6-25
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Guidelines for Cisco TrustSec
Configure IP-SGT Bindings Manually
To configure IP-SGT bindings manually, perform the following steps:
Procedure
Step 1 Configure IP-SGT bindings manually.
cts role-based sgt-map [IPv4_addr | IPv6_addr] sgt sgt_value
Example:
hostname(config)# cts role-based sgt-map 10.2.1.2 sgt 50
The sgt sgt_value keyword-argument pair specifies the SGT number. Valid values are from 2-65519.
Troubleshooting Tips
Use the packet-tracer command to determine why a particular session was allowed or denied, which
SGT value is being used (from the SGT in the packet, from the IP-SGT manager, or from the policy
static sgt command configured on the interface), and which security group-based security policies were
applied.
The following example displays output from the packet-tracer command to show security group tag
mapping to an IP address:
hostname# packet-tracer input inside tcp inline-tag 100 security-group name alpha 30
security-group tag 31 300
Mapping security-group 30:alpha to IP address 10.1.1.2.
Mapping security-group 31:bravo to IP address 192.168.1.2.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside....
----------------More---------------------
Use the capture capture-name type inline-tag tag command to capture only the Cisco CMD packets
(EtherType 0x8909) with or without a specific SGT value.
The following example displays output from the show capture command for a specified SGT value:
hostname# show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 10.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 10.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 10.0.101.100: icmp: echo request
4: 11.34.43.933164 INLINE-TAG 48 10.0.101.100 > 10.0.101.22: icmp: echo reply
To Next Page
Loading...
Need help?
General
