EDCS-1224105
Lab Overview
This lab is designed to help attendees understand the basics of deploying Cisco TrustSec Security
Group Firewall (SGFW) with the Adaptive Security Appliance (ASA) and Identity Services Engine (ISE). Lab
participants should be able to complete the lab within the allotted time of 3 hours.
Lab Exercises
This lab guide includes the following exercises:
Part 1 Campus-to-DC SGFW Enforcement with ASA
Lab Exercise 1 : Campus-to-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 2 : Campus-to-DC Configure ASA to download Security Group table
Lab Exercise 3 : Campus-to-DC Configure SXP in Network Devices
Lab Exercise 4 : Campus-to-DC Source and Destination IP-SGT
Lab Exercise 5 : Campus-to-DC Use ASDM to interact with ASA TrustSec features
Lab Exercise 6 : Intra-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 7 : Intra-DC Configure ASA to download Security Group table
Lab Exercise 8 : Intra-DC Configure SXP in Network Devices
Lab Exercise 9 : Intra-DC Source and Destination IP-SGT
TS_SGFW-ASA_Lab_Guide.docx
Page 1 of 42
Product Overview
Cisco Secure Access and TrustSec is the Borderless Network access control solution, providing
visibility into and control over the devices and users on the network.
Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that
gathers real-time information from the network, users, and devices. ISE then uses this information to
make proactive governance decisions by enforcing policy across the network infrastructure using built-in,
standards-based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and
devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive
tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device
(BYOD), through policy-enabled services.
Lab Topology
Name/Hostname                             IP Address
3k-access.demo.local                      10.1.100.1
3k-data.demo.local                        10.1.129.3
wlc.demo.local                            10.1.100.61
ap.demo.local                             10.1.90.x/24 (DHCP)
ASA (5515-X)
  asa.demo.local                          10.1.100.2
ISE Appliance
  ise-1.demo.local                        10.1.100.21
  ise-feedserver.demo.local               10.1.100.41
AD (AD/CS/DNS/DHCP)
  ad.demo.local                           10.1.100.10
NTP Server
  ntp.demo.local                          128.107.212.175
MobileIron
  mobileiron.demo.local                   10.1.100.15
  mail.demo.local                         10.1.100.40
LOB Web
  lob-web.demo.local                      10.1.129.12
  portal.demo.local, updates.demo.local   10.1.129.8
  business.demo.local                     10.1.129.9
  it.demo.local                           10.1.129.10
  records.demo.local                      10.1.129.11
LOB DB
  lob-db.demo.local                       10.1.129.20
Admin PC
  admin.demo.local, ftp.demo.local        10.1.100.6
Windows 7 Client PC
  w7pc-guest.demo.local                   10.1.50.x/24 (DHCP)
VLAN   VLAN Name       IP Subnet        Description
10     ACCESS          10.1.10.0/24
20     MACHINE         10.1.20.0/24
(29)   IC-ASA-ACCESS   10.1.29.0/24
30     QUARANTINE      10.1.30.0/24
40     VOICE           10.1.40.0/24     Voice VLAN
50     GUEST           10.1.50.0/24
90     AP              10.1.90.0/24     Wireless AP VLAN
100    Management      10.1.100.0/24
129    WEB             10.1.129.0/24
130    DB              10.1.130.0/24
Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Access To                   Account (username/password)
                            admin / ISEisC00L
                            admin / ISEisC00L
                            admin / ISEisC00L
ASA (5515-X)                admin / ISEisC00L
ISE Appliances              admin / ISEisC00L
AD (AD/CS/DNS/DHCP)         admin / ISEisC00L
Web Servers                 admin / ISEisC00L
                            admin / ISEisC00L
Windows 7 Client            W7PC-guest\admin / ISEisC00L
                            DEMO\admin / ISEisC00L (Domain = DEMO)
                            DEMO\employee1 / ISEisC00L
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components.
Note: Admin PC access is through RDP, so you must have an RDP client installed on your computer.
Connect to a POD
Step 1
Clicking on this option should launch your RDP client and connect you to the Admin PC.
Log in as admin / ISEisC00L
From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2
Once logged in, you will see a list of VMs that are available on your ESXi server:
Step 3
You can power on, power off, or open the console (view) of these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options.
Step 4
To log in to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:
Step 2
Step 3
Step 4
The ping test may fail for VMs that have not yet completed the boot process.
Note: If the join fails due to clock skew, open a PuTTY SSH session to the ise-1 admin CLI and issue show ntp and show clock to check
whether the NTP service is working. The NTP service may be corrected by reloading ise-1 or by resetting the VM.
Step 3
Part 1 Campus-to-DC SGFW Enforcement with ASA
Part 1 covers a common use case of using the ASA to enforce network access from a campus network to a data center network. The goal is to allow a specific group of users (LOB_web_users) in the campus to reach the web sites inside the data center. ASA enforcement may be in either routed or transparent mode, and in either single or multiple contexts. An ASA context in routed mode is presented here.
Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE
Exercise Objective
In this exercise, your goal is to configure the ASA as a network device that receives Cisco TrustSec
environment data, in addition to the access-level switch and WLC. This includes completion of
the following tasks:
Step 4
b. Log in with username admin and password ISEisC00L. The ISE Dashboard should
display. Navigate the interface using the multi-level menus.
Step 5
Step 6
Click Save.
Verify the Wireless LAN Controller configured as a Network Access Device in ISE
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. Check that this network device is preconfigured with the values shown in the following table:
Attribute                  Value
Name                       wlc
Description
IP Address                 10.1.100.61 / 32
Model Name
Software Version
Device Type                WLC
Location                   GOLD-Lab
Authentication Settings
  Protocol                 RADIUS
  Shared Secret            ISEisC00L
Step 7
Verify that the access switch 3k-access is configured as a Network Access Device in ISE
a. Go back up to the Network Device List at Administration > Network Resources > Network Devices by
clicking on its breadcrumb hyperlink
c. Check that this network device is preconfigured with the values shown in the following table:
Attribute                  Value
Name                       3k-access
Description
IP Address                 10.1.100.1 / 32
Model Name
Software Version
Device Type                IOS-SW
Location                   GOLD-Lab
Authentication Settings
  Protocol                 RADIUS
  Shared Secret            ISEisC00L
Step 8
Attribute                                              Value
Name                                                   cx-ent (see Note 1)
Description
IP Address                                             10.1.29.1 / 32
Model Name
Software Version
Device Type                                            ASA
Location                                               GOLD-Lab
Device Id                                              cx-ent
Password                                               Anything (see Note 2)
SGA Notifications and Updates
  Download environment data every                      1 Days
  Download peer authorization policy every             1 Days
  Reauthentication every                               1 Days
  Download SGACL lists every                           1 Days
  Other SGA devices to trust the device
  Notify this device about SGA configuration changes
Device Configuration Deployment                        (None configured)
Out Of Band (OOB) SGA PAC
  Issue Date
  Expiration Date
  Issue By
                                                       Generate PAC
Note 1: The Name (Device ID) must be the same as the context name in ASA, which we will review in Lab Exercise 2. It is included
in the PAC for ASA to authenticate and retrieve the SG table from ISE
Note 2: The device password is not used because ASA supports only OOB PAC provisioning but needs to be a valid and nonempty string in order to save the NAD object.
c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog
box, input ISEisC00L as the Encryption Key.
Identity            cx-ent
Encryption Key      ISEisC00L
PAC Time to Live    1 Years
Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).
d. Click on Generate PAC. In the pop-up window Opening cx-ent.pac of the Firefox browser,
click OK to accept the default Save File option to save the resulting pac file to the default
Downloads folder.
e. Click Submit when finished.
Step 9
Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select
Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.
You are now done preparing the ISE for the ASA context to download the TrustSec environment data.
Lab Exercise 2: Campus-to-DC Configure ASA to Download Security Group Table
Exercise Objective
In this exercise, your goal is to work on a routed firewall context in the ASA and configure it to
download the TrustSec security group table from ISE:
Step 1
Step 2
At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#
Step 3
Step 4
Review the running-config of the network interfaces and routing with the following CLI
commands in configuration mode:
show run interface
show run route
asa/cx-ent# show run interface
interface GigabitEthernet0/0
nameif campus
security-level 29
ip address 10.1.29.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif web
security-level 100
ip address 10.1.129.1 255.255.255.0
!
interface GigabitEthernet0/5
nameif internet
security-level 0
ip address n0.n1.n2.n3 255.255.255.128
asa/cx-ent# show run route
route internet 0.0.0.0 0.0.0.0 n0.n1.n2.129 1
route campus 10.1.0.0 255.255.128.0 10.1.29.2 1
Step 5
Create AAA server group ts-ise, add ISE as the host, then designate it as the CTS server group
with the following CLI commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (campus) host 10.1.100.21
authentication-port 1812
accounting-port 1813
cts server-group ts-ise
asa/cx-ent# configure terminal
asa/cx-ent(config)# aaa-server ts-ise protocol radius
asa/cx-ent(config-aaa-server-group)# aaa-server ts-ise (campus) host 10.1.100.21
asa/cx-ent(config-aaa-server-host)# authentication-port 1812
asa/cx-ent(config-aaa-server-host)# accounting-port 1813
asa/cx-ent(config-aaa-server-host)# cts server-group ts-ise
asa/cx-ent(config)# end
asa/cx-ent#
Step 6
On the admin PC, move the cx-ent.pac file from admin's Downloads folder to
C:\inetpub\ftproot\ on the admin PC. Then import it into cx-ent:
cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L
asa/cx-ent# cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L
!PAC Imported Successfully
asa/cx-ent#
Step 7
Note: The initiator identifier (I-ID) is cx-ent and A-ID-Info is ise demo. The authority identifier (A-ID) was configured in Lab Exercise 1
Step 2, and the I-ID in Lab Exercise 1 Step 5.
asa/cx-ent# show cts environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          04:00:14 UTC Aug 27 2012
Env-data expires in:       0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:48:34 (dd:hr:mm:sec)
Note: If the download fails, check ISE live log and the NAD configuration for ASA.
To refresh or retry the download, use this command:
cts refresh environment-data
Step 8
asa/cx-ent# show cts environment-data sg-table
Security Group Table:
SG Name            SG Tag   Type
------             ------   ------------
ANY                65535    unicast
LOB_web_servers    3        unicast
LOB_web_users      2        unicast
Unknown            0        unicast
Check ISE live authentication records for SG table download by the ASA
a. Switch to ISE admin web interface at the Firefox browser on the admin-PC
b. Re-login as admin / ISEisC00L if the session times out
c. Look for two entries with the event CTS Data Download Succeeded:
   Time    Event
   t-1     CTS Data Download Succeeded
   t-2     CTS Data Download Succeeded
ii. The authentication results are in the tool-tip shown by hovering over the status column of each
entry:
   Time t-1, Authentication Result:
   User-Name=#CTSREQUEST#
   State=ReauthSession:0a0164150000000050748C6D
   Class=CACS:0a0164150000000050748C6D:ise-1/139170756/1
   Termination-Action=RADIUS-Request
   cisco-av-pair=cts:server-list=CTSServerList1-0001
   cisco-av-pair=cts:security-group-tag=0000-00
   cisco-av-pair=cts:environment-data-expiry=86400
   cisco-av-pair=cts:security-group-table=0001-4
   Time t-2, Authentication Result:
   User-Name=#CTSREQUEST#
   State=ReauthSession:0a0164150000000150748C6D
   Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
   Termination-Action=RADIUS-Request
   cisco-av-pair=cts:security-group-table=0001-4
   cisco-av-pair=cts:security-group-info=0-0-00-Unknown
   cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
   cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
   cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers
This ASA context cx-ent now has the name-to-tag mapping of the TrustSec security groups. We will use it in an ACL in later exercises.
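To see what the ASA actually receives in that download, here is an added Python example (not part of the lab guide and not a Cisco tool) that parses the cisco-av-pair values from the live-log tool-tips above into the name-to-tag table and checks that the entry count announced in cts:security-group-table matches what arrived. The attribute list is constructed from the values shown above; the meaning of the two middle fields of cts:security-group-info and of the first field of cts:security-group-table is assumed and they are not interpreted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the cts:* attribute-value pairs ISE returned in the two
# environment-data downloads shown in the live-log tool-tips above.
SAMPLE_AV_PAIRS: List[str] = [
    "cts:server-list=CTSServerList1-0001",
    "cts:security-group-tag=0000-00",
    "cts:environment-data-expiry=86400",
    "cts:security-group-table=0001-4",
    "cts:security-group-info=0-0-00-Unknown",
    "cts:security-group-info=ffff-0-00-ANY",
    "cts:security-group-info=2-0-00-LOB_web_users",
    "cts:security-group-info=3-0-00-LOB_web_servers",
]

# <tag-hex>-<field>-<field>-<name>; the two middle fields are assumed to be
# generation/flag values and are not interpreted here.
SG_INFO_RE = re.compile(r"^cts:security-group-info=([0-9a-fA-F]+)-(\d+)-(\d+)-(.+)$")
# <field>-<count>; the first field is assumed to be a generation id.
SG_TABLE_RE = re.compile(r"^cts:security-group-table=(\d+)-(\d+)$")


def parse_sg_table(av_pairs: List[str]) -> Dict[str, int]:
    """Map security-group name -> tag. Tags are hex on the wire, so ffff is 65535,
    which is how 'show cts environment-data sg-table' displays ANY."""
    table: Dict[str, int] = {}
    for pair in av_pairs:
        m = SG_INFO_RE.match(pair)
        if m:
            tag_hex, _unused1, _unused2, name = m.groups()
            table[name] = int(tag_hex, 16)
    return table


def advertised_entry_count(av_pairs: List[str]) -> Optional[int]:
    """Entry count announced in cts:security-group-table, or None if absent."""
    for pair in av_pairs:
        m = SG_TABLE_RE.match(pair)
        if m:
            return int(m.group(2))
    return None


def check_sg_download(av_pairs: List[str]) -> Tuple[bool, Dict[str, int]]:
    """Sanity check for a download: every announced entry actually arrived."""
    table = parse_sg_table(av_pairs)
    count = advertised_entry_count(av_pairs)
    return (count is not None and count == len(table)), table


if __name__ == "__main__":
    ok, table = check_sg_download(SAMPLE_AV_PAIRS)
    for name, tag in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{name:<18} {tag:>5}")
    print("download complete:", ok)
```

A truncated or partially failed download shows up as a count mismatch, which is the condition to look for before trusting security-group names in an ACL.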
Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
Configure ASA context cx-ent as the SXP listener to peer with three other network devices
Configure 3k-access as the SXP peer for the ASA context cx-ent
Configure 3k-data as the SXP peer for the ASA context cx-ent
Load wlc with a configuration file and configure it as the SXP peer for the ASA context cx-ent
Step 2
3k-access(config)#end
3k-access#
c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief
Step 3
c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief
Step 4
File Type                        Configuration
Configuration File Encryption    (unchecked)
Transfer Mode                    FTP
IP Address                       10.1.100.6
File Path                        /
File Name                        p##-wlc-sgfw.txt
Server Login Username            ftp
Server Login Password            ftp
Server Port Number               21
Note: The ## in p##-wlc-sgfw.txt is to be replaced with the assigned 2-digit pod number; e.g. p02-wlc-sgfw.txt for pod 02.
Step 5
Note: For configuring SXP via the WLC web UI, see the WLC Configuration Guide:
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0111111.html#ID4849
c.
SXP State                  Enable
SXP Mode                   Speaker
Default Password           ****
Default Source IP          10.1.100.61
Connection Retry Period    120
Step 6
Note: If the connection status with the wlc does not become On after a long wait, it may be due to a known defect in WLC 7.2 and 7.3,
CSCtx92968 (WLC SXP peering with ASA after a long, random delay). The workaround is to toggle the SXP status off then on, or to
delete and then re-create the peer on the wlc.
This ASA context has now peered with three other network devices and shall receive the IP-SGT mappings from them.
Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
Step 2
Wait for the operation status to turn Completed before clicking Close to close the pop-up.
Step 3
Review the pre-configured authentication policy under Policy > Authentication as summarized
below. The modified elements from defaults are highlighted in Yellow.
Step 4
Status  Name      Condition                             Protocols                             Options (if auth failed / user not found / process failed)
        MAB       IF Wired_MAB OR Wireless_MAB          allow protocols HostLookup            Reject / Reject / Drop
        Dot1X     IF Wired_802.1X OR Wireless_802.1X    allow protocols PEAP-MSCHAPv2-o-TLS   Reject / Reject / Drop
        EAP-TLS   IF EAP-TLS                                                                  Reject / Reject / Drop
        Default   Default Rule (if no match)            allow protocols
Step 5
Note: We start with a set of preconfigured authorization rules for DOT1X and MAB, and then apply security tags on top of them.
Status  Rule Name         Identity Groups              Other Conditions                                                    Permissions
                          Any                          Blacklist AND Wireless_Access                                       Blackhole_Wireless_Access
                          Cisco-IP-Phone               Any                                                                 Cisco_IP_Phones
                          Non_Cisco_Profiled_Phones    Any                                                                 Non_Cisco_IP_Phones
        AD Authenticated  Any                          Network Access:AuthenticationIdentityStore EQUALS demoAD AND        PermitAll, LOB_web_users
                                                       demoAD:ExternalGroups EQUALS demo.local/HCC/Groups/LOB_web_users
        guest access      Guest OR ActivatedGuest      Any                                                                 PermitInternet
        Wireless MAB      Any                          Wireless_MAB                                                        wlcCWA-noNSP
        Wired MAB         Any                          Wired_MAB                                                           wiredCWA-noNSP
        Default           (no matches)                                                                                     DenyAccess
ISE is now configured to provide a source security group tag when the rule AD Authenticated is matched.
Step 6
Note: To verify the configured SGT map, issue EXEC mode CLI
show cts role-based sgt-map all
Step 7
! The first ACE below is a single line; the optional log keyword makes matches appear in the syslog.
access-list campus_in extended permit tcp security-group name LOB_web_users any security-group name LOB_web_servers any eq www log
! Allow management VLAN
access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
! Block other campus VLANs to DC
access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
! Allow all others (Internet/DMZ)
access-list campus_in extended permit ip any any
! Apply it to campus
access-group campus_in in interface campus
asa/cx-ent# configure terminal
asa/cx-ent(config)# access-list campus_in extended permit tcp security-group name LOB_web_users
any security-group name LOB_web_servers any eq www log
asa/cx-ent(config)# access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
asa/cx-ent(config)# access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0
255.255.128.0
asa/cx-ent(config)# access-list campus_in extended permit ip any any
asa/cx-ent(config)# access-group campus_in in interface campus
asa/cx-ent(config)# end
asa/cx-ent#
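The following Python model is added here as an illustration and is not part of the lab guide or of any Cisco software. It shows how the ASA evaluates campus_in as a security-group firewall: the packet's source and destination addresses are first resolved to an SGT through the IP-SGT bindings (an address with no binding falls back to Unknown, tag 0), then the ACEs are tried in order and the first match decides, with an implicit deny at the end. The tag values and bindings are constructed from the ones this lab produces (10.1.50.201 is LOB_web_users, 10.1.129.8 is LOB_web_servers); the Ace class and helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the lab values: the SG table downloaded in Exercise 2 and the
# IP-SGT bindings the ASA learns over SXP in Exercise 4.
SG_TABLE = {"Unknown": 0, "LOB_web_users": 2, "LOB_web_servers": 3, "ANY": 65535}
IP_SGT_MAP = {
    "10.1.50.201": SG_TABLE["LOB_web_users"],    # w7pc-guest after employee1 logs in
    "10.1.129.8": SG_TABLE["LOB_web_servers"],   # portal.demo.local, learnt from 3k-data
}

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}")


@dataclass
class Ace:
    """One access-list entry; None for a security-group field means no SGT constraint."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src_sg: Optional[str]
    src_net: ipaddress.IPv4Network
    dst_sg: Optional[str]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # None matches any port


# The campus_in ACL from Exercise 4 Step 7, in the order it was entered.
CAMPUS_IN: List[Ace] = [
    Ace("permit", "tcp", "LOB_web_users", ANY_NET, "LOB_web_servers", ANY_NET, 80),
    Ace("permit", "ip", None, net("10.1.100.0", "255.255.255.0"), None, ANY_NET),
    Ace("deny", "ip", None, net("10.1.0.0", "255.255.128.0"), None, net("10.1.128.0", "255.255.128.0")),
    Ace("permit", "ip", None, ANY_NET, None, ANY_NET),
]


def sgt_of(ip: str) -> int:
    """An address with no IP-SGT binding is treated as Unknown (tag 0)."""
    return IP_SGT_MAP.get(ip, SG_TABLE["Unknown"])


def sg_matches(name: Optional[str], sgt: int) -> bool:
    return name is None or name == "ANY" or SG_TABLE[name] == sgt


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; no match falls through to the implicit deny (index None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_sgt, dst_sgt = sgt_of(src_ip), sgt_of(dst_ip)
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src_net or dst not in ace.dst_net:
            continue
        if not sg_matches(ace.src_sg, src_sgt) or not sg_matches(ace.dst_sg, dst_sgt):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, index
    return "deny", None


if __name__ == "__main__":
    print(evaluate(CAMPUS_IN, "10.1.50.201", "10.1.129.8", "tcp", 80))   # tagged user to web server
    print(evaluate(CAMPUS_IN, "10.1.50.202", "10.1.129.8", "tcp", 80))   # campus host with no binding
```

The second call shows the failure mode to keep in mind when troubleshooting: a host whose IP-SGT binding has not reached the ASA is evaluated as Unknown, so it skips the security-group ACE and is caught by the campus-to-DC deny even if its user is in LOB_web_users. Checking show cts sgt-map before suspecting the ACL is the quickest way to tell the two apart.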
Step 8
Note: The # in p##-w7pc-guest is the assigned 2-digit pod number; e.g. p22-w7pc-guest for pod 22.
c.
Establish the wired connection by SSH-ing to 3k-access and issuing no shut on the switch interface
g0/1. Wait for the DOT1X authentication to time out (~2 minutes) and fail over to MAB.
MAC Address     0010.1888.27cc
Method          mab
Domain          DATA
Status          Authz Success
Session ID      0A01FA02000000060F952EE8
3k-access#
i.
Note: Stop once the login page of CTS DB Test is visible. We will login onto the test DB in the second part of the Lab.
Time   S   Identity             Endpoint ID           AuthZ Profiles                      Event          Session ID
t-4        employee1            nn:nn:nn:nn:nn:nn     PERMIT_ALL_TRAFFIC,LOB_web_users                   nnnn
t-3        employee1            nn:nn:nn:nn:nn:nn                                         Dynamic Auth   nnnn
t-2        nn:nn:nn:nn:nn:nn    nn:nn:nn:nn:nn:nn                                         Guest Auth     nnnn
t-1        nn:nn:nn:nn:nn:nn    nn:nn:nn:nn:nn:nn     Wired_CWA                           Auth
k.
l.
m. Verify the IP-SGT bindings on the ASA that are learnt from all its peers, in both the control plane and the accelerated security
path (ASP):
show cts sgt-map (Control Plane command)
show asp table cts sgt-map (Data Path command)
asa/cx-ent# show cts sgt-map
...
SGT      : 3:LOB_web_servers
IPv4     : 10.1.129.8
Peer IP  : 10.1.129.3
Ins Num  : 1
Status   : Active
...
SGT      : 2:LOB_web_users
IPv4     : 10.1.50.201
Peer IP  : 10.1.29.2
Ins Num  : 1
Status   : Active
asa/cx-ent#
Step 9
b. Click on the short-cut vnc-to-ipad on the taskbar to start a VNC session to the iPad.
c.
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold Left mouse button and move the mouse pointer to scroll
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want
to type into and click on it.
d. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: If no profiles, you might not see the profiles menu option.
e. Next, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
f. Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi.
h. Launch Mobile Safari app and browse to http://web.demo.local. This shall redirect to the ISE
Guest Portal.
Note: Accept/Confirm any browser certificate warnings or AUP (acceptable user policy) if present.
i. Repeat the previous step (8) h ~ n of this exercise to verify the wireless access for the iPad.
Lab Exercise 5: Campus-to-DC Use ASDM to Interact with ASA TrustSec Features
Exercise Objective
In this exercise, your goal is to familiarize yourself with basic ASDM operations for TrustSec. This includes
completion of the following tasks:
Step 1
on the desktop
c. Click OK to connect.
Step 2
Switch to context cx-ent: In the device list on the left-hand-side panel, connect to cx-ent by double-clicking on the named context.
Step 3
b. Verify the SXP peers, default source, default password, timers, Server Group.
c. (Optional, as already done via CLI in Exercise 2 Step 6) Click on Import PAC to import the
PAC from the local machine
d. (Optional) Check/un-check the checkbox next to Enable SGT Exchange Protocol (SXP) to
enable/disable SXP
Step 5
Repeat Exercise 4 Step 7 to send traffic and verify the policies applied correctly.
Part 2 covers a use case of using the ASA to segment server-to-server communication within a data center network. The goal is to allow a specific group of servers (LOB_web_servers) to access the data on another (LOB_db_servers). ASA enforcement may be in either routed or transparent/bridge mode, and in either single or multiple contexts. An ASA context in transparent mode is used in this part of the exercises.
Lab Exercise 6: Intra-DC Configure Network Devices and Security Groups in ISE
Exercise Objective
In this exercise, your goal is to configure ASA as a network device in ISE so that it may receive
TrustSec security groups. This includes completion of the following tasks:
Step 1
Step 2
Attribute                                              Value
Name                                                   cx-lob (see Note 1)
IP Address                                             10.1.129.2 / 32
Device Type                                            ASA
Location                                               GOLD-Lab
Device Id                                              cx-lob
Password                                               Anything (see Note 2)
SGA Notifications and Updates
  Download environment data every                      1 Days
  Download peer authorization policy every             1 Days
  Reauthentication every                               1 Days
  Download SGACL lists every                           1 Days
  Other SGA devices to trust the device
  Notify this device about SGA configuration changes
Device Configuration Deployment                        (None configured)
Out Of Band (OOB) SGA PAC
  Issue Date
  Expiration Date
  Issue By
                                                       Generate PAC
Note 1: The Name (Device ID) must be the same as that of the context name in ASA. It is included in the PAC for ASA to
authenticate and retrieve the SG table from ISE.
Note 2: The device password is not used because ASA supports only OOB PAC provisioning but needs to be a valid and nonempty string in order to save the NAD object.
c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog
box, input ISEisC00L as the Encryption Key.
Identity            cx-lob
Encryption Key      ISEisC00L
PAC Time to Live    1 Years
Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).
d. Click on Generate PAC and save the resulting pac file to the default Downloads folder.
e. Click Submit when finished.
Note: If Submit does not work, log off and back into the ISE admin web interface and repeat Step 2 again.
Step 3
Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select
Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.
You are now done preparing the ISE for the ASA context cx-lob to download the TrustSec environment data.
Lab Exercise 7: Intra-DC Configure ASA to Download Security Group Table
Exercise Objective
In this exercise, your goal is to work on a transparent context in the ASA and configure it to download
the TrustSec security group table from ISE:
Step 1
If disconnected, restart the putty ssh session to asa with the credentials admin / ISEisC00L
Step 2
At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#
Step 3
Step 9
Review the running-config of the network interfaces and routing with the following CLI
commands in configuration mode:
show run interface
show run route
asa/cx-lob# show run interface
!
interface BVI1
ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif web
bridge-group 1
security-level 8
!
interface GigabitEthernet0/3
nameif db
bridge-group 1
security-level 9
asa/cx-lob# show run route
route web 0.0.0.0 0.0.0.0 10.1.129.1 1
Step 4
Add AAA server group and host and designate it as the cts server group with the following CLI
commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (web) host 10.1.100.21
authentication-port 1812
accounting-port 1813
cts server-group ts-ise
Step 5
On the admin PC, move the cx-lob.pac file from admin's Downloads folder to C:\inetpub\ftproot\.
Then import it at the ASA:
cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
asa/cx-lob# cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
!PAC Imported Successfully
Step 6
Note: The initiator identifier (I-ID) is cx-lob and A-ID-Info is ise demo. The authority identifier (A-ID) was configured in Lab Exercise 1
Step 2, and the I-ID in Lab Exercise 6 Step 2.
asa/cx-lob# show cts environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          04:00:14 UTC Aug 27 2012
Env-data expires in:       0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:48:34 (dd:hr:mm:sec)
Note: If the download fails, check ISE live log and the NAD configuration for ASA.
asa/cx-lob# show cts environment-data sg-table
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 6 of 6 entries
SG Name            SG Tag   Type
------             ------   ------------
ANY                65535    unicast
LOB_db_servers     4        unicast
LOB_web_servers    3        unicast
LOB_web_users      2        unicast
Unknown            0        unicast
This ASA context now has the TrustSec security group name-to-tag mapping. We will use it in an ACL in later exercises.
Lab Exercise 8: Intra-DC Configure SXP in Network Devices
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
Configure ASA context cx-lob as the SXP listener to peer with the switch 3k-data
Configure the switch 3k-data as the SXP peer for the ASA context cx-lob
Step 2
Note: SXP default password is set and the SXP service enabled previously in Part 1 Exercise 3 Step 3.
c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief
3k-data# show cts sxp connections brief
 Reconcile period: 120 secs
 Retry open timer is running
----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On                3:10:35:23 (dd:hr:mm:sec)
10.1.129.2       10.1.129.3       On                0:00:38:33 (dd:hr:mm:sec)

Total num of SXP Connections = 2
3k-data#
This ASA context cx-lob has now peered with 3k-data and shall get the IP-SGT mapping from it.
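A quick health check for the SXP peering verified in this exercise and in Exercise 3: the Python below is an added example (this guide's own illustration, not a Cisco tool) that parses the output of show cts sxp connections brief and reports every expected peer whose connection is not On, which is the symptom the WLC note in Exercise 3 Step 6 describes. The sample output is constructed to mirror the 3k-data output above, with a third peer (10.1.129.9, an assumed address) that has not come up; the Pending_On status string is an assumption about what IOS prints for such a peer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the 3k-data output above, with a third peer
# (10.1.129.9, assumed) that has not yet come up.
SAMPLE_SXP_BRIEF = """\
 Reconcile period: 120 secs
 Retry open timer is running
----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On                3:10:35:23 (dd:hr:mm:sec)
10.1.129.2       10.1.129.3       On                0:00:38:33 (dd:hr:mm:sec)
10.1.129.9       10.1.129.3       Pending_On        0:00:00:00 (dd:hr:mm:sec)

Total num of SXP Connections = 3
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# peer, source, status, then the dd:hr:mm:sec duration
ROW_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+(\d+):(\d+):(\d+):(\d+)")
TOTAL_RE = re.compile(r"Total num of SXP Connections\s*=\s*(\d+)")


def parse_sxp_brief(text: str) -> List[Dict[str, object]]:
    """One dict per connection row: peer, source, status and uptime in seconds."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        peer, source, status, dd, hh, mm, ss = m.groups()
        uptime = ((int(dd) * 24 + int(hh)) * 60 + int(mm)) * 60 + int(ss)
        rows.append({"peer": peer, "source": source, "status": status, "uptime": uptime})
    return rows


def sxp_problems(text: str, expected_peers: List[str]) -> Tuple[List[str], bool]:
    """Expected peers that are missing or not On, and whether the printed total
    matches the number of rows actually parsed (a parsing or truncation guard)."""
    rows = parse_sxp_brief(text)
    by_peer = {r["peer"]: r for r in rows}
    not_on = sorted(p for p in expected_peers if by_peer.get(p, {}).get("status") != "On")
    m = TOTAL_RE.search(text)
    count_ok = m is not None and int(m.group(1)) == len(rows)
    return not_on, count_ok


if __name__ == "__main__":
    problems, ok = sxp_problems(SAMPLE_SXP_BRIEF, ["10.1.129.1", "10.1.129.2", "10.1.129.9"])
    print("peers not On:", problems, "| row count consistent:", ok)
```

Running this against the real output (pasted from the switch) after each peering change gives an immediate list of the peers that need the off/on toggle or re-creation described in the WLC note, instead of reading the table by eye.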
Lab Exercise 9: Intra-DC Source and Destination IP-SGT
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
c. Verify the static IP-SGT binding with the following CLI command in exec mode:
show cts role-based sgt-map all
Step 2
! Add an ACL with a single ACE (one line)
access-list web_in extended permit tcp security-group name LOB_web_servers any security-group name LOB_db_servers any eq 3306 log
! Apply it to web
access-group web_in in interface web
c.
Step 3
Test on w7pc-guest
a. Switch back to the console of w7pc-guest via the VMware client.
b. If needed, log in again to Windows as admin / ISEisC00L
c. Log in to the TS TEST DB page:
Username    admin
Password    ISEisC00L
g. Verify the IP-SGT bindings on the ASA that are learnt from all its peers, in both the control plane and the accelerated security
path (ASP):
show cts sgt-map (Control Plane command)
show asp table cts sgt-map (Data Path command)
asa/cx-lob# show cts sgt-map
...
SGT      : 3
IPv4     : 10.1.129.8
Peer IP  : 10.1.129.1
Ins Num  : 1
Status   : Active
...
SGT      : 4
IPv4     : 10.1.129.20
Peer IP  : 10.1.129.1
Ins Num  : 1
Status   : Active
asa/cx-lob#
i.
Step 2
Create a new context cx-lob with the following CLI commands in configuration mode:
context cx-lob
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/cx-lob.cfg
exit
interface GigabitEthernet0/2
no shut
interface GigabitEthernet0/3
no shut
asa# configure terminal
asa(config)# context cx-lob
Creating context 'cx-lob... Done. (5)
asa(config-ctx)# allocate-interface GigabitEthernet0/2
asa(config-ctx)# allocate-interface GigabitEthernet0/3
asa(config-ctx)# config-url disk0:/cx-lob.cfg
WARNING: Could not fetch the URL disk0:/cx-lob.cfg
INFO: Creating context with default config
asa(config)# interface gigabitEthernet 0/2
asa(config-if)# no shut
asa(config-if)# interface gigabitEthernet 0/3
asa(config-if)# no shut
asa(config)# end
asa#
Step 3
Change to the new context cx-lob by CLI command changeto context cx-lob
asa# changeto context cx-lob
asa/cx-lob#
Step 4
Update the firewall mode and the interfaces with the following CLI commands in configuration
mode:
! Change to transparent mode
firewall transparent
!
interface BVI1
ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif web
bridge-group 1
security-level 9
!
interface GigabitEthernet0/3
nameif db
bridge-group 1
security-level 10
!
! default gateway is the web interface of ASA context cx-ent
route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob# configure terminal
asa/cx-lob(config)# firewall transparent
asa/cx-lob(config)# interface BVI1
asa/cx-lob(config-if)# ip address 10.1.129.2 255.255.255.0
asa/cx-lob(config-if)# exit
asa/cx-lob(config)# interface GigabitEthernet0/2
asa/cx-lob(config-if)# nameif web
asa/cx-lob(config-if)# bridge-group 1
asa/cx-lob(config-if)# security-level 9
asa/cx-lob(config-if)# !
asa/cx-lob(config)# interface GigabitEthernet0/3
asa/cx-lob(config-if)# nameif db
asa/cx-lob(config-if)# bridge-group 1
asa/cx-lob(config-if)# security-level 10
asa/cx-lob(config-if)# !
asa/cx-lob(config-if)# route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob(config)# end
asa/cx-lob#