Deployment Scenarios - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

About the Identity Firewall

Deployment Scenarios

You can deploy the components of the Identity Firewall in the following ways, depending on your environmental requirements.

The following figure shows how you can deploy the components of the Identity Firewall to allow for redundancy. Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy; however, in this deployment scenario the Active Directory server and the AD Agent are co-located on the same Windows server.
Cisco ASA Series Firewall CLI Configuration Guide, page 5-4
Scalability

• Supports a fully qualified domain name (FQDN) for the source and destination of a user identity policy.
• Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature works in tandem with the existing 5-tuple solution.
• Supports use with IPS and Application Inspection policies.
• Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and cut-through proxy. All retrieved users are populated to all ASAs that are connected to the AD Agent.
• Each AD Agent supports 100 ASAs. Multiple ASAs can communicate with a single AD Agent to provide scalability in larger network deployments.
• Supports 30 Active Directory servers, provided the IP address is unique among all domains.
• Each user identity in a domain can have up to 8 IP addresses.
• Supports up to 64,000 user identity-IP address mapped entries in active policies for the ASA 5500 Series models. This limit controls the maximum number of users who have policies applied. The total number of users is the aggregate of all users configured in all contexts.
• Supports up to 512 user groups in active ASA policies.
• A single access rule can contain one or more user groups or users.
• Supports multiple domains.

Availability

• The ASA retrieves group information from Active Directory and falls back to web authentication for IP addresses when the AD Agent cannot map a source IP address to a user identity.
• The AD Agent continues to function when any of the Active Directory servers or the ASA are not responding.
• Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary AD Agent stops responding, the ASA can switch to the secondary AD Agent.
• If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut-through proxy and VPN authentication.
• The AD Agent runs a watchdog process that automatically restarts its services when they are down.
• Allows a distributed IP address/user mapping database for use among ASAs.
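The configuration below is an added example and not text from the Cisco guide; it shows how the availability points above map onto ASA CLI: a RADIUS server group with two AD Agent hosts (primary and secondary), an LDAP server group for the domain used for group import, the action the ASA takes on identity rules when the AD Agent or the domain controller stops responding, and one identity-based rule combined with 5-tuple criteria. The interface name, addresses, the domain nickname SAMPLE, the user group name, the bind DN and the keys are assumed placeholder values. In the co-located layout of Scenario 2, the AD Agent host and the LDAP host would simply share one address.

```cisco
! Added example (assumed placeholder names, addresses and keys).
! RADIUS server group for the AD Agent; two hosts give a primary and a
! secondary AD Agent, so the ASA can switch over if the first stops responding.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.1.101
 key AdAgentSharedKey
aaa-server adagent (inside) host 192.168.1.102
 key AdAgentSharedKey
user-identity ad-agent aaa-server adagent

! LDAP server group for the Active Directory domain (group membership import).
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 192.168.1.100
 ldap-base-dn DC=SAMPLE,DC=com
 ldap-scope subtree
 ldap-login-password LdapBindPassword
 ldap-login-dn cn=svc-asa-ldap,cn=users,DC=SAMPLE,DC=com
 server-type microsoft
user-identity domain SAMPLE aaa-server adserver
user-identity default-domain SAMPLE

! Failure actions: disable identity-based rules (rather than the alternative
! remove-user-ip) while the AD Agent or the SAMPLE domain controller is down.
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down SAMPLE disable-user-identity-rule
user-identity enable

! Identity-based rule combined with 5-tuple fields: a user group, a destination
! host and a port in one access rule, followed by an explicit deny.
object-group user finance_users
 user-group SAMPLE\\finance
access-list inside_in extended permit tcp object-group-user finance_users any host 10.10.10.50 eq 443
access-list inside_in extended deny ip any any
access-group inside_in in interface inside

! Checks after applying the configuration:
!   test aaa-server ad-agent adagent
!   show user-identity ad-agent
!   show user-identity user all list
```

The two `host` entries under the `adagent` group are what give the ASA its primary and secondary AD Agent; the `user-identity action` lines decide whether an outage leaves identity rules inactive or drops the affected user-to-IP mappings, and the `show user-identity` commands let you confirm which agent is active and which mappings the ASA currently holds.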
Chapter 5, Identity Firewall