6-26
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Example for Cisco TrustSec
The following example shows how to configure the ASA to use Cisco TrustSec:
// Import an encrypted CTS PAC file
cts import-pac asa.pac password Cisco
// Configure ISE for environment data download
aaa-server cts-server-list protocol radius
aaa-server cts-server-list host 10.1.1.100 cisco123
cts server-group cts-server-list
// Configure SXP peers
cts sxp enable
cts sxp connection peer 192.168.1.100 password default mode peer speaker
// Configure security-group based policies
object-group security objgrp-it-admin
 security-group name it-admin-sg-name
 security-group tag 1
object-group security objgrp-hr-admin
 security-group name hr-admin-sg-name
 // group-object nests an existing object-group by its defined name
 group-object objgrp-it-admin
object-group security objgrp-hr-servers
 security-group name hr-servers-sg-name
access-list hr-acl permit ip object-group-security objgrp-hr-admin any object-group-security objgrp-hr-servers
// Configure security group tagging plus Ethernet tagging
interface gi0/1
 cts manual
  propagate sgt
  policy static sgt 100 trusted
cts role-based sgt-map 10.1.1.100 sgt 50
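As an added worked example (not part of the guide and not Cisco tooling), the following Python script parses a constructed configuration fragment modelled on the example above, flattens the nested object-group security definitions into the security-group names and tags they contain, and reports any group-object or access-list reference to an object-group that is never defined. The sample deliberately keeps a dangling reference (group-object it-admin, where the defined group is objgrp-it-admin) so there is something to find; the command syntax handled is limited to the lines used in the example.

```python
"""Resolve ASA security object-groups and check the references they make.

Added example, not Cisco's code. It parses a constructed ASA TrustSec
configuration fragment modelled on the guide's example, flattens nested
'object-group security' definitions (following group-object references)
into the security-group names and tags they contain, and reports dangling
references: a group-object or an access-list that names an object-group
which is never defined.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config, modelled on the guide's example. The line
# 'group-object it-admin' is a deliberate dangling reference (the defined
# group is objgrp-it-admin) so the checker has something to report.
SAMPLE_CONFIG = """\
object-group security objgrp-it-admin
 security-group name it-admin-sg-name
 security-group tag 1
object-group security objgrp-hr-admin
 security-group name hr-admin-sg-name
 group-object it-admin
object-group security objgrp-hr-servers
 security-group name hr-servers-sg-name
access-list hr-acl permit ip object-group-security objgrp-hr-admin any object-group-security objgrp-hr-servers
"""

OBJGRP_RE = re.compile(r"^object-group security (\S+)$")
SG_NAME_RE = re.compile(r"^security-group name (\S+)$")
SG_TAG_RE = re.compile(r"^security-group tag (\d+)$")
NESTED_RE = re.compile(r"^group-object (\S+)$")
# access-list <name> [extended] <permit|deny> <proto> object-group-security <src> <src-ip>
#   object-group-security <dst> [<dst-ip>]   (only the shape used in the example)
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) "
    r"object-group-security (\S+) \S+ object-group-security (\S+)(?: \S+)?$"
)


@dataclass
class SecurityObjectGroup:
    names: set = field(default_factory=set)     # security-group name entries
    tags: set = field(default_factory=set)      # security-group tag entries
    nested: list = field(default_factory=list)  # group-object references


def parse_config(text):
    """Return ({group name: SecurityObjectGroup}, [(acl, action, src_grp, dst_grp)])."""
    groups, acls, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJGRP_RE.match(line):
            current = groups.setdefault(m.group(1), SecurityObjectGroup())
        elif current is not None and (m := SG_NAME_RE.match(line)):
            current.names.add(m.group(1))
        elif current is not None and (m := SG_TAG_RE.match(line)):
            current.tags.add(int(m.group(1)))
        elif current is not None and (m := NESTED_RE.match(line)):
            current.nested.append(m.group(1))
        elif m := ACL_RE.match(line):
            current = None
            acls.append((m.group(1), m.group(2), m.group(4), m.group(5)))
        else:
            current = None  # any other top-level command leaves object-group mode
    return groups, acls


def resolve(groups, name, _seen=None):
    """Flatten a group: returns (names, tags, missing_refs) across all nesting."""
    seen = set() if _seen is None else _seen
    if name in seen:  # guard against cyclic group-object references
        return set(), set(), set()
    seen.add(name)
    group = groups.get(name)
    if group is None:
        return set(), set(), {name}
    names, tags, missing = set(group.names), set(group.tags), set()
    for child in group.nested:
        n, t, m = resolve(groups, child, seen)
        names |= n
        tags |= t
        missing |= m
    return names, tags, missing


def lint(groups, acls):
    """List every reference to an object-group that the config never defines."""
    findings = []
    for gname, group in groups.items():
        for child in group.nested:
            if child not in groups:
                findings.append(f"object-group {gname}: group-object '{child}' is undefined")
    for acl, _action, src, dst in acls:
        for ref in (src, dst):
            if ref not in groups:
                findings.append(f"access-list {acl}: object-group-security '{ref}' is undefined")
    return findings


if __name__ == "__main__":
    groups, acls = parse_config(SAMPLE_CONFIG)
    for finding in lint(groups, acls):
        print("FINDING:", finding)
    for gname in groups:
        names, tags, missing = resolve(groups, gname)
        print(f"{gname}: names={sorted(names)} tags={sorted(tags)} missing={sorted(missing)}")
```

Run against the sample, lint reports the undefined it-admin reference; once the line is corrected to group-object objgrp-it-admin, resolving objgrp-hr-admin yields both hr-admin-sg-name and it-admin-sg-name together with tag 1, which is the membership the hr-acl entry actually grants.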
AnyConnect VPN Support for Cisco TrustSec
ASA Version 9.3(1) fully supports security group tagging of VPN sessions. A Security Group Tag (SGT)
can be assigned to a VPN session using an external AAA server, or by configuration of the local user
database. This tag can then be propagated through the Cisco TrustSec system over Layer 2 Ethernet.
Security group tags are useful on group policies and for local users when the AAA server cannot provide
an SGT.
If there is no SGT in the attributes from the AAA server to assign to a VPN user, then the ASA uses the
SGT in the default group policy. If there is no SGT in the group policy, then tag 0x0 is assigned.
Typical Steps for a Remote User Connecting to a Server
1. A user connects to the ASA.
2. The ASA requests AAA information from the ISE, which may include an SGT. The ASA also
assigns an IP address for the user’s tunneled traffic.
3. The ASA uses AAA information to authenticate and creates a tunnel.
4. The ASA uses the SGT from AAA information and the assigned IP address to add an SGT in the
Layer 2 header.
5. Packets that include the SGT are passed to the next peer device in the Cisco TrustSec network.
