1-20
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
AAA Rule and Access Rule Example 2
hostname(config)# access-list listenerAuth extended permit tcp any any
hostname(config)# aaa authentication match listenerAuth inside ldap
hostname(config)# aaa authentication listener http inside port 8888
hostname(config)# access-list 100 ex permit ip user SAMPLE\user1 any any
hostname(config)# access-list 100 ex deny ip user SAMPLE\user2 any any
hostname(config)# access-list 100 ex permit ip user NONE any any
hostname(config)# access-list 100 ex deny any any
hostname(config)# access-group 100 in interface inside
hostname(config)# aaa authenticate match 200 inside user-identity
In this example, the following guidelines apply:
•
In
access
-
list
commands, “permit user NONE” rules should be written before the “access-list 100
ex deny any any” to allow unauthenticated incoming users trigger AAA Cut-Through Proxy.
•
In auth access-list command, “permit user NONE” rules guarantee only unauthenticated trigger
Cut-Through Proxy. Ideally they should be the last lines.
VPN Filter Example
Some traffic might need to bypass the Identity Firewall.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices. Specifically, the IP-user
mapping of authenticated users is forwarded to all ASA contexts that contain the input interface where
HTTP/HTTPS packets are received and authenticated. The ASA designates users logging in through a
VPN as belonging the LOCAL domain.
There are two different ways to apply IDFW rules on VPN users.
•
Apply VPN-Filter with bypassing access-list check disabled
•
Apply VPN-Filter with bypassing access-list check enabled
Configuration Example -- VPN with IDFW Rule -1
By default, “sysopt connection permit-vpn" is enabled and VPN traffic is exempted from access-list
check. In order to apply regular interface based ACL rules for VPN traffic, VPN traffic access-list
bypassing needs to be disabled.
In the this example, if the user logs in from outside interface, the IDFW rules will control what network
resource he can access. All VPN users are be stored under domain LOCAL. Therefore, it is only
meaningful to apply the rules over LOCAL users or object-group containing LOCAL users.
! Apply VPN-Filter with bypassing access-list check disabled
no sysopt connection permit-vpn
access-list v1 extended deny ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended permit ip user LOCAL\idfw any 20.0.0.0 255.255.255.0
access-group v1 in interface outside
>> Control VPN user based on regular IDFW ACLs
Configuration ExampleVPN with IDFW Rule -2
By default, "sysopt connection permit-vpn" is enabled, with VPN traffic access bypassing enabled.
VPN-filter can be used to apply the IDFW rules on the VPN traffic. VPN-filter with IDFW rules can be
defined in CLI username and group-policy.
In the example, when user idfw logs in, he is able to access to network resources in 10.0.00/24 subnet.
However, when user user1 loggs in, his access to network resources in 10.0.00/24 subnet will be denied.
Note that all VPN users will be stored under domain LOCAL. Therefore, it is only meaningful to apply
the rules over LOCAL users or object-group containing LOCAL users.
Note: IDFW rules can only be aplpied to vpn-filter under group-policy and are not available in all the
other group-policy features.
Summary of Contents for 5505 - ASA Firewall Edition Bundle
Page 28: ...Glossary GL 24 Cisco ASA Series CLI Configuration Guide ...
Page 61: ...P A R T 1 Getting Started with the ASA ...
Page 62: ......
Page 219: ...P A R T 2 Configuring High Availability and Scalability ...
Page 220: ......
Page 403: ...P A R T 2 Configuring Interfaces ...
Page 404: ......
Page 499: ...P A R T 2 Configuring Basic Settings ...
Page 500: ......
Page 533: ...P A R T 2 Configuring Objects and Access Lists ...
Page 534: ......
Page 601: ...P A R T 2 Configuring IP Routing ...
Page 602: ......
Page 745: ...P A R T 2 Configuring Network Address Translation ...
Page 746: ......
Page 845: ...P A R T 2 Configuring AAA Servers and the Local Database ...
Page 846: ......
Page 981: ...P A R T 2 Configuring Access Control ...
Page 982: ......
Page 1061: ...P A R T 2 Configuring Service Policies Using the Modular Policy Framework ...
Page 1062: ......
Page 1093: ...P A R T 2 Configuring Application Inspection ...
Page 1094: ......
Page 1191: ...P A R T 2 Configuring Unified Communications ...
Page 1192: ......
Page 1333: ...P A R T 2 Configuring Connection Settings and QoS ...
Page 1334: ......
Page 1379: ...P A R T 2 Configuring Advanced Network Protection ...
Page 1380: ......
Page 1475: ...P A R T 2 Configuring Modules ...
Page 1476: ......
Page 1549: ...P A R T 2 Configuring VPN ...
Page 1550: ......
Page 1965: ...P A R T 2 Configuring Logging SNMP and Smart Call Home ...
Page 1966: ......
Page 2059: ...P A R T 2 System Administration ...
Page 2060: ......
Page 2098: ...1 8 Cisco ASA Series CLI Configuration Guide Chapter 1 Troubleshooting Viewing the Coredump ...
Page 2099: ...P A R T 2 Reference ...
Page 2100: ......