP Address (Optional)
Where source_ip_address is the local IPv4 or IPv6
address of the SXP connection. The source IP
address must be the same as the ASA outbound
interface or the connection will fail.
We recommend that you do not configure a source IP
address for an SXP connection and allow the ASA to
perform a route/ARP lookup to determine the source
IP address for the SXP connection.
Password (Required)
Specifies whether to use the authentication key for
the SXP connection:
• default—Use the default password configured
for SXP connections. See Configuring the
Security Exchange Protocol (SXP), page 1-14.
• none—Do not use a password for the SXP
connection.
Mode (Optional)
Specifies the mode of the SXP connection:
• local—Use the local SXP device.
• peer—Use the peer SXP device.
Role (Required)
Specifies whether the ASA functions as a Speaker or
Listener for the SXP connection. See About Speaker
and Listener Roles on the ASA, page 1-5.
• speaker—ASA can forward IP-SGT mappings
to upstream devices.
• listener—ASA can receive IP-SGT mappings
from downstream devices.
To Next Page
Loading...
Need help?
General
