EasyManuals Logo

Cisco ASA Series Configuration Guide

Cisco ASA Series
428 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #107 background imageLoading...
Page #107 background image
6-25
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Guidelines for Cisco TrustSec
Configure IP-SGT Bindings Manually
To configure IP-SGT bindings manually, perform the following steps:
Procedure
Step 1 Configure IP-SGT bindings manually.
cts role-based sgt-map [IPv4_addr | IPv6_addr] sgt sgt_value
Example:
hostname(config)# cts role-based sgt-map 10.2.1.2 sgt 50
The sgt sgt_value keyword-argument pair specifies the SGT number. Valid values are from 2-65519.
Troubleshooting Tips
Use the packet-tracer command to determine why a particular session was allowed or denied, which
SGT value is being used (from the SGT in the packet, from the IP-SGT manager, or from the policy
static sgt command configured on the interface), and which security group-based security policies were
applied.
The following example displays output from the packet-tracer command to show security group tag
mapping to an IP address:
hostname# packet-tracer input inside tcp inline-tag 100 security-group name alpha 30
security-group tag 31 300
Mapping security-group 30:alpha to IP address 10.1.1.2.
Mapping security-group 31:bravo to IP address 192.168.1.2.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside....
----------------More---------------------
Use the capture capture-name type inline-tag tag command to capture only the Cisco CMD packets
(EtherType 0x8909) with or without a specific SGT value.
The following example displays output from the show capture command for a specified SGT value:
hostname# show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 10.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 10.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 10.0.101.100: icmp: echo request
4: 11.34.43.933164 INLINE-TAG 48 10.0.101.100 > 10.0.101.22: icmp: echo reply

Table of Contents

Other manuals for Cisco ASA Series

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA Series and is the answer not in the manual?

Cisco ASA Series Specifications

General IconGeneral
ModelASA 5505
InterfacesVaries by model (Fast Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet, etc.)
High AvailabilityActive/Standby or Active/Active (varies by model)
Power SupplyVaries by model
Form FactorVaries by model
Operating SystemCisco ASA Software
IPsec VPNSupported
SSL VPNSupported
IPS ThroughputVaries by model

Related product manuals