1-20
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Configuring the ASA for Cisco TrustSec Integration
Configuring the Security Policy
You can incorporate TrustSec policy in many ASA features. Any feature that uses extended ACLs (unless
listed in this chapter as unsupported) can take advantage of TrustSec. You can now add security group
arguments to extended ACLs, as well as traditional network-based parameters.
• To configure an extended ACL, see Chapter 1, “Adding an Extended Access Control List.”
• To configure security group object groups, which can be used in the ACL, see the “Configuring
Local User Groups” section on page 1-11.
For example, an access rule permits or denies traffic on an interface using network information. With
TrustSec, you can now control access based on security group. See Chapter 1, “Configuring Access
Rules.” For example, you could create an access rule for sample_securitygroup1 10.0.0.0 255.0.0.0,
meaning the security group could have any IP address on subnet 10.0.0.0/8.
You can configure security policies based on combinations of security group names (servers, users,
unmanaged devices, etc.), user-based attributes, and traditional IP-address-based objects (IP address,
Active Directory object, and FQDN). Security-group membership can extend beyond roles to include
device and location attributes and is independent of user-group membership.
Examples
The following example shows how to create an access list that uses a locally defined security object
group:
object-group security objgrp-it-admin
security-group name it-admin-sg-name
security-group tag 1
object-group security objgrp-hr-admin
security-group name hr-admin-sg-name // single sg_name
group-object it-admin // locally defined object-group as nested object
object-group security objgrp-hr-servers
security-group name hr-servers-sg-name
object-group security objgrp-hr-network
security-group tag 2
access-list hr-acl permit ip object-group-security objgrp-hr-admin any
object-group-security objgrp-hr-servers
The access list configured above can be activated by configuring an access group or configuring MPF.
Other examples:
!match src hr-admin-sg-name from any network to dst host 172.23.59.53
access-list idw-acl permit ip security-group name hr-admin-sg-name any host 172.23.59.53
!match src hr-admin-sg-name from host 10.1.1.1 to dst any
access-list idfw-acl permit ip security-group name hr-admin-sg-name host 10.1.1.1 any
!match src tag 22 from any network to dst hr-servers-sg-name any network
access-list idfw-acl permit ip security-group tag 22 any security-group name hr-servers-sg-name any
!match src user mary from any host to dst hr-servers-sg-name any network
access-list idfw-acl permit ip user CSCO\mary any security-group name hr-servers-sg-name any
!match src objgrp-hr-admin from any network to dst objgrp-hr-servers any network
access-list idfw-acl permit ip object-group-security objgrp-hr-admin any object-group-security
objgrp-hr-servers any
!match src user Jack from objgrp-hr-network and ip subnet 10.1.1.0/24 to dst objgrp-hr-servers any network
access-list idfw-acl permit ip user CSCO\Jack object-group-security objgrp-hr-network 10.1.1.0
255.255.255.0 object-group-security objgrp-hr-servers any
!match src user Tom from security-group mktg any google.com
object network net-google
fqdn google.com
access-list sgacl permit ip sec name mktg any object net-google
To Next Page
Loading...
Need help?
General
