Cisco TrustSec Security Group Firewall with ASA Lab Guide
EDCS-1224105

Developers and Lab Proctors
This lab is created by the SAMPG TME teams.

Lab Overview
This lab is designed to help attendees understand the basics of deploying Cisco TrustSec Security
Group Firewall (SGFW) with the Adaptive Security Appliance (ASA) and Identity Services Engine (ISE).
Lab participants should be able to complete the lab within the allotted time of 3 hours.

Lab Exercises
This lab guide includes the following exercises:
Part 1 Campus-to-DC SGFW Enforcement with ASA

Lab Exercise 1 : Campus-to-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 2 : Campus-to-DC Configure ASA to download Security Group table
Lab Exercise 3 : Campus-to-DC Configure SXP in Network Devices
Lab Exercise 4 : Campus-to-DC Source and Destination IP-SGT
Lab Exercise 5 : Campus-to-DC Use ASDM to interact with ASA TrustSec features

Part 2 Intra-DC SGFW Enforcement with ASA

Lab Exercise 6 : Intra-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 7 : Intra-DC Configure ASA to download Security Group table
Lab Exercise 8 : Intra-DC Configure SXP in Network Devices
Lab Exercise 9 : Intra-DC Source and Destination IP-SGT

TS_SGFW-ASA_Lab_Guide.docx, 9/13/13 10:10 PM US/Pacific

Product Overview
Cisco Secure Access and TrustSec is the Borderless Networks access control solution, providing
visibility into and control over the devices and users in the network.
Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform
that gathers real-time information from the network, users, and devices. ISE then uses this information
to make proactive governance decisions by enforcing policy across the network infrastructure using
built-in, standards-based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and
devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive
tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device
(BYOD), through policy-enabled services.

Lab Topology

Lab IP and VLANs

Internal IP Addresses

Device                          Name/Hostname                          IP Address
Access Switch (3560X)           3k-access.demo.local                   10.1.100.1
Data Center Switch (3560CG)     3k-data.demo.local                     10.1.129.3
Wireless LAN Controller (2504)  wlc.demo.local                         10.1.100.61
Wireless Access Point (2602i)   ap.demo.local                          10.1.90.x/24 (DHCP)
ASA (5515-X)                    asa.demo.local                         10.1.100.2
ISE Appliance                   ise-1.demo.local                       10.1.100.21
ISE Feed Server                 ise-feedserver.demo.local              10.1.100.41
AD (AD/CS/DNS/DHCP)             ad.demo.local                          10.1.100.10
NTP Server                      ntp.demo.local                         128.107.212.175
MobileIron                      mobileiron.demo.local                  10.1.100.15
Mail                            mail.demo.local                        10.1.100.40
LOB Web                         lob-web.demo.local                     10.1.129.12
                                portal.demo.local, updates.demo.local  10.1.129.8
                                business.demo.local                    10.1.129.9
                                it.demo.local                          10.1.129.10
                                records.demo.local                     10.1.129.11
LOB DB                          lob-db.demo.local                      10.1.129.20
Admin (Management) Client       admin.demo.local                       10.1.100.6
  (also FTP Server)             ftp.demo.local
Windows 7 Client PC             w7pc-guest.demo.local                  10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN  VLAN Name      IP Subnet      Description
10    ACCESS         10.1.10.0/24   Authenticated users or access network using ACLs
20    MACHINE        10.1.20.0/24   Microsoft machine-authenticated devices (L3 segmentation)
29    IC-ASA-ACCESS  10.1.29.0/24   Interconnect subnet between ASA and Access switch
30    QUARANTINE     10.1.30.0/24   Unauthenticated or non-compliant devices (L3 segmentation)
40    VOICE          10.1.40.0/24   Voice VLAN
50    GUEST          10.1.50.0/24   Network for authenticated and compliant guest users
90    AP             10.1.90.0/24   Wireless AP VLAN
100   Management     10.1.100.0/24  Network services (AAA, AD, DNS, DHCP, etc.)
129   WEB            10.1.129.0/24  Line-of-business Web servers
130   DB             10.1.130.0/24  Line-of-business Database servers

Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

Accounts and Passwords

Access To                        Account (username/password)
Access Switch (3560X)            admin / ISEisC00L
Data Center Switch (3560CG)      admin / ISEisC00L
Wireless LAN Controller (2504)   admin / ISEisC00L
ASA (5515-X)                     admin / ISEisC00L
ISE Appliances                   admin / ISEisC00L
AD (AD/CS/DNS/DHCP)              admin / ISEisC00L
Web Servers                      admin / ISEisC00L
Admin (Management) Client        admin / ISEisC00L
Windows 7 Client                 W7PC-guest\admin / ISEisC00L  (Local = W7PC-guest or W7PC-corp)
                                 DEMO\admin / ISEisC00L        (Domain = DEMO)
                                 DEMO\employee1 / ISEisC00L

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point
for access to all the other lab components.

Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD

Step 1  Launch the Remote Desktop application on your system.
  a. In the LabOps student portal, click on the Topology tab.
  b. Click on the Admin PC, and then click on the RDP Client option that appears.
  c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
     Login as admin / ISEisC00L.

Note: All lab configurations can be performed from the Admin PC.

Note: If the lab is manually delivered, the lab proctors will provide the access info.

Connect to ESXi Server and Virtual Machines

During the lab exercises, you may need to access and manage the computers running as virtual
machines.

Step 1  From the Admin client PC, click the VMware vSphere Client icon on the desktop.

Step 2  Once logged in, you will see a list of VMs that are available on your ESXi server.

Step 3  You have the ability to power on, power off, or open the console (view) these VMs. To do so,
        place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
        these options.

Step 4  To access the VM console, select Open Console from the drop-down.

Step 5  To login to a Windows VM, select Guest > Send Ctrl+Alt+Del from the VM Console menu.

Connect to Lab Devices

To access the command line interfaces (CLI) of the lab switches, ISE servers, and other devices using SSH:

Step 1  From the Admin client PC, right click on the PuTTY shortcut in the taskbar. Then, select
        SSH, Telnet and Rlogin client from the popup menu.

Step 2  If the device name is present in the saved sessions, double click on the saved session item
        that matches the device name (e.g., ise-1). If not, input the hostname or IP address of the
        desired device in Host Name (or IP address) and click Open.

Step 3  If prompted, click Yes to cache the server host key and to continue login. PuTTY shows the
        key fingerprint in that prompt; once cached, a later change of the key for the same host is
        reported as a warning, so only accept the prompt on the first connection to a device.

Step 4  Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions

Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the
Windows desktop of the Admin client PC. Verify that ping succeeds for all devices tested by the script.

Note: The ping test may fail for VMs that have not yet completed the boot process.

Basic ISE Configuration

Step 1  Access the ISE administrative web interface.
  At the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar:
  https://ise-1.demo.local/

  Note: Accept/Confirm any browser certificate warnings if present.

  Login with username admin and password ISEisC00L.

Step 2  Join to the Active Directory.
  a. Go to Administration > Identity Management > External Identity Sources.
  b. Pick Active Directory from the left-hand-side panel, and select ise-1 in the right-hand-side
     connection tab.
  c. Click Join with the AD domain admin credentials: administrator / ISEisC00L

  Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp
  and show clock to check whether the NTP service is working. The NTP service may be corrected by a
  reload of ise-1 or a reset of the VM. The join uses Kerberos, which rejects requests whose timestamp
  differs from the domain controller's clock by more than the domain's allowed skew (5 minutes by
  default), so ise-1 and ad.demo.local must agree on the time.

Step 3  Disable log collection suppression
  Starting from ISE 1.2, log suppression is on by default to reduce monitoring data storage. In order
  to see all log entries during troubleshooting, suppression can be disabled either globally or
  selectively per collection filter. In this lab, we will disable it globally, as shown in (a) below.
  a. Disable suppression globally
     i.   Go to Administration > System > Settings, expand Protocols, and select RADIUS.
     ii.  Uncheck the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful
          Authentications.
     iii. Click Save when done.
  b. (For reference only) Disable suppression per collection filter
     i.   Go to Administration > System > Logging, expand Collection Filters, and click Add for a
          new filter.
     ii.  Select an attribute from the drop-down menu.
     iii. Enter a value to match the attribute in (ii).
     iv.  Select Disable Suppression from the drop-down menu.
     v.   Click Submit.

Part 1: Campus-to-DC SGFW Enforcement with ASA

Logical Topology

Part 1 covers a common use case of using ASA to control network access from a campus network to a
data center network. The goal is to allow a specific group of users (LOB_web_users) in the campus to
reach the web sites inside the data center. ASA enforcement may be in either routed or transparent
mode, and in either single or multiple contexts. An ASA context in routed mode is presented here.

Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE

Exercise Description
This lab exercise covers the ISE configurations to prepare network devices for RADIUS
authentication and for retrieval of Cisco TrustSec environment data. It also provisions the
security groups for Campus-to-DC access control.

Exercise Objective
In this exercise, your goal is to configure ASA as a network device that receives Cisco TrustSec
environment data, in addition to the access-level switch and WLC. This includes completion of the
following tasks:
  Update the authority ID in EAP-FAST settings
  Verify the existing network devices 3k-access and wlc
  Add an ASA (context) as a new network device
  Create TrustSec security groups

Step 4  Access the ISE administrative web interface.
  a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar:
     https://ise-1.demo.local/

  Note: Accept/Confirm any browser certificate warnings if present.

  b. Login with username admin and password ISEisC00L. The ISE Dashboard should display. Navigate
     the interface using the multi-level menus.

Step 5  Update EAP-FAST A-ID
  a. Navigate to Administration > System > Settings. From there, go to Protocols > EAP-FAST >
     EAP-FAST Settings.
  b. In the text box next to Authority Identity Info Description, change the text to ise demo.
     This will appear as part of the PAC in later exercises. It should be a unique string that
     identifies the ISE deployment that distributes the PAC files.
  c. Click Save.

Step 6  Verify the Wireless LAN Controller configured as a Network Access Device in ISE
  a. Navigate to Administration > Network Resources > Network Devices
  b. Under Network Devices in the right-hand panel, select wlc.
  c. Check that this network device is pre-configured with the values shown in the following table:

     Attribute                 Value
     Name                      wlc
     Description
     IP Address                10.1.100.61 / 32
     Model Name
     Software Version
     Device Type               WLC
     Location                  GOLD-Lab
     Authentication Settings
       Protocol                RADIUS
       Shared Secret           ISEisC00L

  d. Update as needed and click Save when finished.

Step 7  Verify the access switch 3k-access configured as a Network Access Device in ISE
  a. Go back up to the Network Device List at Administration > Network Resources > Network Devices
     by clicking on its breadcrumb hyperlink.
  b. Under Network Devices in the right-hand panel, select 3k-access.
  c. Check that this network device is pre-configured with the values shown in the following table:

     Attribute                 Value
     Name                      3k-access
     Description
     IP Address                10.1.100.1 / 32
     Model Name
     Software Version
     Device Type               IOS-SW
     Location                  GOLD-Lab
     Authentication Settings
       Protocol                RADIUS
       Shared Secret           ISEisC00L

  d. Update as needed and click Save when finished.


Step 8  Add an ASA context cx-ent as a Network Access Device in ISE
  a. Go back up to the Network Device List at Administration > Network Resources > Network Devices
     by clicking on its breadcrumb hyperlink.
  b. In the toolbar area, click on the button Add and enter the values for the new device as shown
     in the following table:

     Attribute                                            Value
     Name                                                 cx-ent (see Note 1)
     Description
     IP Address                                           10.1.29.1 / 32
     Model Name
     Software Version
     Device Type                                          ASA
     Location                                             GOLD-Lab
     Advanced TrustSec Settings
       Device Authentication Settings
         Use Device ID for SGA
         Device Id                                        cx-ent
         Password                                         Anything (see Note 2)
       SGA Notifications and Updates
         Download environment data every                  1 Days
         Download peer authorization policy every         1 Days
         Reauthentication every                           1 Days
         Download SGACL lists every                       1 Days
         Other SGA devices to trust this device
         Notify this device about SGA configuration changes
       Device Configuration Deployment                    (None configured)
       Out Of Band (OOB) SGA PAC
         Issue Date
         Expiration Date
         Issue By
                                                          Generate PAC

  Note 1: The Name (Device ID) must be the same as the context name in ASA, which we will review in
  Lab Exercise 2. It is included in the PAC that the ASA uses to authenticate to ISE and retrieve the
  SG table.
  Note 2: The device password is not used because ASA supports only OOB PAC provisioning, but it needs
  to be a valid, non-empty string in order to save the NAD object.

  c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog box, input
     ISEisC00L as the Encryption Key.

     Identity           cx-ent
     Encryption Key     ISEisC00L
     PAC Time to Live   1 Years

  Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6). The PAC file
  is the credential that lets a device authenticate to ISE as cx-ent; the encryption key is the only
  thing protecting it on disk and in transit, so choose it as carefully as a password outside a lab.

  d. Click on Generate PAC. In the pop-up window Opening cx-ent.pac of the Firefox browser, click OK
     to accept the default Save File option to save the resulting pac file to the default Downloads
     folder.
  e. Click Submit when finished.
Step 9  Add Security Groups in ISE
  a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security Group
     Access > Security Groups.

  Note: ISE assigns SGT values automatically by default. To assign SGTs manually, go to Administration >
  System > Settings, select Security Group Access in the left-hand-side panel, and then select All tags
  are manually defined in the right panel.

  b. Add security group LOB_web_users
     i.   In the right panel, click Add.
     ii.  Input LOB_web_users into the Name field.
     iii. Submit to save this new security group with the assigned tag.
  c. Add security group LOB_web_servers
     i.   In the right panel, click Add.
     ii.  Input LOB_web_servers into the Name field.
     iii. Submit to save this new security group with the assigned tag.
  d. The resulting Name-SGT table shall be similar to below:

     Name              SGT (Dec / Hex)
     Unknown           0 / 0000
     LOB_web_users     2 / 0002
     LOB_web_servers   3 / 0003

You are now done preparing ISE for the ASA context to download the TrustSec environment data.

End of Exercise: You have successfully completed this exercise.

Proceed to next section.

Lab Exercise 2: Campus-to-DC Configure ASA to download Security Group table

Exercise Description
This exercise will show how to enable an ASA context to download the security group (name-to-tag)
table from ISE.

Exercise Objective
In this exercise, your goal is to work on a routed firewall context in ASA and configure it to
download the TrustSec Security Group table from ISE:
  Create an AAA server group to include ISE as the TrustSec server
  Import the EAP-FAST PAC generated from ISE
  Verify SG table download

Step 1  Use PuTTY to SSH to asa with the credentials admin / ISEisC00L

Step 2  At the prompt, enter the CLI command enable, then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3  Switch the context to cx-ent with the CLI command changeto context cx-ent
asa/cx-admin# changeto context cx-ent
asa/cx-ent#

Step 4  Review the running-config of the network interfaces and routing with the following CLI
        commands in exec mode:
show run interface
show run route

asa/cx-ent# show run interface
interface GigabitEthernet0/0
nameif campus
security-level 29
ip address 10.1.29.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif web
security-level 100
ip address 10.1.129.1 255.255.255.0
!
interface GigabitEthernet0/5
nameif internet
security-level 0
ip address n0.n1.n2.n3 255.255.255.128
asa/cx-ent# show run route
route internet 0.0.0.0 0.0.0.0 n0.n1.n2.129 1
route campus 10.1.0.0 255.255.128.0 10.1.29.2 1

Step 5  Create the AAA server group ts-ise, add ISE as the host, then designate it as the CTS server
        group with the following CLI commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (campus) host 10.1.100.21
authentication-port 1812
accounting-port 1813
cts server-group ts-ise

asa/cx-ent# configure terminal
asa/cx-ent(config)# aaa-server ts-ise protocol radius
asa/cx-ent(config-aaa-server-group)# aaa-server ts-ise (campus) host 10.1.100.21
asa/cx-ent(config-aaa-server-host)# authentication-port 1812
asa/cx-ent(config-aaa-server-host)# accounting-port 1813
asa/cx-ent(config-aaa-server-host)# cts server-group ts-ise
asa/cx-ent(config)# end
asa/cx-ent#

Note: No RADIUS shared secret (key) is entered on this host entry. For the CTS server group the ASA
takes the shared key from the PAC imported in Step 6, which is also why the NAD entry for cx-ent in ISE
has no RADIUS shared secret configured.

Step 6  On the admin PC, move the cx-ent.pac file from admin's Downloads folder to C:\inetpub\ftproot\
        on the admin PC. Then, import it into cx-ent:
cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L

asa/cx-ent# cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L
!PAC Imported Successfully
asa/cx-ent#

Note: FTP carries the file in the clear; the PAC contents are protected in transit only by the
encryption key chosen when it was generated. Once the import succeeds, delete cx-ent.pac from the FTP
root so the device credential is not left on a server that accepts anonymous logins.

Step 7  Verify the PAC, the environment data, and the SG table retrieved:
show cts pac
show cts environment-data
show cts environment-data sg-table

asa/cx-ent# show cts pac
PAC-Info:
  Valid until: Aug 25 2013 23:42:16
  AID:         0215c9b539f4f2f56a716ea5d4a04132
  I-ID:        cx-ent
  A-ID-Info:   ise demo
  PAC-type:    Cisco Trustsec
PAC-Opaque:
  000200b000030001000400100215c9b539f4f2f56a716ea5d4a0413200060094000301
  00f85bbc5db6fea2d861e26c8d708a717200000001503707f300093a8002ae211d90b7
  e2f4829d24eddfbf3c36b4d4766614463e7bb80ff5ee00532e0c725e0629da6652a518
  89d66396e9ffaedbc13481e328f423d82ba6f00e82944fa191e9c84c5c10da94a85b18
  c4cb60b1e6edcea331480164ab77a8dad7931a4d598c63b2672c3bb7b23028cdfd7965
  ae2ce0c4a1

Note: The initiator identifier (I-ID) is cx-ent and the A-ID-Info is ise demo. The A-ID-Info string is
the Authority Identity Info Description set in Lab Exercise 1 Step 5, and the I-ID is the Device ID of
the NAD created in Lab Exercise 1 Step 8. The A-ID hex value itself is generated by ISE, not typed by the
administrator. Check that Valid until lies in the future: the PAC Time to Live was set to 1 year when it
was generated, and an expired PAC must be regenerated in ISE and imported again before the ASA can
refresh its environment data.

asa/cx-ent# show cts environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          04:00:14 UTC Aug 27 2012
Env-data expires in:       0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:48:34 (dd:hr:mm:sec)

Note: If the download fails, check the ISE live log and the NAD configuration for ASA.
To refresh or retry the download, use this command:
cts refresh environment-data

asa/cx-ent# show cts environment-data sg-table

Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 4 of 4 entries
SG Name           SG Tag   Type
-------           ------   -------------
ANY               65535    unicast
LOB_web_servers   3        unicast
LOB_web_users     2        unicast
Unknown           0        unicast

Step 8  Check the ISE live authentication records for the SG table download by the ASA
  a. Switch to the ISE admin web interface in the Firefox browser on the admin PC
  b. Re-login as admin / ISEisC00L if the session has timed out
  c. Navigate to Operations > Authentications
     i.  Live log entries will be similar to below:

         Time   S   Identity       Endpoint ID   Event
         t-2        #CTSREQUEST#                 CTS Data Download Succeeded
         t-1        #CTSREQUEST#                 CTS Data Download Succeeded

     ii. The authentication results are in the tool-tip shown by hovering over the status column of
         each entry:

         Time t-1, Authentication Result:
         User-Name=#CTSREQUEST#
         State=ReauthSession:0a0164150000000050748C6D
         Class=CACS:0a0164150000000050748C6D:ise-1/139170756/1
         Termination-Action=RADIUS-Request
         cisco-av-pair=cts:server-list=CTSServerList1-0001
         cisco-av-pair=cts:security-group-tag=0000-00
         cisco-av-pair=cts:environment-data-expiry=86400
         cisco-av-pair=cts:security-group-table=0001-4

         Time t-2, Authentication Result:
         User-Name=#CTSREQUEST#
         State=ReauthSession:0a0164150000000150748C6D
         Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
         Termination-Action=RADIUS-Request
         cisco-av-pair=cts:security-group-table=0001-4
         cisco-av-pair=cts:security-group-info=0-0-00-Unknown
         cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
         cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
         cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers

This ASA context cx-ent now has the name-to-tag mapping of the TrustSec security groups. We will use it
in an ACL in later exercises.
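The av-pairs in the tool-tip above are the whole environment-data download in text form, and the ASA's
sg-table is what the context ended up holding. The following added example (Python, written for this
guide; it is not Cisco code and not part of the original lab) parses both captures and reports any group
that ISE sent but the ASA lacks, or whose tag differs. It assumes the value of cts:security-group-info
has the shape <tag-hex>-<field>-<field>-<name>: the first field being the SGT in hex and the last the
group name is confirmed by the outputs on this page (ffff is the 65535 of ANY), while the two middle
fields are carried through undecoded. Likewise the count in cts:security-group-table=<gen>-<count> is
taken from the second field only. The sample inputs are this exercise's own outputs embedded as
constructed strings.

```python
"""Decode ISE CTS environment-data av-pairs and cross-check them against the
ASA's 'show cts environment-data sg-table'.

Added example for this lab guide, not Cisco code. Assumed field layout:
  cisco-av-pair=cts:security-group-info=<tag-hex>-<field>-<field>-<name>
  cisco-av-pair=cts:security-group-table=<gen>-<count>
Only the tag (hex), the name and the count are decoded.
"""
import re

# Constructed sample: the t-2 tool-tip from Lab Exercise 2 Step 8, copied verbatim.
ISE_TOOLTIP = """\
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000150748C6D
Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-table=0001-4
cisco-av-pair=cts:security-group-info=0-0-00-Unknown
cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers
"""

# Constructed sample: the ASA sg-table output from Lab Exercise 2 Step 7.
ASA_SG_TABLE = """\
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 4 of 4 entries
SG Name           SG Tag   Type
-------           ------   -------------
ANY               65535    unicast
LOB_web_servers   3        unicast
LOB_web_users     2        unicast
Unknown           0        unicast
"""

AVP_RE = re.compile(r"^cisco-av-pair=cts:([a-z-]+)=(.*)$")
SG_INFO_RE = re.compile(r"^([0-9a-fA-F]+)-([^-]+)-([^-]+)-(.+)$")


def parse_ise_avpairs(text):
    """Return (declared_count, {name: tag}) from the CTS av-pairs of one tool-tip."""
    declared = None
    table = {}
    for line in text.splitlines():
        m = AVP_RE.match(line.strip())
        if not m:
            continue  # State, Class, User-Name and non-CTS pairs are not needed
        key, value = m.groups()
        if key == "security-group-table":
            declared = int(value.split("-")[1])  # number of entries announced
        elif key == "security-group-info":
            sg = SG_INFO_RE.match(value)
            if not sg:
                raise ValueError("unrecognised security-group-info: %r" % value)
            tag_hex, _field1, _field2, name = sg.groups()
            table[name] = int(tag_hex, 16)  # ffff -> 65535 (ANY)
    return declared, table


def parse_asa_sg_table(text):
    """Return {name: tag} from 'show cts environment-data sg-table' output."""
    table = {}
    in_rows = False
    for line in text.splitlines():
        if line.startswith("-------"):
            in_rows = True  # rows follow the dashed header line
            continue
        parts = line.split()
        if not in_rows or len(parts) != 3:
            continue  # skip blanks, banner lines and a trailing prompt
        name, tag, _type = parts
        table[name] = int(tag)
    return table


def check_consistency(ise_text, asa_text):
    """Return a list of problems; an empty list means ISE and the ASA agree."""
    declared, ise = parse_ise_avpairs(ise_text)
    asa = parse_asa_sg_table(asa_text)
    problems = []
    if declared is not None and declared != len(ise):
        problems.append("ISE announced %d entries but sent %d" % (declared, len(ise)))
    for name in sorted(set(ise) | set(asa)):
        if name not in asa:
            problems.append("missing on ASA: %s" % name)
        elif name not in ise:
            problems.append("not sent by ISE: %s" % name)
        elif ise[name] != asa[name]:
            problems.append("tag mismatch for %s: ISE %d, ASA %d"
                            % (name, ise[name], asa[name]))
    return problems


if __name__ == "__main__":
    for line in check_consistency(ISE_TOOLTIP, ASA_SG_TABLE) or ["SG tables agree"]:
        print(line)
```

Paste a real tool-tip and a real sg-table capture into the two strings to check a live deployment; a
"tag mismatch" or "missing on ASA" line means the context is still holding an older environment-data
download and cts refresh environment-data should be run before any security-group ACL is trusted.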

End of Exercise: You have successfully completed this exercise.


Proceed to next section.


Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices

Exercise Description
Currently ASA is not capable of in-line security group tagging. Instead, it supports the SGT Exchange
Protocol (SXP) and can learn security group tags as an SXP listener. In this exercise you will
establish SXP connections between the ASA context cx-ent and its three peers: 3k-access, 3k-data,
and wlc.

Exercise Objective
In this exercise, your goal is to complete the following tasks:
  Configure ASA context cx-ent as the SXP listener to peer with three other network devices
  Configure 3k-access as the SXP peer for the ASA context cx-ent
  Configure 3k-data as the SXP peer for the ASA context cx-ent
  Load wlc with a configuration file and configure it as the SXP peer for the ASA context cx-ent

Step 1  Configure ASA context cx-ent as the SXP listener
  a. Back in the SSH session to the security context cx-ent on asa, provision the SXP connectivity
     with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.2 3k-access SVI for VLAN 29
cts sxp connection peer 10.1.29.2 password default mode local listener
! peer 10.1.129.3 3k-data SVI for management
cts sxp connection peer 10.1.129.3 password default mode local listener
! peer 10.1.100.61 WLC management IP
cts sxp connection peer 10.1.100.61 password default mode local listener
! enable SXP
cts sxp enable

asa/cx-ent# configure terminal
asa/cx-ent(config)# cts sxp default password ISEisC00L
asa/cx-ent(config)# cts sxp conn peer 10.1.29.2 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.100.61 password default mode local listener
asa/cx-ent(config)# cts sxp enable
asa/cx-ent(config)# end
asa/cx-ent#

Note: The SXP password is the key for TCP MD5 authentication (RFC 2385) of the SXP session on TCP
port 64999. It authenticates the peer and rejects spoofed segments, but it does not encrypt the IP-SGT
mappings; the same default password must be configured on both ends of every connection.

Step 2  Configure SXP on 3k-access
  a. Use PuTTY to SSH to 3k-access as admin / ISEisC00L
  b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.1 asa/cx-ent campus IP
cts sxp connection peer 10.1.29.1 password default mode local
! enable SXP
cts sxp enable

3k-access# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#cts sxp default password ISEisC00L
3k-access(config)#cts sxp conn peer 10.1.29.1 password default mode local
3k-access(config)#cts sxp enable
3k-access(config)#end
3k-access#

  c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief

3k-access# show cts sxp connections brief
SXP              : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.29.1        10.1.29.2        On                3:10:28:54 (dd:hr:mm:sec)
Total num of SXP Connections = 1
3k-access#

Step 3  Configure SXP on 3k-data
  a. Use PuTTY to SSH to 3k-data as admin / ISEisC00L
  b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.1 asa/cx-ent web IP
cts sxp connection peer 10.1.129.1 password default mode local
! enable SXP
cts sxp enable

3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts sxp default password ISEisC00L
3k-data(config)#cts sxp conn peer 10.1.129.1 password default mode local
3k-data(config)#cts sxp enable
3k-data(config)#end
3k-data#

  c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief

3k-data# show cts sxp connections brief
SXP              : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On                3:10:35:23 (dd:hr:mm:sec)
Total num of SXP Connections = 1
3k-data#

Step 4  Load the WLC configuration for the lab
  a. Login to the WLC web interface https://wlc.demo.local as admin / ISEisC00L
  b. Navigate to the top menu COMMANDS. Then, choose Download File from the left panel.
  c. In the Download file to Controller page, fill in the form as below:

     File Type                      Configuration
     Configuration File Encryption  (unchecked)
     Transfer Mode                  FTP
     Server Details
       IP Address                   10.1.100.6
       File Path                    /
       File Name                    p##-wlc-sgfw.txt
       Server Login Username        ftp
       Server Login Password        ftp
       Server Port Number           21

  Note: The ## in p##-wlc-sgfw.txt is to be replaced with the assigned 2-digit pod number; e.g.
  p02-wlc-sgfw.txt for pod 02.

  d. Click on the button Download to start the file transfer.
  e. Wait for the transfer and reset to complete.

  Note: The WLC will reset after downloading a configuration from an external file server. During the
  reset, use ping -t wlc to monitor.
Step 5  Configure SXP on WLC
  a. Use PuTTY to SSH to wlc as admin / ISEisC00L
  b. Provision the SXP connectivity with the following CLI commands:
! set SXP default password
config cts sxp default password ISEisC00L
! peer 10.1.29.1 asa/cx-ent campus IP
config cts sxp connection peer 10.1.29.1
! enable SXP
config cts sxp enable

(Cisco Controller)
User: admin
Password: ISEisC00L
(Cisco Controller) >config cts sxp default password ISEisC00L
(Cisco Controller) >config cts sxp conn peer 10.1.29.1
(Cisco Controller) >config cts sxp enable
(Cisco Controller) >

  Note: For configuring SXP via the WLC web UI, see the WLC Configuration Guide:
  http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0111111.html#ID4849

  c. Verify the SXP connectivity with the following CLI commands:
show cts sxp summary
show cts sxp connections

(Cisco Controller) >show cts sxp summary

Total num of SXP Connections..................... 1
SXP State........................................ Enable
SXP Mode......................................... Speaker
SXP Version...................................... 2
Default Password................................. ****
Default Source IP................................ 10.1.100.61
Connection retry open period .................... 120

(Cisco Controller) >show cts sxp connections

Total num of SXP Connections..................... 1
SXP State........................................ Enable
Peer IP          Source IP        Connection Status
---------------------------------------------
10.1.29.1        10.1.100.61      On

Step 6  Verify the SXP peering status on ASA
  a. Back in the SSH session to the security context cx-ent on asa, verify the SXP connectivity with
     the following CLI command in exec mode:
show cts sxp connections brief

asa/cx-ent# show cts sxp connections brief
SXP               : Enabled
Highest version   : 2
Default password  : Set
Default local IP  : Not Set
Reconcile period  : 120 secs
Retry open period : 120 secs
Retry open timer  : Running
Total number of SXP connections: 3
Total number of SXP connections shown: 3
---------------------------------------------------------------------------
Peer IP          Local IP         Conn Status      Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------
10.1.29.2        10.1.29.1        On               0:00:02:24
10.1.100.61      10.1.29.1        On               0:00:27:29
10.1.129.3       10.1.129.1       On               0:00:00:24
asa/cx-ent#

Note: If the connection status with the wlc does not become On after a long wait, it may be due to a
known defect in WLC 7.2 and 7.3, CSCtx92968 (WLC SXP peering with ASA after a long, random delay). The
workaround is to toggle the SXP status off then on, or to delete and re-create the peer on the wlc.

This ASA context has now peered with three other network devices and will receive the IP-SGT mappings
from them.
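The three show outputs in this exercise are the only evidence that the listener is actually receiving
mappings from every speaker, and the WLC defect above shows why "configured" is not the same as "On".
The following added example (Python, written for this guide; it is not Cisco code and not part of the
original lab) parses the ASA and IOS forms of show cts sxp connections brief shown above and lists every
expected peer that is absent or not in state On, plus any peer that was not expected. The two sample
captures are this exercise's own outputs embedded as constructed strings; the column names are the ones
the page shows (Peer IP / Local IP on ASA, Peer_IP / Source_IP on IOS), and the WLC's dotted-line
format is not handled.

```python
"""Check SXP peering from 'show cts sxp connections brief' output.

Added example for this lab guide, not Cisco code. Handles the ASA and IOS
output formats shown in Lab Exercise 3; the WLC format is not parsed.
"""
import re

# Constructed sample: ASA output from Step 6, copied verbatim.
ASA_OUTPUT = """\
SXP               : Enabled
Highest version   : 2
Default password  : Set
Default local IP  : Not Set
Reconcile period  : 120 secs
Retry open period : 120 secs
Retry open timer  : Running
Total number of SXP connections: 3
Total number of SXP connections shown: 3
---------------------------------------------------------------------------
Peer IP          Local IP         Conn Status      Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------
10.1.29.2        10.1.29.1        On               0:00:02:24
10.1.100.61      10.1.29.1        On               0:00:27:29
10.1.129.3       10.1.129.1       On               0:00:00:24
"""

# Constructed sample: 3k-access output from Step 2 (IOS column names differ).
IOS_OUTPUT = """\
SXP              : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.29.1        10.1.29.2        On                3:10:28:54 (dd:hr:mm:sec)
Total num of SXP Connections = 1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A connection row on either platform: peer IP, local/source IP, status, duration.
ROW_RE = re.compile(r"^\s*(%s)\s+(%s)\s+(\S+)\s+(\S+)" % (IPV4, IPV4))
# The global state line, "SXP : Enabled" on both platforms.
SXP_STATE_RE = re.compile(r"^SXP\s*:\s*(\w+)", re.IGNORECASE)


def parse_sxp_brief(text):
    """Return (sxp_enabled, {peer_ip: (local_ip, status, duration)})."""
    enabled = False
    peers = {}
    for line in text.splitlines():
        m = SXP_STATE_RE.match(line)
        if m:
            enabled = m.group(1).lower() == "enabled"
            continue
        m = ROW_RE.match(line)
        if m:  # header and timer lines carry no pair of IPs, so never match
            peer, local, status, duration = m.groups()
            peers[peer] = (local, status, duration)
    return enabled, peers


def sxp_problems(text, expected_peers):
    """List what is wrong with the peering; empty means every expected peer is On."""
    enabled, peers = parse_sxp_brief(text)
    problems = []
    if not enabled:
        problems.append("SXP is not enabled")
    for peer in expected_peers:
        if peer not in peers:
            problems.append("no connection configured to %s" % peer)
        elif peers[peer][1] != "On":
            problems.append("peer %s is %s" % (peer, peers[peer][1]))
    for peer in peers:  # a peer nobody planned is worth a look on a listener
        if peer not in expected_peers:
            problems.append("unexpected peer %s" % peer)
    return problems


if __name__ == "__main__":
    asa_expected = ["10.1.29.2", "10.1.129.3", "10.1.100.61"]
    print(sxp_problems(ASA_OUTPUT, asa_expected) or ["ASA: all three peers On"])
    print(sxp_problems(IOS_OUTPUT, ["10.1.29.1"]) or ["3k-access: peer On"])
```

Run it against fresh captures after Step 6; on the listener side the unexpected-peer line matters as
much as a missing one, because a speaker the ASA was not meant to trust can inject IP-SGT mappings that
the security-group ACLs of the later exercises will act on.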

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT

Exercise Description
This exercise shows the ASA context cx-ent receiving IP-SGT mappings from its three SXP peers and using them in an ACL.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure ISE to use security groups in the authorization policy.
Provision static IP-SGT bindings on 3k-data.
Configure an ASA ACL with security groups.

Step 1

Access the ISE administrative web interface

a. Use Firefox on the admin PC and log in to https://ise-1.demo.local as admin / ISEisC00L

Step 2

Join to the Active Directory.

a. Go to Administration > Identity Management > External Identity Sources.
b. Pick Active Directory from the left-hand-side panel.
c. Select ise-1 in the right-hand-side Connection tab.
d. If the status is Not Joined to Domain, click Join with the AD domain admin credential admin / ISEisC00L and click OK.

Wait for the operation status to turn Completed before clicking Close to close the pop-up.

Step 3

Add AD Group LOB_web_users

a. Stay in Active Directory, then click on the tab Groups.
b. Click on Add and Select Group From Directory from the drop-down menu.
c. In the pop-up window Select Directory Groups, use LOB* as the filter and click on Retrieve Groups.
d. Put a check mark on the item demo.local/HCC/Groups/LOB_web_users and click OK.
e. Click Save Configuration so the external group is made available in the ActiveDirectory system dictionary.


Step 4

Review the pre-configured authentication policy under Policy > Authentication as summarized below. (In the original table, the elements changed from the ISE defaults are highlighted in yellow.) The three options listed after each identity source are ISE's "If authentication failed / If user not found / If process failed" actions.

Name                        Condition                            Protocols                               Identity Source             Options
MAB                         IF Wired_MAB OR Wireless_MAB         allow protocols HostLookup              and use Internal Endpoints  Reject / Continue / Drop
Dot1X                       IF Wired_802.1X OR Wireless_802.1X   allow protocols PEAP-MSCHAPv2-o-TLS
  EAP-TLS                   IF EAP-TLS                                                                   and use certAuthSCN         Reject / Reject / Drop
  Default                                                                                                and use demoAD              Reject / Reject / Drop
Default Rule (if no match)                                       allow protocols Default Network Access  and use DenyAccess          Reject / Reject / Drop

Step 5

Update Authorization Policy to return security group tags.

Note: We start with a set of preconfigured authorization rules for DOT1X and MAB, and then apply security group tags on top of them.

a. Navigate to Policy > Authorization
b. For the rule demoAD access:
   i. Rule Name: append LOB_web_users
   ii. Other Conditions: insert a new Attribute/Value condition such that
       the attribute is demoAD:ExternalGroups,
       the operator is Equals, and
       the right-hand-side value (drop-down) is demo.local/HCC/Groups/LOB_web_users
   iii. Permissions: add the security group LOB_web_users.
Note: LOB_web_users is one of the security groups created in Lab Exercise 1 Step 6.

Rule Name                     Identity Groups             Other Conditions                                            Permissions
Wireless Black List Default   Blacklist                   Wireless_Access                                             Blackhole_Wireless_Access
Profiled Cisco IP Phones      Cisco-IP-Phone                                                                          Cisco_IP_Phones
Profiled Non Cisco IP Phones  Non_Cisco_Profiled_Phones                                                               Non_Cisco_IP_Phones
demoAD access LOB_web_users   Any                         Network Access:AuthenticationIdentityStore EQUALS demoAD    PermitAll AND LOB_web_users
                                                          AND demoAD:ExternalGroups EQUALS
                                                          demo.local/HCC/Groups/LOB_web_users
guest access                  Guest OR ActivatedGuest                                                                 PermitInternet
Wireless MAB                  Any                         Wireless_MAB                                                wlcCWA-noNSP
Wired MAB                     Any                         Wired_MAB                                                   wiredCWA-noNSP
Default                       (no matches)                                                                            DenyAccess

c. Click Save once all the changes are done.


ISE is now configured to return the security group tag LOB_web_users when the authorization rule demoAD access LOB_web_users is matched.

Step 6

Configure static IP-SGT bindings for the servers on 3k-data


a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the IP-SGT with the following CLI commands in configuration mode:
! map web server ip addresses to SG LOB_web_servers (tag=3)
! Only 10.1.129.12 (web) is used in the test. The others are optional.
cts role-based sgt-map 10.1.129.8 sgt 3
cts role-based sgt-map 10.1.129.9 sgt 3
cts role-based sgt-map 10.1.129.10 sgt 3
cts role-based sgt-map 10.1.129.11 sgt 3
cts role-based sgt-map 10.1.129.12 sgt 3
3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts role-based sgt-map 10.1.129.8 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.9 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.10 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.11 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.12 sgt 3
3k-data(config)#end
3k-data#

Note: To verify the configured SGT map, issue EXEC mode CLI
show cts role-based sgt-map all

Step 7

Configure ACL on ASA context cx-ent

a. Back in the SSH session to the context cx-ent of ASA, add an ACL and apply it to the interface campus with the following CLI commands in configuration mode:

! The 1st ACE below is all on one line. (optionally) log so it shows in the logging.
access-list campus_in extended permit tcp security-group name LOB_web_users any security-group name LOB_web_servers any eq www log
! Allow management VLAN
access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
! Block other campus VLANs to DC
access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
! Allow all others (Internet/DMZ)
access-list campus_in extended permit ip any any
! Apply it to campus
access-group campus_in in interface campus
asa/cx-ent# configure terminal
asa/cx-ent(config)# access-list campus_in extended permit tcp security-group name LOB_web_users any security-group name LOB_web_servers any eq www log
asa/cx-ent(config)# access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
asa/cx-ent(config)# access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
asa/cx-ent(config)# access-list campus_in extended permit ip any any
asa/cx-ent(config)# access-group campus_in in interface campus
asa/cx-ent(config)# end
asa/cx-ent#

Note: Order matters. The security-group ACE must precede the campus-to-DC deny, and a campus host whose IP has no SGT binding in the ASA's IP-SGT table cannot match that ACE, so its traffic to the DC falls through to the deny; only the management VLAN is exempted, by address.

b. Verify the SG name-to-tag mapping with the following CLI command:

show access-list campus_in
asa/cx-ent# show access-list campus_in
access-list campus_in; 4 elements; name hash: 0x8fb64f40
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=0)
...
asa/cx-ent#
Note: LOB_web_users and LOB_web_servers are mapped into tag numbers.

c. Configure buffered logging to see ACE hits in later steps.


logging buffered informational
logging timestamp
logging enable

asa/cx-ent# configure terminal


asa/cx-ent(config)# logging buffered informational
asa/cx-ent(config)# logging timestamp
asa/cx-ent(config)# logging enable
asa/cx-ent(config)# end
asa/cx-ent#
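The ACL above is evaluated top-down, first match, and a security-group criterion only matches when the packet's address resolves to that tag in the ASA's IP-SGT table. The following Python model, added here as an example and not part of the original guide or Cisco's code, parses the four ACEs exactly as typed above, resolves SGTs from a constructed IP-SGT table (the static bindings from Step 6 plus the endpoint 10.1.50.201 seen later in Step 8), and reports which line a given flow hits. SG names and tags are the ones the guide's sg-table shows; a host without a binding is modeled as Unknown (tag 0), an assumption marked in the code.

```python
"""Model of how the ASA evaluates the security-group ACL campus_in.
Added example, not Cisco code: first-match ACE evaluation with security-group
criteria, so the effect of a missing IP-SGT binding can be seen offline."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Name-to-tag table as downloaded from ISE (values from the guide's sg-table output).
SG_TABLE = {"ANY": 65535, "Unknown": 0, "LOB_web_users": 2,
            "LOB_web_servers": 3, "LOB_db_servers": 4}
PORT_NAMES = {"www": 80, "https": 443}
# Constructed IP-SGT bindings, as cx-ent learns them over SXP.
IP_SGT = {"10.1.50.201": 2, "10.1.129.20": 4,
          **{f"10.1.129.{h}": 3 for h in range(8, 13)}}


@dataclass
class Ace:
    action: str
    proto: str
    src_sg: Optional[int]
    src_net: ipaddress.IPv4Network
    dst_sg: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse the subset of 'access-list NAME extended ...' syntax used in this guide."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = tok[3], tok[4]
    pos = 5

    def sg_and_addr():
        nonlocal pos
        sg = None
        if tok[pos] == "security-group":          # "name X" or "tag N"
            sg = SG_TABLE[tok[pos + 2]] if tok[pos + 1] == "name" else int(tok[pos + 2])
            pos += 3
        if tok[pos] == "any":
            net, pos = ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
        elif tok[pos] == "host":
            net, pos = ipaddress.IPv4Network(tok[pos + 1] + "/32"), pos + 2
        else:                                     # "A.B.C.D M.M.M.M"
            net, pos = ipaddress.IPv4Network(f"{tok[pos]}/{tok[pos + 1]}"), pos + 2
        return sg, net

    src_sg, src_net = sg_and_addr()
    dst_sg, dst_net = sg_and_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return Ace(action, proto, src_sg, src_net, dst_sg, dst_net, dport)


def sgt_of(ip: str) -> int:
    # The ASA resolves the SGT from its IP-SGT table; a host with no binding is
    # modeled here (assumption) as Unknown (0), so it cannot satisfy an ACE that
    # names a real security group.
    return IP_SGT.get(ip, SG_TABLE["Unknown"])


def ace_matches(ace: Ace, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    return (ace.proto in ("ip", proto)
            and ace.src_sg in (None, sgt_of(src))
            and ace.dst_sg in (None, sgt_of(dst))
            and ipaddress.IPv4Address(src) in ace.src_net
            and ipaddress.IPv4Address(dst) in ace.dst_net
            and ace.dst_port in (None, dport))


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First matching ACE wins; returns (action, line number), line 0 = implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, src, dst, proto, dport):
            return ace.action, n
    return "deny", 0


CAMPUS_IN = [parse_ace(l) for l in (
    "access-list campus_in extended permit tcp security-group name LOB_web_users any "
    "security-group name LOB_web_servers any eq www log",
    "access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any",
    "access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0",
    "access-list campus_in extended permit ip any any",
)]

if __name__ == "__main__":
    for src, dst, port in (("10.1.50.201", "10.1.129.12", 80),   # tagged user -> web: line 1
                           ("10.1.50.202", "10.1.129.12", 80),   # no binding: falls to deny, line 3
                           ("10.1.50.201", "10.1.129.12", 443)):  # wrong port: deny, line 3
        print(src, "->", dst, port, evaluate(CAMPUS_IN, src, dst, "tcp", port))
```

The second flow is the case the note above warns about: an endpoint that authenticated but whose binding never reached the ASA is indistinguishable, for this ACL, from an untagged campus host.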

Step 8

Test Wired access on w7pc-guest

a. Launch the VMware client to connect to the VMware host for the pod.
b. Power on p##-w7pc-guest, if off.

Note: The ## in p##-w7pc-guest is the assigned 2-digit pod number; e.g. p22-w7pc-guest for pod 22.

c. Access the console via the VMware client.
d. Log in to Windows as admin / ISEisC00L
e. On w7pc-guest, double click on the desktop short-cut w7pc-guest Network Connections. Then, enable the w7pc-guest-wired connection by double-clicking on the icon.
f. Establish the wired connection: ssh to 3k-access and issue no shutdown on the switch interface g0/1. Wait for the 802.1X authentication to time out (~2 minutes) and fail over to MAB.

3k-access# show auth session
Interface   MAC Address      Method   Domain   Status          Session ID
Gi0/1       0010.1888.27cc   mab      DATA     Authz Success   0A01FA02000000060F952EE8
3k-access#

g. On w7pc-guest, launch the Mozilla Firefox browser and browse to http://web.demo.local. This shall redirect to the ISE Guest Portal.
Note: Accept/Confirm any browser certificate warnings or AUP (acceptable use policy) if present.

h. Once the guest portal login is displayed, log in as employee1 / ISEisC00L

i. After a successful guest login, reattempt access to http://web.demo.local. In the pop-up Authentication Required dialog box, enter admin / ISEisC00L as the web credential and hit OK.

Note: Stop once the login page of CTS DB Test is visible. We will log in to the test DB in the second part of the lab.

j. Review the ISE live log

i. Navigate to Operations > Authentications. LOB_web_users is applied after the guest has authenticated, as shown in the sample entries below (newest first):

Time   Identity             Endpoint ID          AuthZ Profiles                      Event          Session ID
t-4    employee1            nn:nn:nn:nn:nn:nn    PERMIT_ALL_TRAFFIC,LOB_web_users    Auth           nnnn
t-3                         nn:nn:nn:nn:nn:nn                                        Dynamic Auth
t-2    employee1            nn:nn:nn:nn:nn:nn                                        Guest Auth     nnnn
t-1    nn:nn:nn:nn:nn:nn    nn:nn:nn:nn:nn:nn    Wired_CWA                           Auth           nnnn

ii. Hover over the status icon at time t-4 to see the authentication detail in the tool-tip. For example,
User-Name=employee1
...
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-tag:0002-0
cisco-av-pair=profile-name=Windows7-Workstation

Note: The value 0002-0 is the SGT in hexadecimal (0002 = LOB_web_users) followed by the tag's generation ID; this is the attribute the switch turns into the LOCAL binding checked next.

k. Check the sgt-map on 3k-access by CLI

show cts role-based sgt-map all

3k-access# show cts role-based sgt-map all

Active IP-SGT Bindings Information
IP Address      SGT   Source
============================================
10.1.50.201     2     LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1
3k-access#
Note: 10.1.50.201 is the endpoint IP and may vary depending on the VLAN and DHCP assignments.

l. Check the hit counts of the ASA access-list

The ASA will show the hit count (hitcnt) increasing for the matched entry.

asa/cx-ent# show access-list campus_in
...
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=6) 0x12947da7
...
asa/cx-ent# show logging | inc campus_in
...
%ASA-6-106100: access-list campus_in permitted tcp campus/10.1.10.101(50184)(2:LOB_web_users) -> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x12947da7, 0x0]
...
Note: As the logging buffer is limited, show logging might not give any matches if done a few minutes after the web access on the endpoint. The (tag:name) annotations on both addresses are the SGTs the ASA resolved for the flow.

m. Verify the IP-SGT bindings on the ASA that are learnt from all its peers, in both the control plane and the Accelerated Security Path (ASP, the data path that the ACL lookup actually uses):
show cts sgt-map (control plane command)
show asp table cts sgt-map (data path command)

asa/cx-ent# show cts sgt-map

Active IP-SGT Bindings Information
IP Address      SGT   Source
================================================================
10.1.50.201     2     SXP
10.1.129.8      3     SXP
...
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 6
Total number of active bindings = 6
Total number of shown bindings = 6
asa/cx-ent# show asp table cts sgt-map
IP Address      SGT
==============================================
10.1.129.8      3:LOB_web_servers
...
10.1.50.201     2:LOB_web_users
Total number of entries shown = 6

n. Verify the IP-SGT bindings on the ASA that are propagated via SXP

show cts sxp sgt-map detail
asa/cx-ent# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 6
Total number of IP-SGT mappings shown: 6
SGT     : 3:LOB_web_servers
IPv4    : 10.1.129.8
Peer IP : 10.1.129.3
Ins Num : 1
Status  : Active
...
SGT     : 2:LOB_web_users
IPv4    : 10.1.50.201
Peer IP : 10.1.29.2
Ins Num : 1
Status  : Active
asa/cx-ent#

o. Leave w7pc-guest powered on. We will continue using it in later exercises.
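The control-plane table (show cts sgt-map) and the data-path table (show asp table cts sgt-map) in step m should agree, and it is the data path that classifies packets, so a binding present only in the control plane is not enforced yet. The following Python, added as an example rather than code from the guide or Cisco, parses both outputs in the format shown here (and again in Exercise 9 Step 3 g) and reports bindings that are missing or mis-tagged in the data path. The input texts are constructed samples with two deliberate discrepancies, and check_expected is a hypothetical helper for asserting the bindings a policy depends on.

```python
"""Compare the ASA control-plane IP-SGT table with the data-path (ASP) table.
Added example, not Cisco code. Inputs are constructed samples in the format of
the guide's 'show cts sgt-map' and 'show asp table cts sgt-map' output."""
import re

CP_TEXT = """\
Active IP-SGT Bindings Information
IP Address      SGT   Source
================================================================
10.1.50.201     2     SXP
10.1.129.8      3     SXP
10.1.129.9      3     SXP
10.1.129.12     3     SXP
10.1.129.20     4     SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 5
Total number of active bindings = 5
Total number of shown bindings = 5
"""

# Constructed: 10.1.129.20 has not reached the data path yet, and 10.1.129.9
# still carries a stale tag there.
DP_TEXT = """\
IP Address      SGT
==============================================
10.1.50.201     2:LOB_web_users
10.1.129.8      3:LOB_web_servers
10.1.129.9      0:Unknown
10.1.129.12     3:LOB_web_servers
Total number of entries shown = 4
"""

_IP = r"(\d+\.\d+\.\d+\.\d+)"
CP_RE = re.compile(r"^" + _IP + r"\s+(\d+)\s+(\S+)\s*$", re.M)   # ip  sgt  source
DP_RE = re.compile(r"^" + _IP + r"\s+(\d+):(\S+)\s*$", re.M)     # ip  sgt:name


def _ipkey(ip):
    return tuple(int(o) for o in ip.split("."))


def parse_control_plane(text):
    """ip -> (sgt, source) from 'show cts sgt-map'."""
    return {ip: (int(sgt), src) for ip,  sgt, src in CP_RE.findall(text)}


def parse_data_path(text):
    """ip -> (sgt, name) from 'show asp table cts sgt-map'."""
    return {ip: (int(sgt), name) for ip, sgt, name in DP_RE.findall(text)}


def diff_tables(cp, dp):
    """(ip, problem, control-plane tag, data-path tag) for every disagreement."""
    findings = []
    for ip in sorted(cp, key=_ipkey):
        sgt = cp[ip][0]
        if ip not in dp:
            findings.append((ip, "missing in data path", sgt, None))
        elif dp[ip][0] != sgt:
            findings.append((ip, "tag mismatch", sgt, dp[ip][0]))
    for ip in sorted(set(dp) - set(cp), key=_ipkey):
        findings.append((ip, "stale entry in data path", None, dp[ip][0]))
    return findings


def check_expected(dp, expected):
    """Hosts whose data-path tag differs from the tag the ACL relies on (None = absent)."""
    return {ip: dp.get(ip, (None,))[0]
            for ip, tag in expected.items() if dp.get(ip, (None,))[0] != tag}


if __name__ == "__main__":
    cp, dp = parse_control_plane(CP_TEXT), parse_data_path(DP_TEXT)
    for finding in diff_tables(cp, dp):
        print(*finding)
    # the two servers the lab ACLs depend on, with the tags they must carry
    print(check_expected(dp, {"10.1.129.12": 3, "10.1.129.20": 4}))
```

Run against a real capture, the two show commands are pasted into CP_TEXT and DP_TEXT; an empty findings list is the condition under which a hitcnt of 0 on a security-group ACE really means no matching traffic rather than a tagging gap.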

Step 9

(Optional) Test Wireless access on iPad

a. Enable WLAN n-p##-TS-OPEN on wlc
   i. Use putty and open an ssh session to wlc
   ii. Issue the following CLI command:
   config wlan enable 10

b. Click on the short-cut vnc-to-ipad on the taskbar to start a VNC session to the iPad.
c. Press any key to continue, once prompted to do so.

Tips on controlling the iPad UI via the VNC client:

Home: (On PC/Mac with a 2/3-button mouse) Right click once with the mouse. (On Mac with a track pad) Touch with two fingers on the track pad if Secondary Click is configured.


Mouse: The mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.

d. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.
Note: If there are no profiles, you might not see the Profiles menu option.

e. Next, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
f. Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi.

Note: Forget any networks the iPad connects to automatically.

g. Select and connect to the network n-p##-TS-OPEN

Note: The ## in n-p##-TS-OPEN is to be replaced with the assigned 2-digit pod number; e.g. n-p22-TS-OPEN

h. Launch the Mobile Safari app and browse to http://web.demo.local. This shall redirect to the ISE Guest Portal.
Note: Accept/Confirm any browser certificate warnings or AUP (acceptable use policy) if present.

i. Repeat Step 8 h through n of this exercise to verify the wireless access for the iPad.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 5: Campus-to-DC Use ASDM to Interact with ASA TrustSec Features

Exercise Description
This lab covers the essential ASDM operations for TrustSec elements on an ASA.

Exercise Objective
In this exercise, your goal is to familiarize yourself with basic ASDM operations for TrustSec. This includes completion of the following tasks:

Configure for PAC and SXP
Monitor for PAC, SXP, and SGT maps
Create an ACL with security group elements

Step 1

Connect ASDM to ASA


a. On the admin-PC, double-click ASDM-IDM Launcher on the desktop

b. Provide inputs as below:

Device IP Address / Name:  asa.demo.local
Username:                  admin
Password:                  ISEisC00L
Run in Demo Mode           (unchecked)

c. Click OK to connect.
Step 2

Switch to context cx-ent: In the device list on the left-hand-side panel, connect to cx-ent by double-clicking on the named context.

Step 3

Configure TrustSec properties using ASDM


a. Navigate to Configuration > Firewall > Identity by TrustSec

b. Verify the SXP peers, default source, default password, timers, Server Group.

c. (Optional, as already done via CLI in Exercise 2 Step 6) Click on Import PAC to import the
PAC from the local machine

d. (Optional) Check/un-check the checkbox next to Enable SGT Exchange Protocol (SXP) to
enable/disable SXP

e. Click Apply to effect the changes


Step 4

Monitoring TrustSec: Navigate to Monitoring > Properties > Identity by TrustSec

Click each item in turn to check
a. PAC - verify the PAC installation
b. Environment Data - verify the download of the security group table
c. SXP Connections - check the SXP connections with peers
d. IP Mappings - verify the security group IP mapping table

Step 5

Use ASDM to reconfigure Security Group based policies
a. Go to Configuration > Firewall > Objects > Security Group Object Groups
b. Click on Add on the right-hand panel
c. In the pop-up window Add Security Group Object Group, fill in
   Group Name: demo-SG-ObjGroup
   Click to highlight LOB_web_servers in Existing Security Groups
   Click Add >> to add it to Members in Group
   Click OK to close the pop-up.

d. Go to Configuration > Firewall > Access Rules
e. Click on the rule under interface campus and hit Edit to work on the first ACE
f. In the pop-up Edit Access Rule, click on the browse icon next to the Security Group text box in the Destination Criteria.
g. In the pop-up Browse Security Group window

   << Remove the security group name LOB_web_servers
   Add >> the existing Security Group Object Group demo-SG-ObjGroup
   Click OK to close the pop-up Browse Security Group

h. Click OK to close the pop-up Edit Access Rule.
i. Click Apply to send the changes to the ASA.

Step 6

Repeat Exercise 4 Step 8 to send traffic and verify that the policy is still applied correctly. The object group contains only LOB_web_servers, so the ACE still resolves to tag 3 and should match as before.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.


Part 2: Intra-DC SGFW Enforcement with ASA


Logical Topology


Part 2 covers the use case of using the ASA to segment server-to-server communication within a data center network. The goal is to allow one specific group of servers (LOB_web_servers) to access the data on another group (LOB_db_servers). ASA enforcement may be in either routed or transparent (bridge) mode, and in either single or multiple context mode. An ASA context in transparent mode is used in this part of the exercises.


Lab Exercise 6: Intra-DC Configure Network Devices and Security Groups in ISE

Exercise Description
This lab covers the ISE configuration that prepares the ASA context cx-lob for RADIUS authentication and retrieval of TrustSec environment data. It also provisions the security groups used for intra-DC access.

Exercise Objective
In this exercise, your goal is to configure the ASA as a network device in ISE so that it may receive TrustSec security groups. This includes completion of the following tasks:

Create a network device for ASA context cx-lob
Create TrustSec security groups

Step 1

Access the ISE administrative web interface.


a. Log in to https://ise-1.demo.local as admin / ISEisC00L

Note: Accept/Confirm any browser certificate warnings if present.

Step 2

Add the ASA context cx-lob as a Network Access Device

a. Navigate to Administration > Network Resources > Network Devices
b. Click Add and fill in the values shown in the following table:


Attribute                                            Value
Name                                                 cx-lob (see Note 1)
Description
IP Address                                           10.1.129.2 / 32
Model Name                                           ASA
Software Version
Device Type
Location                                             GOLD-Lab

Advanced TrustSec Settings
Device Authentication Settings
  Use Device ID for SGA Identification
  Device Id                                          cx-lob
  Password                                           Anything (see Note 2)
SGA Notifications and Updates
  Download environment data every                    1 Days
  Download peer authorization policy every           1 Days
  Reauthentication every                             1 Days
  Download SGACL lists every                         1 Days
  Other SGA devices to trust this device
  Notify this device about SGA configuration changes
Device Configuration Deployment                      (None configured)
Out Of Band (OOB) SGA PAC
  Issue Date / Expiration Date / Issued By           (populated once a PAC is generated)
  Generate PAC

Note 1: The Name (Device ID) must be the same as the context name in the ASA. It is included in the PAC the ASA uses to authenticate to ISE and retrieve the SG table.
Note 2: The device password is not used, because the ASA supports only OOB PAC provisioning, but it needs to be a valid, non-empty string in order to save the NAD object.

c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog box, input ISEisC00L as the Encryption Key.

Identity          cx-lob
Encryption Key    ISEisC00L
PAC Time to Live  1 Years

Note: The ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).

d. Click on Generate PAC and save the resulting pac file to the default Downloads folder.
e. Click Submit when finished.
Note: If Submit does not work, log off and back into the ISE admin web interface and repeat Step 2.

Step 3

Create Security Groups

a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security Group Access > Security Groups.

Note: ISE assigns SGTs automatically by default. To assign SGTs manually, go to Administration > System > Settings, select Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.

b. Add security group LOB_db_servers
   i. In the right panel, click Add.
   ii. Input LOB_db_servers into the Name field.
   iii. Submit to save this new security group with the assigned tag.
c. The resulting Name-SGT table shall be similar to below:

Name              SGT (Dec / Hex)
Unknown           0 / 0000
LOB_web_users     2 / 0002
LOB_web_servers   3 / 0003
LOB_db_servers    4 / 0004

You are now done preparing the ISE for the ASA context cx-lob to download the TrustSec environment data.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.


Lab Exercise 7: Intra-DC Configure ASA to download Security Group table

Exercise Description
This exercise shows how to enable an ASA context to download the security group (name-to-tag) table from ISE.

Exercise Objective
In this exercise, your goal is to work in a transparent context of the ASA and configure it to download the TrustSec security group table from ISE:

Create an AAA server group and designate it as the TrustSec server
Import the PAC and verify the SG table download

Step 1

If disconnected, restart the putty ssh session to asa with the credentials admin / ISEisC00L

Step 2

At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3

Change to the context cx-lob by CLI command changeto context cx-lob


asa# changeto context cx-lob
asa/cx-lob#

Step 4

Review the running-config of the network interfaces and routing with the following CLI commands in privileged EXEC mode:
show run interface
show run route
asa/cx-lob# show run interface
!
interface BVI1
 ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif web
 bridge-group 1
 security-level 8
!
interface GigabitEthernet0/3
 nameif db
 bridge-group 1
 security-level 9
asa/cx-lob# show run route
route web 0.0.0.0 0.0.0.0 10.1.129.1 1

Note: cx-lob is a transparent (bridged) context. Both interfaces belong to bridge-group 1, and the context's only IP address, 10.1.129.2 on BVI1, is the management address it uses for its own traffic to ISE and to its SXP peer.

Step 5

Add an AAA server group and host, and designate it as the cts server group with the following CLI commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (web) host 10.1.100.21
authentication-port 1812
accounting-port 1813
cts server-group ts-ise

asa/cx-lob# configure terminal
asa/cx-lob(config)# aaa-server ts-ise protocol radius
asa/cx-lob(config-aaa-server-group)# aaa-server ts-ise (web) host 10.1.100.21
asa/cx-lob(config-aaa-server-host)# authentication-port 1812
asa/cx-lob(config-aaa-server-host)# accounting-port 1813
asa/cx-lob(config-aaa-server-host)# cts server-group ts-ise
asa/cx-lob(config)# end
asa/cx-lob#

Step 6

On admin-PC, move the cx-lob.pac file from admin's Downloads folder to C:\inetpub\ftproot\. Then, proceed to import it at the ASA:
cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
asa/cx-lob# cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
!PAC Imported Successfully

Note: The password is the Encryption Key chosen when the PAC was generated (Lab Exercise 6 Step 2). The PAC file is encrypted with that key, which is what makes the plain FTP transfer acceptable in the lab; the import fails if the key does not match.

Step 7

Check the PAC data and verify the environment data and SG table with:
show cts pac
show cts environment-data
show cts environment-data sg-table
asa/cx-lob# show cts pac
PAC-Info:
  Valid until:  Aug 25 2013 23:42:16
  AID:          0215c9b539f4f2f56a716ea5d4a04132
  I-ID:         cx-lob
  A-ID-Info:    ise demo
  PAC-type:     Cisco Trustsec
PAC-Opaque:
...

Note: The initiator identifier (I-ID) is cx-lob and A-ID-Info is ise demo. The authority identifier (A-ID) was configured in Lab Exercise 1 Step 2, and the I-ID in Lab Exercise 6 Step 2.
asa/cx-lob# show cts environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          04:00:14 UTC Aug 27 2012
Env-data expires in:       0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:48:34 (dd:hr:mm:sec)
Note: If the download fails, check the ISE live log and the NAD configuration for the ASA.
asa/cx-lob# show cts environment-data sg-table
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 6 of 6 entries
SG Name           SG Tag   Type
-------           ------   ------------
ANY               65535    unicast
LOB_db_servers    4        unicast
LOB_web_servers   3        unicast
LOB_web_users     2        unicast
Unknown           0        unicast

This ASA context now has the TrustSec security group name-to-tag mapping. We will use it in an ACL in later exercises.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.


Lab Exercise 8: Intra-DC Configure SXP in Network Devices

Exercise Description
In this exercise you will establish SXP communication between the ASA context cx-lob and 3k-data.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure ASA context cx-lob as the SXP listener to peer with the switch 3k-data
Configure the switch 3k-data as the SXP peer for the ASA context cx-lob

Step 1

Configure cx-lob as the SXP listener


a. Back in the SSH session to the context cx-lob of ASA, provision the SXP connectivity with
the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.3 3k-data SVI for VLAN 129
cts sxp connection peer 10.1.129.3 password default mode local listener
cts sxp enable
asa/cx-lob# configure terminal
asa/cx-lob(config)# cts sxp default password ISEisC00L
asa/cx-lob(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-lob(config)# cts sxp enable
asa/cx-lob(config)# end
asa/cx-lob#

Step 2

Configure SXP on 3k-data


a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! peer 10.1.129.2 asa/cx-lob web IP
cts sxp connection peer 10.1.129.2 password default mode local

Note: SXP default password is set and the SXP service enabled previously in Part 1 Exercise 3 Step 3.

3k-data# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts sxp conn peer 10.1.129.2 password default mode local
3k-data(config)#end
3k-data#

c. Verify the SXP connectivity with the following CLI command in EXEC mode:
show cts sxp connections brief

3k-data# show cts sxp connections brief
SXP              : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status   Duration
-----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On            3:10:35:23 (dd:hr:mm:sec)
10.1.129.2       10.1.129.3       On            0:00:38:33 (dd:hr:mm:sec)

Total num of SXP Connections = 2
3k-data#

This ASA context cx-lob has now peered with 3k-data and shall get the IP-SGT mapping from it.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 9: Intra-DC Source and Destination IP-SGT
Exercise Description
This exercise shows the switch 3k-data forwarding its IP-SGT mappings to the ASA context cx-lob, and the ASA using the security groups to enforce server-to-server communication.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Provision a static IP-SGT binding on 3k-data.
Configure an ASA ACL with security groups.

Step 1

Configure a static IP-SGT binding on 3k-data


a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the static IP-SGT binding with the following CLI command in configuration mode:
! map a db server ip address to SGT LOB_db_servers (tag=4)
cts role-based sgt-map 10.1.129.20 sgt 4

3k-data# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts role-based sgt-map 10.1.129.20 sgt 4
3k-data(config)#end
3k-data#

c.

Verify the static IP-SGT binding with the following CLI command in exec mode
show cts role-based sgt-map all

3k-data# show cts role-based sgt-map all


Active IP-SGT Bindings Information
IP Address
SGT
Source
============================================
10.1.129.8
3
CLI
...
10.1.129.20
4
CLI
IP-SGT Active Bindings Summary
============================================
Total number of CLI
bindings = 6
Total number of active
bindings = 6

Step 2

Configure an ACL on ASA context cx-lob

a. Back in the SSH session to the context cx-lob of ASA, add an ACL and apply it to the interface web with the following CLI commands in configuration mode:

! add an ACL
! This ACL has only one ACE, all on one line.
access-list web_in extended permit tcp security-group name LOB_web_servers any security-group name LOB_db_servers any eq 3306 log
! Apply it to web
access-group web_in in interface web

Note: Every ASA ACL ends with an implicit deny, so with this single ACE any other flow entering the web interface is dropped; return traffic for the permitted MySQL connections is still allowed by stateful inspection.


asa/cx-lob# configure terminal
asa/cx-lob(config)# access-list web_in extended permit tcp security-group name LOB_web_servers any security-group name LOB_db_servers any eq 3306 log
asa/cx-lob(config)# access-group web_in in interface web
asa/cx-lob(config)# end
asa/cx-lob#

b. Verify the SG name-to-tag mapping with the following CLI command:

show access-list web_in
asa/cx-lob# show access-list web_in
access-list web_in; 2 elements; name hash: 0x732a90f6
access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=0) 0x8193d619
asa/cx-lob#
Note: LOB_web_servers and LOB_db_servers are both associated with tag numbers, shown in parentheses.

c. Configure buffered logging to see ACE hits in later steps.

logging buffered informational
logging timestamp
logging enable

asa/cx-lob# configure terminal


asa/cx-lob(config)# logging buffered informational
asa/cx-lob(config)# logging timestamp
asa/cx-lob(config)# logging enable
asa/cx-lob(config)# end
asa/cx-lob#
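Both parts of the lab read the %ASA-6-106100 messages from the logging buffer by eye. The following Python, added as an example and not the guide's or Cisco's code, parses those lines, including the (tag:name) annotations the ASA appends to each address, and flags permitted flows that are untagged on either side or fall outside the intended SG-to-SG policy; that is the shape of a detection rule for a missing IP-SGT binding or an ACE broader than the security-group policy. The first two sample lines follow the ones shown in this guide (Exercise 4 Step 8 l and Step 3 f below); the other two are constructed, and the assumption that an untagged side simply carries no parenthesised annotation is marked in the code.

```python
"""Parse ASA 106100 access-list messages with TrustSec SG annotations and audit
them against the intended SG-to-SG policy. Added example, not Cisco code."""
import re
from typing import Optional

LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?:\((?P<src_tag>\d+):(?P<src_sg>[^)]+)\))? -> "          # SG annotation is optional
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:\((?P<dst_tag>\d+):(?P<dst_sg>[^)]+)\))? hit-cnt (?P<hits>\d+)"
)


def parse_106100(line: str) -> Optional[dict]:
    """Return the message fields as a dict, or None if the line is not a 106100."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hits", "src_tag", "dst_tag"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


# Intended SG-to-SG flows per the two lab ACLs: (source SG, destination SG, dst port)
INTENDED = {("LOB_web_users", "LOB_web_servers", 80),
            ("LOB_web_servers", "LOB_db_servers", 3306)}


def audit(lines, intended=INTENDED):
    """Permitted flows that are untagged on one side or not in the intended policy.
    Each finding is (acl, src, dst, (src_sg, dst_sg, dport))."""
    findings = []
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["action"] != "permitted":
            continue
        key = (rec["src_sg"], rec["dst_sg"], rec["dport"])
        if rec["src_sg"] is None or rec["dst_sg"] is None or key not in intended:
            findings.append((rec["acl"], rec["src"], rec["dst"], key))
    return findings


SAMPLE = [
    # as shown in the guide (Exercise 4 Step 8 l)
    "%ASA-6-106100: access-list campus_in permitted tcp campus/10.1.10.101(50184)(2:LOB_web_users) "
    "-> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x12947da7, 0x0]",
    # as shown in the guide (Exercise 9 Step 3 f)
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.12(43838)(3:LOB_web_servers) "
    "-> db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]",
    # constructed: management-VLAN host matched the plain IP permit; assumed to carry
    # no source annotation because the ASA has no binding for it
    "%ASA-6-106100: access-list campus_in permitted tcp campus/10.1.100.6(51000) "
    "-> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x5a1e7c03, 0x0]",
    # constructed: campus host without a binding, dropped by the campus-to-DC deny
    "%ASA-6-106100: access-list campus_in denied tcp campus/10.1.50.202(52000) "
    "-> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x3b9ac9ff, 0x0]",
]

if __name__ == "__main__":
    for acl, src, dst, key in audit(SAMPLE):
        print(f"{acl}: {src} -> {dst} permitted outside SG policy: {key}")
```

On a real deployment the input is the syslog feed rather than show logging, and INTENDED is derived from the deployed security-group ACEs; a permitted flow with an untagged source is the first thing to look at when an SXP peer drops.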

Step 3

Test on w7pc-guest
a. Switch back to the console of w7pc-guest via the VMware client.
b. If needed, log in again at Windows as admin / ISEisC00L
c. If the network connection disconnected, re-authenticate using either Wired or Wireless as in
Exercise 4 Step 8 or 9.
d. Launch Mozilla Firefox browser, go to http://web.demo.local, and, if needed, re-authenticate
to the web site as admin / ISEisC00L
e. At the CTS DB Test login page, enter the following info before hitting Go:
   Log in
   Username:       admin
   Password:       ISEisC00L
   Server Choice:  TS TEST DB
f. Check the hit counts of ASA access-list


ASA will show the hit count (hitcnt) increasing for the matched entry.

asa/cx-lob# show access-list web_in


...
access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any
security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=3)
0x8193d619
asa/cx-lob# show logging | inc web_in
...
%ASA-6-106100: access-list web_in permitted tcp app/10.1.129.12(43838)(4:LOB_web_servers) ->
db/10.1.129.20(3306)(5:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]
...
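The %ASA-6-106100 messages above are what an analyst would aggregate to see which security-group pairs the SGFW ACL is actually matching. As an added example, not part of this lab guide or of the ASA, here is a small Python audit that reads the name-to-tag mapping from "show access-list" output, sums hit counts per (action, source SG, destination SG, port) from 106100 lines, and flags any log entry whose tag:name pair disagrees with the tags the ACL was compiled with. The ACE text and syslog lines it uses are constructed to follow the lab's format, not captured from the device.

```python
import re
from collections import Counter

# Security-group ACE as printed by "show access-list": name(tag=N).
ACE_TAG_RE = re.compile(r"security-group name (\S+?)\(tag=(\d+)\)")
# %ASA-6-106100 with the optional "(tag:name)" SGT suffix on each endpoint.
LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\)(?:\((?P<stag>\d+):(?P<sname>[^)]+)\))? -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)(?:\((?P<dtag>\d+):(?P<dname>[^)]+)\))? "
    r"hit-cnt (?P<hits>\d+)")

def parse_sg_tags(show_access_list):
    """Return {security-group name: tag} from 'show access-list' output."""
    return {name: int(tag) for name, tag in ACE_TAG_RE.findall(show_access_list)}

def parse_106100(line):
    """Return the fields of one %ASA-6-106100 message, or None for any other message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def audit_sgfw_log(log_text, tag_map):
    """Sum hit counts per (action, source SG, destination SG, destination port) and
    list (name, tag seen in log, tag in ACL) for entries whose tag:name pair
    disagrees with the name-to-tag mapping the ACL was compiled with."""
    hits, mismatches = Counter(), []
    for line in log_text.splitlines():
        f = parse_106100(line)
        if f is None:
            continue
        hits[(f["action"], f["sname"], f["dname"], int(f["dport"]))] += int(f["hits"])
        for tag, name in ((f["stag"], f["sname"]), (f["dtag"], f["dname"])):
            if name is not None and tag_map.get(name) != int(tag):
                mismatches.append((name, int(tag), tag_map.get(name)))
    return hits, mismatches

# Constructed sample of "show access-list web_in", modelled on the lab's ACE (not captured output).
SHOW_ACL = ("access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) "
            "any security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300")
# Constructed sample syslog lines in the 106100 format; the third carries a destination tag (5)
# that disagrees with the ACL's tag for LOB_db_servers (4), so the audit has something to flag.
SAMPLE_LOG = "\n".join([
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.12(43838)(3:LOB_web_servers) -> "
    "db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]",
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.12(43840)(3:LOB_web_servers) -> "
    "db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 2 300-second interval [0x8193d619, 0x0]",
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.12(43841)(3:LOB_web_servers) -> "
    "db/10.1.129.20(3306)(5:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]",
])
```

Calling audit_sgfw_log(SAMPLE_LOG, parse_sg_tags(SHOW_ACL)) returns 4 permitted hits for the LOB_web_servers to LOB_db_servers port 3306 pair and one mismatch record for the constructed tag-5 entry; feed it the real "show logging | inc 106100" output to check a live context.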


g. Verify the IP-SGT bindings on ASA that are learnt from all its peers (control plane) and those
installed in the accelerated security path (ASP, data path):
show cts sgt-map (Control Plane command)
show asp table cts sgt-map (Data Path command)

asa/cx-lob# show cts sgt-map
Active IP-SGT Bindings Information
IP Address       SGT    Source
================================================================
10.1.129.8       3      SXP
...
10.1.129.20      4      SXP
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 6
Total number of active bindings = 6
Total number of shown bindings = 6
asa/cx-lob# show asp table cts sgt-map
IP Address       SGT
==============================================
10.1.129.8       3:LOB_web_servers
...
10.1.129.20      4:LOB_db_servers
Total number of entries shown = 6
asa/cx-lob#

h. Verify IP-SGT bindings on ASA that are propagated via SXP

show cts sxp sgt-map detail

asa/cx-lob# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 6
Total number of IP-SGT mappings shown: 6
SGT      : 3
IPv4     : 10.1.129.8
Peer IP  : 10.1.129.1
Ins Num  : 1
Status   : Active
...
SGT      : 4
IPv4     : 10.1.129.20
Peer IP  : 10.1.129.1
Ins Num  : 1
Status   : Active
asa/cx-lob#

i. Power off w7pc-guest when done.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.

Appendix A: Creating a transparent firewall context


In this lab, all the ASA contexts are created in advance. For your reference, here are the steps to create
the transparent context cx-lob:
Step 1

Change to the system space by CLI command changeto system


asa/cx-admin# changeto system
asa#

Step 2

Create a new context cx-lob with the following CLI commands in configuration mode:
context cx-lob
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/cx-lob.cfg
exit
interface GigabitEthernet0/2
no shut
interface GigabitEthernet0/3
no shut
asa# configure terminal
asa(config)# context cx-lob
Creating context 'cx-lob... Done. (5)
asa(config-ctx)# allocate-interface GigabitEthernet0/2
asa(config-ctx)# allocate-interface GigabitEthernet0/3
asa(config-ctx)# config-url disk0:/cx-lob.cfg
WARNING: Could not fetch the URL disk0:/cx-lob.cfg
INFO: Creating context with default config
asa(config)# interface gigabitEthernet 0/2
asa(config-if)# no shut
asa(config-if)# interface gigabitEthernet 0/3
asa(config-if)# no shut
asa(config)# end
asa#

Step 3

Change to the new context cx-lob by CLI command changeto context cx-lob
asa# changeto context cx-lob
asa/cx-lob#

Step 4

Update the firewall mode and the interfaces with the following CLI commands in configuration
mode:
! Change to transparent mode
firewall transparent
!
interface BVI1
ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif web
bridge-group 1
security-level 9
!
interface GigabitEthernet0/3
nameif db
bridge-group 1
security-level 10
!
! default gateway to ASA cx-ents web interface
route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob# configure terminal
asa/cx-lob(config)# firewall transparent
asa/cx-lob(config)# interface BVI1
asa/cx-lob(config-if)# ip address 10.1.129.2 255.255.255.0
asa/cx-lob(config-if)# exit
asa/cx-lob(config)# interface GigabitEthernet0/2
asa/cx-lob(config-if)# nameif web


asa/cx-lob(config-if)# bridge-group 1
asa/cx-lob(config-if)# security-level 9
asa/cx-lob(config-if)# !
asa/cx-lob(config)# interface GigabitEthernet0/3
asa/cx-lob(config-if)# nameif db
asa/cx-lob(config-if)# bridge-group 1
asa/cx-lob(config-if)# security-level 10
asa/cx-lob(config-if)# !
asa/cx-lob(config-if)# route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob(config)# end
asa/cx-lob#
