Cisco ASA Series Cli Configuration Manual page 924
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Configuring the ASA for Cisco TrustSec Integration
Configuring the Security Policy
You can incorporate TrustSec policy in many ASA features. Any feature that uses extended ACLs (unless
listed in this chapter as unsupported) can take advantage of TrustSec. You can now add security group
arguments to extended ACLs, as well as traditional network-based parameters.
•
•
For example, an access rule permits or denies traffic on an interface using network information. With
TrustSec, you can now control access based on security group. See
Rules."
meaning the security group could have any IP address on subnet 10.0.0.0/8.
You can configure security policies based on combinations of security group names (servers, users,
unmanaged devices, etc.), user-based attributes, and traditional IP-address-based objects (IP address,
Active Directory object, and FQDN). Security-group membership can extend beyond roles to include
device and location attributes and is independent of user-group membership.
Examples
The following example shows how to create an access list that uses a locally defined security object
group:
object-group security objgrp-it-admin
security-group name it-admin-sg-name
security-group tag 1
object-group security objgrp-hr-admin
security-group name hr-admin-sg-name
group-object it-admin
object-group security objgrp-hr-servers
object-group security objgrp-hr-network
access-list hr-acl permit ip object-group-security objgrp-hr-admin any
object-group-security objgrp-hr-servers
The access list configured above can be activated by configuring an access group or configuring MPF.
Other examples:
!match src hr-admin-sg-name from any network to dst host 172.23.59.53
access-list idw-acl permit ip security-group name hr-admin-sg-name any host 172.23.59.53
!match src hr-admin-sg-name from host 10.1.1.1 to dst any
access-list idfw-acl permit ip security-group name hr-admin-sg-name host 10.1.1.1 any
!match src tag 22 from any network to dst hr-servers-sg-name any network
access-list idfw-acl permit ip security-group tag 22 any security-group name hr-servers-sg-name any
!match src user mary from any host to dst hr-servers-sg-name any network
access-list idfw-acl permit ip user CSCO\mary any security-group name hr-servers-sg-name any
!match src objgrp-hr-admin from any network to dst objgrp-hr-servers any network
access-list idfw-acl permit ip object-group-security objgrp-hr-admin any object-group-security
objgrp-hr-servers any
!match src user Jack from objgrp-hr-network and ip subnet 10.1.1.0/24 to dst objgrp-hr-servers any network
access-list idfw-acl permit ip user CSCO\Jack object-group-security objgrp-hr-network 10.1.1.0
255.255.255.0 object-group-security objgrp-hr-servers any
!match src user Tom from security-group mktg any google.com
object network net-google
fqdn google.com
access-list sgacl permit ip sec name mktg any object net-google
Cisco ASA Series CLI Configuration Guide
1-20
To configure an extended ACL, see
To configure security group object groups, which can be used in the ACL, see the
Local User Groups" section on page
For example, you could create an access rule for sample_securitygroup1 10.0.0.0 255.0.0.0,
security-group name hr-servers-sg-name
security-group tag 2
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec
Chapter 1, "Adding an Extended Access Control List."
1-11.
// single sg_name
// locally defined object-group as nested object
"Configuring
Chapter 1, "Configuring Access
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
