Refresh Environment Data; Configure The Security Policy - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Guidelines for Cisco TrustSec
hostname(config)# no cts sxp connection peer 192.168.1.100
hostname(config)# cts sxp connection peer 192.168.1.100 source 192.168.1.1 password default mode peer speaker
hostname(config)# no cts sxp connection peer 192.168.1.100 source 192.168.1.1 password default mode peer speaker

Refresh Environment Data

The ASA downloads environment data from the ISE, which includes the Security Group Tag (SGT) name
table. The ASA automatically refreshes its environment data that is obtained from the ISE when you
complete the following tasks on the ASA:
- Configure a AAA server to communicate with the ISE.
- Import a PAC file from the ISE.
- Identify the AAA server group that the ASA will use to retrieve Cisco TrustSec environment data.
Normally, you do not need to manually refresh the environment data from the ISE; however, security
groups can change on the ISE. These changes are not reflected on the ASA until you refresh the data in
the ASA security group table, so refresh the data on the ASA to make sure that any security group
changes made on the ISE are reflected on the ASA.
Note: We recommend that you schedule policy configuration changes on the ISE and the manual data refresh
on the ASA during a maintenance window. Handling policy configuration changes in this way
maximizes the chances of security group names getting resolved and security policies becoming active
immediately on the ASA.
To refresh the environment data, perform the following steps:
Procedure
Step 1: Refresh the environment data from the ISE and reset the reconcile timer to the configured default value.
cts refresh environment-data
Example:
hostname(config)# cts refresh environment-data

Configure the Security Policy

You can incorporate Cisco TrustSec policy in many ASA features. Any feature that uses extended ACLs
(unless listed in this chapter as unsupported) can take advantage of Cisco TrustSec. You can add security
group arguments to extended ACLs, as well as traditional network-based parameters.
- To configure an extended ACL, see the firewall configuration guide.
- To configure security group object groups that can be used in the ACL, see Configure Security
  Group Object Groups, page 2-8.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 6: ASA and Cisco TrustSec
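The following is an added example, not part of the Cisco guide: a Python check that lists security group names used in extended ACL entries but absent from a snapshot of the SGT name table, that is, the entries whose names would stay unresolved after an environment data refresh. The ACL lines, group names and table contents are constructed sample data, and the function name is hypothetical.

```python
import re

# Security-group argument of an extended ACL entry that refers to a group by name.
# "security-group tag <number>" arguments are already numeric and need no lookup,
# so they are not checked here.
SG_NAME_ARG = re.compile(r"\bsecurity-group\s+name\s+(\S+)")

def unresolved_sg_names(config_text, sgt_name_table):
    """Return (acl_name, group_name, line) for every security group name used in
    an extended ACL that has no entry in sgt_name_table (name -> tag)."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split()
        # Only "access-list <id> extended ..." entries carry security-group arguments.
        if len(words) < 3 or words[0] != "access-list" or words[2] != "extended":
            continue
        for name in SG_NAME_ARG.findall(line):
            if name not in sgt_name_table:
                findings.append((words[1], name, line))
    return findings

# Constructed sample: a configuration excerpt and an SGT name table snapshot.
SAMPLE_CONFIG = """\
access-list INSIDE-IN remark TrustSec policy for the inside interface
access-list INSIDE-IN extended permit tcp security-group name Engineering any security-group name Build_Servers any eq 22
access-list INSIDE-IN extended deny ip security-group name Contractors any any
access-list INSIDE-IN extended permit ip security-group tag 22 any any
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443
"""
SAMPLE_TABLE = {"Engineering": 10, "Build_Servers": 11}

if __name__ == "__main__":
    for acl, name, line in unresolved_sg_names(SAMPLE_CONFIG, SAMPLE_TABLE):
        print(f"{acl}: security group name '{name}' is not in the SGT name table")
        print(f"    {line}")
```

Running the check against the group list planned on the ISE before the maintenance window shows which ACL entries reference names that the refreshed table will not contain.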
