Vpn With Idfw Rule -1 Example; Vpn With Idfw Rule -2 Example; Monitoring The Identity Firewall - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 5
Identity Firewall

VPN with IDFW Rule -1 Example

By default, the sysopt connection permit-vpn command is enabled and VPN traffic is exempted from
the access list check. To apply interface-based ACL rules to VPN traffic, access list bypassing for
VPN traffic must be disabled.
In this example, if the user logs in from the outside interface, the IDFW rules control which network
resources are accessible. All VPN users are to be stored under the LOCAL domain. Therefore, it is only
meaningful to apply the rules for LOCAL users or object groups that include LOCAL users.
! Apply VPN-Filter with bypassing access-list check disabled
no sysopt connection permit-vpn
access-list v1 extended deny ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended permit ip user LOCAL\idfw any 20.0.0.0 255.255.255.0
access-group v1 in interface outside
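As an added example (not from the Cisco guide), the following Python script parses the Rule -1 access list above and evaluates it the way the ASA does, first matching entry wins and an implicit deny follows the last entry, so an administrator can check what a given LOCAL user reaches before turning off access list bypassing. The source address, the second user name and the exact, case-sensitive user comparison are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the Rule -1 access list from the text above (not a live device config).
CONFIG = r"""
access-list v1 extended deny ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended permit ip user LOCAL\idfw any 20.0.0.0 255.255.255.0
"""

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    user: Optional[str]         # DOMAIN\user from the user keyword, None if absent
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_addr(tokens, i):
    """Read 'any' or 'ADDRESS MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acls(text):
    """Return {acl_name: [Ace, ...]} in configured order (only the 'ip' protocol form used here)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue
        name, action, i, user = t[1], t[3], 5, None
        if t[i] == "user":                 # identity-based ACE: matches only that user's traffic
            user, i = t[i + 1], i + 2
        src, i = parse_addr(t, i)
        dst, _ = parse_addr(t, i)
        acls.setdefault(name, []).append(Ace(action, user, src, dst))
    return acls

def evaluate(acl, user, src_ip, dst_ip):
    """First matching ACE decides; an access list ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.user is not None and ace.user != user:   # assumption: exact, case-sensitive match
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"
```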

VPN with IDFW Rule -2 Example

By default, the sysopt connection permit-vpn command is enabled, with VPN traffic access bypassing
enabled. A VPN filter can be used to apply the IDFW rules to the VPN traffic. A VPN filter with IDFW
rules can be defined in the CLI username and group policy.
In the example, when user idfw logs in, the user can access network resources in the 10.0.0.0/24 subnet.
However, when user user1 logs in, access to network resources in the 10.0.0.0/24 subnet is denied. Note that
all VPN users are stored under the LOCAL domain. Therefore, it is only meaningful to apply the rules
for LOCAL users or object groups that include LOCAL users.
Note: IDFW rules can only be applied to VPN filters under group policy and are not available in all of the
other group policy features.
! Apply VPN-Filter with bypassing access-list check enabled
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v2 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
username user1 password QkBIIYVi6IFLEsYv encrypted privilege 0
username user1 attributes
 vpn-group-policy group1
 vpn-filter value v2
username idfw password eEm2dmjMaopcGozT encrypted
username idfw attributes
 vpn-group-policy testgroup
 vpn-filter value v1
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
group-policy group1 internal
group-policy group1 attributes
 vpn-filter value v1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

Monitoring the Identity Firewall

See the following commands for monitoring the Identity Firewall status:
show user-identity ad-agent
Cisco ASA Series Firewall CLI Configuration Guide
