Configuration Example - Cisco ASA Series Cli Configuration Manual

Software version 9.0 for the services module
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec
! If user Tom or object-group security objgrp-hr-admin needs to be matched, multiple ACEs can be defined as follows:
access-list idfw-acl2 permit ip user CSCO\Tom 10.1.1.0 255.255.255.0 object-group-security objgrp-hr-servers any
access-list idfw-acl2 permit ip object-group-security objgrp-hr-admin 10.1.1.0 255.255.255.0 object-group-security objgrp-hr-servers any
Collecting User Statistics

To activate the collection of user statistics by the Modular Policy Framework and match lookup actions for the Identity Firewall, enter the following command:

Command: user-statistics [accounting | scanning]

Purpose: Activates the collection of user statistics by the Modular Policy Framework and matches lookup actions for the Identity Firewall. The accounting keyword specifies that the ASA collect the sent packet count, sent drop count, and received packet count. The scanning keyword specifies that the ASA collect only the sent drop count. When you configure a policy map to collect user statistics, the ASA collects detailed statistics for selected users. When you specify the user-statistics command without the accounting or scanning keywords, the ASA collects both accounting and scanning statistics.

Example:
hostname(config)# class-map c-identity-example-1
hostname(config-cmap)# match access-list identity-example-1
hostname(config-cmap)# exit
hostname(config)# policy-map p-identity-example-1
hostname(config-pmap)# class c-identity-example-1
hostname(config-pmap)# user-statistics accounting
hostname(config-pmap)# exit
hostname(config)# service-policy p-identity-example-1 interface outside

Configuration Example

The following configuration example shows how to perform a complete configuration to integrate the ASA with Cisco TrustSec:
// Import an encrypted CTS PAC file
cts import-pac asa.pac password Cisco
// Configure ISE for environment data download
aaa-server cts-server-list protocol radius
aaa-server cts-server-list host 10.1.1.100 cisco123
cts server-group cts-server-list
// Configure SXP peers
cts sxp enable
cts sxp connection peer 192.168.1.100 password default mode peer speaker
// Configure security-group based policies
object-group security objgrp-it-admin
security-group name it-admin-sg-name
security-group tag 1
object-group security objgrp-hr-admin
security-group name hr-admin-sg-name
// The nested group must be referenced by its defined object-group name
group-object objgrp-it-admin
object-group security objgrp-hr-servers
security-group name hr-servers-sg-name
access-list hr-acl permit ip object-group-security objgrp-hr-admin any object-group-security objgrp-hr-servers
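A defender-side consistency check for the two configurations on this page, the user-statistics policy chain and the TrustSec object-group policy, as an added example that is not part of the Cisco guide: a small Python parser for flat ASA CLI text that flags names referenced but never defined (a group-object, object-group-security, match access-list, class, service-policy or cts server-group target) and reports which statistics each user-statistics line would collect. The constructed sample combines the page's snippets and deliberately carries a group-object line naming it-admin instead of the defined objgrp-it-admin, the kind of slip that silently leaves a security-group policy incomplete; the parser, its helper names and its block tracking are this example's own assumptions, not ASA behaviour.

```python
"""Reference checker for flat ASA CLI snippets (added example, not Cisco's code).

Finds names used but never defined (group-object, object-group-security,
class-map ACL matches, policy-map classes, service-policy targets, the cts
server-group) and records which user-statistics each policy-map class collects.
"""
from collections import defaultdict

# Constructed sample: the page's TrustSec and user-statistics examples, with a
# 'group-object it-admin' line that names no defined group (objgrp-it-admin is).
SAMPLE_CONFIG = """\
cts import-pac asa.pac password Cisco
aaa-server cts-server-list protocol radius
aaa-server cts-server-list host 10.1.1.100 cisco123
cts server-group cts-server-list
cts sxp enable
cts sxp connection peer 192.168.1.100 password default mode peer speaker
object-group security objgrp-it-admin
 security-group name it-admin-sg-name
 security-group tag 1
object-group security objgrp-hr-admin
 security-group name hr-admin-sg-name
 group-object it-admin
object-group security objgrp-hr-servers
 security-group name hr-servers-sg-name
access-list hr-acl permit ip object-group-security objgrp-hr-admin any object-group-security objgrp-hr-servers
access-list identity-example-1 permit ip user CSCO\\Tom 10.1.1.0 255.255.255.0 any
class-map c-identity-example-1
 match access-list identity-example-1
policy-map p-identity-example-1
 class c-identity-example-1
  user-statistics accounting
service-policy p-identity-example-1 interface outside
"""

# Commands that open a new top-level block; following sub-commands belong to it.
TOP_LEVEL = {"object-group", "access-list", "class-map", "policy-map",
             "service-policy", "aaa-server", "cts", "interface"}
# What each user-statistics form collects, per the page: no keyword means both.
USER_STATS = {"accounting": {"accounting"}, "scanning": {"scanning"},
              None: {"accounting", "scanning"}}


def parse_config(text):
    """Return (definitions, references, user_stats) for a flat ASA snippet."""
    defs = defaultdict(set)   # kind -> names defined
    refs = []                 # (kind, name, line_no) for every name used
    stats = {}                # (policy-map, class) -> statistics collected
    mode, cur_class = None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("!", "//")):   # comment styles on the page
            continue
        tok = line.split()
        cmd = tok[0]
        if cmd == "object-group" and tok[1:2] == ["security"]:
            defs["object-group"].add(tok[2]); mode = ("object-group", tok[2])
        elif cmd == "access-list":
            defs["access-list"].add(tok[1]); mode = None
            refs += [("object-group", tok[i + 1], n)
                     for i, t in enumerate(tok[:-1]) if t == "object-group-security"]
        elif cmd == "class-map":
            defs["class-map"].add(tok[1]); mode = ("class-map", tok[1])
        elif cmd == "policy-map":
            defs["policy-map"].add(tok[1]); mode, cur_class = ("policy-map", tok[1]), None
        elif cmd == "service-policy":
            refs.append(("policy-map", tok[1], n)); mode = None
        elif cmd == "aaa-server" and "protocol" in tok:
            defs["aaa-server"].add(tok[1]); mode = None
        elif cmd == "cts" and tok[1:2] == ["server-group"]:
            refs.append(("aaa-server", tok[2], n)); mode = None
        elif cmd in TOP_LEVEL or mode is None:
            mode = None                                  # unrelated top-level line
        # sub-commands, interpreted by the enclosing block
        elif mode[0] == "object-group" and cmd == "group-object":
            refs.append(("object-group", tok[1], n))
        elif mode[0] == "class-map" and tok[:2] == ["match", "access-list"]:
            refs.append(("access-list", tok[2], n))
        elif mode[0] == "policy-map" and cmd == "class":
            cur_class = tok[1]
            if cur_class != "class-default":             # built-in, never defined
                refs.append(("class-map", cur_class, n))
        elif mode[0] == "policy-map" and cmd == "user-statistics" and cur_class:
            stats[(mode[1], cur_class)] = set(USER_STATS[tok[1] if len(tok) > 1 else None])
    return defs, refs, stats


def dangling_references(text):
    """Names referenced but never defined, as (kind, name, line_no) tuples."""
    defs, refs, _ = parse_config(text)
    return [r for r in refs if r[1] not in defs[r[0]]]


def user_statistics(text):
    """Per (policy-map, class): which user statistics the ASA would collect."""
    return parse_config(text)[2]
```

Run against the sample, dangling_references reports the group-object line as the single unresolved name, and it becomes empty once that line is changed to group-object objgrp-it-admin; user_statistics shows the one class collecting accounting only, and would show both accounting and scanning for a bare user-statistics line, matching the rule in the Purpose text above. The checker only understands the flat, indentation-optional form shown on this page; it is a review aid for pasted snippets, not a substitute for the ASA's own parser.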
Cisco ASA Series CLI Configuration Guide
Configuration Example
1-21
