
Page 1: Ts Sgfw-Asa Lab Guide 2013-09-13

Lab Overview EDCS-1224105

TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 1 of 42

 

Cisco TrustSec™ Secure Group Firewall with ASA Lab Guide

Developers and Lab Proctors

This lab is created by SAMPG TME teams.

Lab Overview

This lab is designed to help attendees understand the basics in deploying Cisco TrustSec™ Security Group Firewall (SGFW) with Adaptive Security Appliance (ASA) and Identity Services Engine (ISE). Lab participants should be able to complete the lab within the allotted time of 3 hours.

Lab Exercises

This lab guide includes the following exercises:

Part 1 Campus-to-DC SGFW Enforcement with ASA

• Lab Exercise 1 : Campus-to-DC – Configure Network Devices and Security Groups in ISE

• Lab Exercise 2 : Campus-to-DC – Configure ASA to download Security Group table

• Lab Exercise 3 : Campus-to-DC – Configure SXP in Network Devices

• Lab Exercise 4 : Campus-to-DC – Source and Destination IP-SGT

• Lab Exercise 5 : Campus-to-DC – Use ASDM to interact with ASA TrustSec features

Part 2 Intra-DC SGFW Enforcement with ASA

• Lab Exercise 6 : Intra-DC – Configure Network Devices and Security Groups in ISE

• Lab Exercise 7 : Intra-DC – Configure ASA to download Security Group table

• Lab Exercise 8 : Intra-DC – Configure SXP in Network Devices

• Lab Exercise 9 : Intra-DC – Source and Destination IP-SGT


Product Overview

Cisco Secure Access and TrustSec™ is the Borderless Network access control solution, providing visibility into and control over the devices and users on the network.

Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure using built-in, standards-based controls. Cisco ISE offers:

• Security: Secures your network by providing real-time visibility into and control over the users and devices on your network.

• Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.

• Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.

• Enablement: Allows IT to support a range of new business initiatives, such as bring your own device (BYOD), through policy-enabled services.

Lab Topology


Lab IP and VLANs

Internal IP Addresses

Device                            Name/Hostname                                  IP Address
Access Switch (3560X)             3k-access.demo.local                           10.1.100.1
Data Center Switch (3560CG)       3k-data.demo.local                             10.1.129.3
Wireless LAN Controller (2504)    wlc.demo.local                                 10.1.100.61
Wireless Access Point (2602i)     ap.demo.local                                  10.1.90.x/24 (DHCP)
ASA (5515-X)                      asa.demo.local                                 10.1.100.2
ISE Appliance                     ise-1.demo.local                               10.1.100.21
ISE Feed Server                   ise-feedserver.demo.local                      10.1.100.41
AD (AD/CS/DNS/DHCP)               ad.demo.local                                  10.1.100.10
NTP Server                        ntp.demo.local                                 128.107.212.175
MobileIron                        mobileiron.demo.local                          10.1.100.15
Mail                              mail.demo.local                                10.1.100.40
LOB Web                           lob-web.demo.local, portal.demo.local,         10.1.129.12, 10.1.129.8,
                                  updates.demo.local, business.demo.local,       10.1.129.9, 10.1.129.10,
                                  it.demo.local, records.demo.local              10.1.129.11
LOB DB                            lob-db.demo.local                              10.1.129.20
Admin (Management) Client         admin.demo.local, ftp.demo.local               10.1.100.6
  (also FTP Server)
Windows 7 Client PC               w7pc-guest.demo.local                          10.1.50.x/24 (DHCP)

Internal VLANs and IP Subnets

VLAN   VLAN Name       IP Subnet       Description
10     ACCESS          10.1.10.0/24    Authenticated users or access network using ACLs
20     MACHINE         10.1.20.0/24    Microsoft machine-authenticated devices (L3 segmentation)
(29)   IC-ASA-ACCESS   10.1.29.0/24    Interconnect subnet between ASA and Access switch
30     QUARANTINE      10.1.30.0/24    Unauthenticated or non-compliant devices (L3 segmentation)
40     VOICE           10.1.40.0/24    Voice VLAN
50     GUEST           10.1.50.0/24    Network for authenticated and compliant guest users
90     AP              10.1.90.0/24    Wireless AP VLAN


Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

Accounts and Passwords

Connecting to Lab Devices

Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.

Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD

Step 1 Launch the Remote Desktop application on your system.

a. In the LabOps student portal, click on the Topology tab.

b. Click on the Admin PC, and then click on the RDP Client option that appears.

VLAN   VLAN Name       IP Subnet       Description   (Internal VLANs and IP Subnets, continued)
100    Management      10.1.100.0/24   Network services (AAA, AD, DNS, DHCP, etc.)
129    WEB             10.1.129.0/24   Line-of-business Web servers
130    DB              10.1.130.0/24   Line-of-business Database servers

Access To                              Account (username/password)
Access Switch (3560X)                  admin / ISEisC00L
Data Center Switch (3560X)             admin / ISEisC00L
Wireless LAN Controller (2504)         admin / ISEisC00L
ASA (5515-X)                           admin / ISEisC00L
ISE Appliances                         admin / ISEisC00L
AD (CS/DNS/DHCP)                       admin / ISEisC00L
Web Servers                            admin / ISEisC00L
Admin (Management) Client              admin / ISEisC00L
Windows 7 Client                       W7PC-guest\admin / ISEisC00L
  (Local = W7PC-guest or W7PC-corp)    DEMO\admin / ISEisC00L
  (Domain = DEMO)                      DEMO\employee1 / ISEisC00L


c. Clicking on this option should launch your RDP client and connect you to the Admin PC. Login as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin PC.

Note: If the lab is manually delivered, the lab proctors will provide the access info.

Connect to ESXi Server and Virtual Machines

During the lab exercises, you may need to access and manage the computers running as virtual machines.

Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop.

Step 2 Once logged in, you will see a list of VMs that are available on your ESXi server:

Step 3 You have the ability to power on, power off, or open the console (view) of these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options.

Step 4 To access the VM console, select Open Console from the drop-down.


Step 5 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:

Connect to Lab Devices

To access the command line interfaces (CLI) of the lab switches, ISE servers, and others using SSH:

Step 1 From the Admin client PC, right-click on the PuTTY shortcut in the taskbar. Then, select SSH, Telnet and Rlogin client from the pop-up menu.

Step 2 If the device name is present in the saved sessions, double-click on the saved session item that matches the device name (e.g., ise-1). If not, input the hostname or IP address of the desired device in the Host Name (or IP address) field and click Open.

Step 3 If prompted, click Yes to cache the server host key and to continue login.

Step 4 Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions

Basic Connectivity Test

To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:

Verify that ping succeeds for all devices tested by the script.

Note: The ping test may fail for VMs that have not yet completed the boot process.


Basic ISE Configuration

Step 1 Access the ISE administrative web interface.

At Admin PC, launch Mozilla Firefox web browser. Enter this URL in the address bar:

https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present.

Login with username admin and password ISEisC00L

Step 2 Join to the Active Directory.

a. Go to Administration > Identity Management > External Identity Sources.

b. Pick Active Directory from the left-hand-side panel, and select ise-1 in the right-hand-side connection tab.

c. Click Join with AD domain admin credentials: administrator / ISEisC00L

Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check whether the NTP service is working. The NTP service may be corrected by reloading ise-1 or resetting the VM.

Step 3 Disable log collection suppression

Starting with ISE 1.2, log suppression is on by default to reduce monitoring data storage. To see all log entries during troubleshooting, suppression can be disabled either globally or selectively per collection filter. In this lab, we will disable it globally, as shown in (a) below.

a. Disable suppression globally

i. Go to Administration > System > Settings, expand on Protocols, and select RADIUS.

ii. Clear the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful Authentications.


iii. Click Save when done.

b. (For reference only) Disable suppression per collection filter

i. Go to Administration > System > Logging, expand on Collection Filters, and click on Add for a new filter.

ii. Select an attribute from the drop-down menu.

iii. Enter a value to match the attribute in (ii).

iv. Select Disable Suppression from the drop-down menu.

v. Click Submit.

Part 1: Campus-to-DC SGFW Enforcement with ASA

Logical Topology

Part 1 covers a common use case of using ASA to control network access from a campus network to a data center network. The goal is to allow a specific group of users (LOB_web_users) in the campus to reach the web sites inside the data center. ASA enforcement may be in either routed or transparent mode, and in either single or multiple contexts. An ASA context in routed mode is presented here.


Lab Exercise 1: Campus-to-DC – Configure Network Devices and Security Groups in ISE

Exercise Description This lab exercise covers the ISE configurations to prepare network devices for RADIUS authentication and for retrieval of Cisco TrustSec™ environment data. It also provisions the security groups for Campus-to-DC access control.

Exercise Objective In this exercise, your goal is to configure ASA as a network device that receives Cisco TrustSec™ environment data, in addition to the access-level switch and WLC. This includes completion of the following tasks:

• Update the authority ID in EAP-FAST settings

• Verify the existing network devices – 3k-access and wlc

• Add an ASA (context) as a new network device

• Create TrustSec security groups

Step 4 Access the ISE administrative web interface.

a. On Admin PC, launch Mozilla Firefox web browser. Enter this URL in the address bar:

https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L. The ISE Dashboard should display. Navigate the interface using the multi-level menus.

Step 5 Update EAP-FAST A-ID

a. Navigate to Administration > System > Settings. From there, go to Protocols > EAP-FAST > EAP FAST Settings.

b. In the text box next to Authority Identity Info Description, change the text to ise demo.

This will appear as part of the PAC in later exercises. It should be a unique string that identifies the ISE deployment that distributes the PAC files.

c. Click Save.

Step 6 Verify the Wireless LAN Controller configured as a Network Access Device in ISE

a. Navigate to Administration > Network Resources > Network Devices

b. Under Network Devices in the right-hand panel, select wlc.

c. Check this network device pre-configured with the values shown in the following table:

Attribute                    Value
Name                         wlc
Description                  -
IP Address                   10.1.100.61 / 32
Model Name                   -
Software Version             -
Device Type                  WLC
Location                     GOLD-Lab
☑ Authentication Settings
  Protocol                   RADIUS
  Shared Secret              ISEisC00L

d. Update as needed and click Save when finished.

Step 7 Verify the access switch 3k-access configured as a Network Access Device in ISE

a. Go back up to the Network Device List at Administration > Network Resources > Network Devices by clicking on its breadcrumb hyperlink.

b. Under Network Devices in the right-hand panel, select 3k-access.

c. Check this network device is preconfigured with the values shown in the following table:

Attribute                    Value
Name                         3k-access
Description                  -
IP Address                   10.1.100.1 / 32
Model Name                   -
Software Version             -
Device Type                  IOS-SW
Location                     GOLD-Lab
☑ Authentication Settings
  Protocol                   RADIUS
  Shared Secret              ISEisC00L

d. Update as needed and click Save when finished.

Step 8 Add an ASA context cx-ent as a Network Access Device in ISE

a. Go back up to the Network Device List at Administration > Network Resources > Network Devices by clicking on its breadcrumb hyperlink.

b. In the toolbar area, click on the button Add and enter the values for the new device as shown in the following table:

Attribute                                              Value
Name                                                   cx-ent (see Note 1)
Description                                            -
IP Address                                             10.1.29.1 / 32
Model Name                                             -
Software Version                                       -
Device Type                                            ASA
Location                                               GOLD-Lab
☑ Advanced TrustSec Settings
  Device Authentication Settings
    Use Device ID for SGA                              ☑
    Device Id                                          cx-ent
    Password                                           Anything (see Note 2)
  SGA Notifications and Updates
    Download environment data every                    1 Days
    Download peer authorization policy every           1 Days
    Reauthentication every                             1 Days
    Download SGACL lists every                         1 Days
    Other SGA devices to trust the device              ☑
    Notify this device about SGA configuration changes ☐
  Device Configuration Deployment                      (None configured)


Attribute                                              Value
  Out Of Band (OOB) SGA PAC
    Issue Date
    Expiration Date
    Issue By
    [Generate PAC]

Note 1: The Name (Device ID) must be the same as the context name in ASA, which we will review in Lab Exercise 2. It is included in the PAC that ASA uses to authenticate to ISE and retrieve the SG table.

Note 2: The device password is not used because ASA supports only OOB PAC provisioning, but it must be a valid, non-empty string in order to save the NAD object.

c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog box, input ISEisC00L as the Encryption Key.

Identity            cx-ent
Encryption Key      ISEisC00L
PAC Time to Live    1 Years

Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).

d. Click on Generate PAC. In the pop-up window Opening cx-ent.pac of the Firefox browser, click OK to accept the default Save File option to save the resulting pac file to the default Downloads folder.

e. Click Submit when finished.

Step 9 Add Security Groups in ISE

a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security Group Access > Security Groups.

Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.

b. Add security group LOB_web_users

i. In the right panel, click Add.

ii. Input LOB_web_users into the Name field.

iii. Submit to save this new security group with the assigned tag.

c. Add security group LOB_web_servers

i. In the right panel, click Add.

ii. Input LOB_web_servers into the Name field.

iii. Submit to save this new security group with the assigned tag.

d. The resulting Name-SGT table should be similar to the following:

Name                SGT (Dec / Hex)
Unknown             0 / 0000
LOB_web_users       2 / 0002
LOB_web_servers     3 / 0003

You are now done preparing the ISE for the ASA context to download the TrustSec environment data.

☑ End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 2: Campus-to-DC – Configure ASA to download Security Group table

Exercise Description This exercise will show how to enable an ASA context to download the security group (name-to-tag) table from ISE.

Exercise Objective In this exercise, your goal is to work on a routed firewall context in ASA and configure it to download TrustSec Security Group table from ISE:

• Create an AAA server group to include ISE as the TrustSec server

• Import EAP-FAST PAC generated from ISE

• Verify SG table download

Step 1 Use putty to ssh to asa with the credentials admin / ISEisC00L

Step 2 At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.

asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3 Switch the context to cx-ent by CLI command changeto context cx-ent

asa# changeto context cx-ent
asa/cx-ent#

Step 4 Review the running-config of the network interfaces and routing with the following CLI commands in configuration mode:

show run interface
show run route

asa/cx-ent# show run interface
interface GigabitEthernet0/0
 nameif campus
 security-level 29
 ip address 10.1.29.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif web
 security-level 100
 ip address 10.1.129.1 255.255.255.0
!
interface GigabitEthernet0/5
 nameif internet
 security-level 0
 ip address n0.n1.n2.n3 255.255.255.128
asa/cx-ent# show run route
route internet 0.0.0.0 0.0.0.0 n0.n1.n2.129 1
route campus 10.1.0.0 255.255.128.0 10.1.29.2 1


Step 5 Create AAA server group ts-ise, add ISE as the host, then designate it as the CTS server group with the following CLI commands in configuration mode:

aaa-server ts-ise protocol radius
aaa-server ts-ise (campus) host 10.1.100.21
 authentication-port 1812
 accounting-port 1813

cts server-group ts-ise

asa/cx-ent# configure terminal
asa/cx-ent(config)# aaa-server ts-ise protocol radius
asa/cx-ent(config-aaa-server-group)# aaa-server ts-ise (campus) host 10.1.100.21
asa/cx-ent(config-aaa-server-host)# authentication-port 1812
asa/cx-ent(config-aaa-server-host)# accounting-port 1813
asa/cx-ent(config-aaa-server-host)# cts server-group ts-ise
asa/cx-ent(config)# end
asa/cx-ent#

Step 6 On the admin PC, move the cx-ent.pac file from admin’s Downloads folder to C:\inetpub\ftproot\ on the admin PC. Then, import it into cx-ent:

cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L

asa/cx-ent# cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L
!PAC Imported Successfully
asa/cx-ent#

Step 7 Verify the PAC, the environment-data, and the SG table retrieved:

show cts pac
show cts environment-data
show cts environment-data sg-table

asa/cx-ent# show cts pac
PAC-Info:
  Valid until: Aug 25 2013 23:42:16
  AID: 0215c9b539f4f2f56a716ea5d4a04132
  I-ID: cx-ent
  A-ID-Info: ise demo
  PAC-type: Cisco Trustsec
PAC-Opaque:
  000200b000030001000400100215c9b539f4f2f56a716ea5d4a0413200060094000301
  00f85bbc5db6fea2d861e26c8d708a717200000001503707f300093a8002ae211d90b7
  e2f4829d24eddfbf3c36b4d4766614463e7bb80ff5ee00532e0c725e0629da6652a518
  89d66396e9ffaedbc13481e328f423d82ba6f00e82944fa191e9c84c5c10da94a85b18
  c4cb60b1e6edcea331480164ab77a8dad7931a4d598c63b2672c3bb7b23028cdfd7965
  ae2ce0c4a1

Note: The initiator identifier (I-ID) is cx-ent and the A-ID-Info is ise demo. The A-ID-Info description was configured in Lab Exercise 1 Step 2, and the I-ID (Device ID) in Lab Exercise 1 Step 5.
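As an added check that is not part of the lab guide (constructed for this page, not Cisco's code), the Python below parses the show cts pac output and verifies the two identity fields the note describes against the values you configured, and warns when the PAC has expired or is about to: the PAC Time to Live chosen in Lab Exercise 1 was 1 year, and a PAC past its expiry cannot be used to refresh environment data from ISE. The context name, A-ID-Info string and sample output are taken from this exercise; the reference time is passed in so the check is reproducible.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the "show cts pac" output above; the
# PAC-Opaque blob is omitted because the checks below do not use it.
ASA_SHOW_CTS_PAC = """\
PAC-Info:
  Valid until: Aug 25 2013 23:42:16
  AID: 0215c9b539f4f2f56a716ea5d4a04132
  I-ID: cx-ent
  A-ID-Info: ise demo
  PAC-type: Cisco Trustsec
"""

# Timestamp format the ASA uses in "Valid until:"
PAC_TIME_FMT = "%b %d %Y %H:%M:%S"
FIELD_RE = re.compile(r"^\s*(Valid until|AID|I-ID|A-ID-Info|PAC-type):\s*(.+?)\s*$")


def parse_cts_pac(text):
    """Return the PAC-Info fields as a dict; 'Valid until' is converted to a datetime."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "Valid until" in fields:
        fields["Valid until"] = datetime.strptime(fields["Valid until"], PAC_TIME_FMT)
    return fields


def check_pac(text, context_name, aid_info, now=None, warn_days=30):
    """Return a list of problems; an empty list means the PAC looks right.

    context_name: the ASA context the PAC was generated for (Device ID in ISE).
    aid_info:     the Authority Identity Info Description configured in ISE.
    now:          reference time as a datetime or a PAC_TIME_FMT string
                  (defaults to the current time).
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, PAC_TIME_FMT)
    pac = parse_cts_pac(text)
    problems = []
    if pac.get("I-ID") != context_name:
        problems.append(f"I-ID is {pac.get('I-ID')}, expected {context_name}")
    if pac.get("A-ID-Info") != aid_info:
        problems.append(f"A-ID-Info is {pac.get('A-ID-Info')!r}, expected {aid_info!r}")
    valid_until = pac.get("Valid until")
    if valid_until is None:
        problems.append("no 'Valid until' field found; is a PAC imported?")
    elif valid_until <= now:
        problems.append(f"PAC expired on {valid_until:%Y-%m-%d}")
    elif valid_until - now < timedelta(days=warn_days):
        problems.append(f"PAC expires in {(valid_until - now).days} days")
    return problems


if __name__ == "__main__":
    # Evaluate the sample PAC as of 1 Aug 2013, shortly before its expiry.
    for issue in check_pac(ASA_SHOW_CTS_PAC, "cx-ent", "ise demo", "Aug 01 2013 00:00:00"):
        print("WARNING:", issue)
```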

asa/cx-ent# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 04:00:14 UTC Aug 27 2012
Env-data expires in: 0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in: 0:23:48:34 (dd:hr:mm:sec)

Note: If the download fails, check ISE live log and the NAD configuration for ASA. To refresh or retry the download, use this command:

cts refresh environment-data


asa/cx-ent# show cts environment-data sg-table
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 4 of 4 entries

SG Name            SG Tag   Type
-------            ------   -------------
ANY                65535    unicast
LOB_web_servers    3        unicast
LOB_web_users      2        unicast
Unknown            0        unicast

Step 8 Check ISE live authentication records for SG table download by the ASA

a. Switch to ISE admin web interface at the Firefox browser on the admin-PC

b. Re-login as admin / ISEisC00L if the session times out

c. Navigate to Operations > Authentications

i. Live log entries will be similar to below:

Time   S   Identity       Endpoint ID   Event
t-2    ✔   #CTSREQUEST#                 CTS Data Download Succeeded
t-1    ✔   #CTSREQUEST#                 CTS Data Download Succeeded

ii. The authentication results are in the tool-tip by hovering over the status column of each entry:

Time t-1

Authentication Result
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000050748C6D
Class=CACS:0a0164150000000050748C6D:ise-1/139170756/1
Termination-Action=RADIUS-Request
cisco-av-pair=cts:server-list=CTSServerList1-0001
cisco-av-pair=cts:security-group-tag=0000-00
cisco-av-pair=cts:environment-data-expiry=86400
cisco-av-pair=cts:security-group-table=0001-4

Time t-2

Authentication Result
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000150748C6D
Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-table=0001-4
cisco-av-pair=cts:security-group-info=0-0-00-Unknown
cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers

This ASA context cx-ent now has the name-to-tag mapping of TrustSec security groups. We will use it in an ACL in later exercises.
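To cross-check the download end to end, here is an added Python helper (constructed for this page, not part of the lab guide or of Cisco's software) that parses the cts:security-group-info av-pairs ISE returned in the live log and the ASA show cts environment-data sg-table output, and reports any group that is missing, stale, or carries a different tag on either side. Both inputs are constructed from the outputs shown in this exercise; the tag in the av-pair is hexadecimal, which is why ANY appears as ffff.

```python
import re

# Constructed sample: the ISE "Authentication Result" tool-tip for the second
# CTS data download (Time t-2) shown above, one attribute per line.
ISE_AUTH_RESULT = """\
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000150748C6D
Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-table=0001-4
cisco-av-pair=cts:security-group-info=0-0-00-Unknown
cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers
"""

# Constructed sample: the ASA "show cts environment-data sg-table" output shown above.
ASA_SG_TABLE = """\
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 4 of 4 entries

SG Name            SG Tag   Type
-------            ------   -------------
ANY                65535    unicast
LOB_web_servers    3        unicast
LOB_web_users      2        unicast
Unknown            0        unicast
"""

# cts:security-group-table=<generation id>-<number of groups sent>
SG_TABLE_RE = re.compile(r"cts:security-group-table=([0-9a-fA-F]+)-(\d+)")
# cts:security-group-info=<tag in hex>-<..>-<..>-<group name>; the two middle
# fields are not needed for this consistency check and are skipped.
SG_INFO_RE = re.compile(r"cts:security-group-info=([0-9a-fA-F]+)-\d+-\d+-(\S+)")
# "<SG Name> <SG Tag> unicast" rows of the ASA table
ASA_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+unicast$")


def parse_ise_sg_table(text):
    """Return (generation_id, advertised_count, {group name: tag}) from the ISE av-pairs."""
    m = SG_TABLE_RE.search(text)
    gen_id, count = (m.group(1), int(m.group(2))) if m else (None, None)
    table = {name: int(tag_hex, 16) for tag_hex, name in SG_INFO_RE.findall(text)}
    return gen_id, count, table


def parse_asa_sg_table(text):
    """Return {group name: tag} from 'show cts environment-data sg-table'."""
    table = {}
    for line in text.splitlines():
        m = ASA_ROW_RE.match(line.strip())
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def check_sg_table(ise_text, asa_text):
    """Return a list of discrepancies; empty means the ASA holds exactly what ISE sent."""
    gen_id, count, ise_table = parse_ise_sg_table(ise_text)
    asa_table = parse_asa_sg_table(asa_text)
    problems = []
    if count is None:
        problems.append("no cts:security-group-table attribute in the ISE result")
    elif count != len(ise_table):
        problems.append(f"ISE advertised {count} groups but sent {len(ise_table)}")
    for name, tag in ise_table.items():
        if name not in asa_table:
            problems.append(f"ASA is missing group {name} (tag {tag})")
        elif asa_table[name] != tag:
            problems.append(f"tag mismatch for {name}: ISE {tag}, ASA {asa_table[name]}")
    for name in asa_table:
        if name not in ise_table:
            problems.append(f"ASA has stale group {name} not in the ISE table")
    return problems


if __name__ == "__main__":
    issues = check_sg_table(ISE_AUTH_RESULT, ASA_SG_TABLE)
    print("SG table consistent" if not issues else "\n".join("MISMATCH: " + i for i in issues))
```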

☑ End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 3: Campus-to-DC – Configure SXP in Network Devices

Exercise Description

Currently ASA is not capable of in-line security group tagging. Instead, it supports the SGT Exchange Protocol (SXP) and can learn security group tags as an SXP listener. In this exercise you will establish SXP communications between the ASA context cx-ent and its three peers: 3k-access, 3k-data, and wlc.

Exercise Objective In this exercise, your goal is to complete the following tasks:

• Configure ASA context cx-ent as the SXP listener to peer with three other network devices

• Configure 3k-access as the SXP peer for the ASA context cx-ent

• Configure 3k-data as the SXP peer for the ASA context cx-ent

• Load wlc with a configuration file and configure it as the SXP peer for the ASA context cx-ent

Step 1 Configure ASA context cx-ent as the SXP listener

a. Back in the SSH session to the security context cx-ent on asa, provision the SXP connectivity with the following CLI commands in configuration mode:

! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.2 – 3k-access SVI for VLAN 29
cts sxp connection peer 10.1.29.2 password default mode local listener
! peer 10.1.129.3 – 3k-data SVI for management
cts sxp connection peer 10.1.129.3 password default mode local listener
! peer 10.1.100.61 – WLC management IP
cts sxp connection peer 10.1.100.61 password default mode local listener
! enable SXP
cts sxp enable

asa/cx-ent# configure terminal
asa/cx-ent(config)# cts sxp default password ISEisC00L
asa/cx-ent(config)# cts sxp conn peer 10.1.29.2 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.100.61 password default mode local listener
asa/cx-ent(config)# cts sxp enable
asa/cx-ent(config)# end
asa/cx-ent#

Step 2 Configure SXP on 3k-access

a. Use putty to ssh to 3k-access as admin / ISEisC00L

b. Provision the SXP connectivity with the following CLI commands in configuration mode:

! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.1 – asa/cx-ent campus IP
cts sxp connection peer 10.1.29.1 password default mode local
! enable SXP
cts sxp enable

3k-access# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3k-access(config)#cts sxp default password ISEisC00L
3k-access(config)#cts sxp conn peer 10.1.29.1 password default mode local
3k-access(config)#cts sxp enable


3k-access(config)#end
3k-access#

c. Verify the SXP connectivity with the following CLI command in exec mode:

show cts sxp connections brief

3k-access# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.29.1        10.1.29.2        On                3:10:28:54 (dd:hr:mm:sec)

Total num of SXP Connections = 1
3k-access#

Step 3 Configure SXP on 3k-data

a. Use putty to ssh to 3k-data as admin / ISEisC00L

b. Provision the SXP connectivity with the following CLI commands in configuration mode:

! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.1 – asa/cx-ent web IP
cts sxp connection peer 10.1.129.1 password default mode local
! enable SXP
cts sxp enable

3k-data# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3k-data(config)#cts sxp default password ISEisC00L
3k-data(config)#cts sxp conn peer 10.1.129.1 password default mode local
3k-data(config)#cts sxp enable
3k-data(config)#end
3k-data#

c. Verify the SXP connectivity with the following CLI command in exec mode:

show cts sxp connections brief

3k-data# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On                3:10:35:23 (dd:hr:mm:sec)

Total num of SXP Connections = 1
3k-data#


Step 4 Load WLC configuration for the lab

a. Login to WLC web interface https://wlc.demo.local as admin / ISEisC00L

b. Navigate to the top menu COMMANDS. Then, choose Download File from the left panel.

c. In Download file to Controller page, fill in the form as below:

Note: The “##” in p##-wlc-sgfw.txt is to be replaced with the assigned 2-digit pod number; e.g. p02-wlc-sgfw.txt for pod 02.

d. Click on the button Download to start the file transfer.

e. Wait for the transfer and reset to complete. Note: WLC will reset after downloading configuration from an external file server. During the reset, use ping -t wlc to monitor.

Step 5 Configure SXP on WLC

a. Use putty to ssh to wlc as admin / ISEisC00L

b. Provision the SXP connectivity with the following CLI commands:

! set SXP default password
config cts sxp default password ISEisC00L
! peer 10.1.29.1 – asa/cx-ent campus IP
config cts sxp connection peer 10.1.29.1
! enable SXP
config cts sxp enable

(Cisco Controller)
User: admin
Password: ISEisC00L
(Cisco Controller) >config cts sxp default password ISEisC00L
(Cisco Controller) >config cts sxp conn peer 10.1.29.1
(Cisco Controller) >config cts sxp enable
(Cisco Controller) >

Note: For configuring SXP via WLC web UI, see WLC Configuration Guide http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0111111.html#ID4849

c. Verify the SXP connectivity with the following CLI commands:

show cts sxp summary
show cts sxp connections

(Cisco Controller) >show cts sxp summary
Total num of SXP Connections..................... 1
SXP State........................................ Enable
SXP Mode......................................... Speaker
SXP Version...................................... 2
Default Password................................. ****
Default Source IP................................ 10.1.100.61
Connection retry open period .................... 120

Form values for Step 4 c (Download file to Controller):

File Type                      Configuration
Configuration File Encryption  ☐ (unchecked)
Transfer Mode                  FTP
Server Details
  IP Address                   10.1.100.6
  File Path                    /
  File Name                    p##-wlc-sgfw.txt
  Server Login Username        ftp
  Server Login Password        ftp
  Server Port Number           21


(Cisco Controller) >show cts sxp connections
Total num of SXP Connections..................... 1
SXP State........................................ Enable
Peer IP          Source IP        Connection Status
---------------  ---------------  -----------------
10.1.29.1        10.1.100.61      On

Step 6 Verify SXP peering status on ASA

a. Back in the SSH session to the security context cx-ent on asa, verify the SXP connectivity with the following CLI command in exec mode:

show cts sxp connections brief

asa/cx-ent# show cts sxp connections brief
SXP               : Enabled
Highest version   : 2
Default password  : Set
Default local IP  : Not Set
Reconcile period  : 120 secs
Retry open period : 120 secs
Retry open timer  : Running
Total number of SXP connections: 3
Total number of SXP connections shown: 3
---------------------------------------------------------------------------
Peer IP          Local IP         Conn Status   Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------
10.1.29.2        10.1.29.1        On            0:00:02:24
10.1.100.61      10.1.29.1        On            0:00:27:29
10.1.129.3       10.1.129.1       On            0:00:00:24
asa/cx-ent#

Note: If the connection status with the wlc does not become On after a long wait, it may be due to a known defect in WLC 7.2 and 7.3, CSCtx92968 (WLC SXP peering with ASA after long (random) delay). The workaround is to toggle the SXP status off and then on, or to delete and re-create the peer on the wlc.

This ASA context has now peered with three other network devices and shall receive the IP-SGT mappings from them.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.

 


Lab Exercise 4: Campus-to-DC – Source and Destination IP-SGT

Exercise Description This exercise shows how the ASA context cx-ent receives IP-SGT maps from its three peers and uses them in an ACL.

Exercise Objective In this exercise, your goal is to complete the following tasks:

• Configure ISE to use security groups in the authorization policy.

• Provision static IP-SGT binding on 3k-data.

• Configure ASA ACL with security-group.

Step 1 Access the ISE administrative web interface

a. Use Firefox on the admin PC, login https://ise-1.demo.local as admin / ISEisC00L

Step 2 Join the Active Directory domain.

a. Go to Administration > Identity Management > External Identity Sources.

b. Pick Active Directory from the left-hand-side panel.

c. Select ise-1 in the right-hand-side connection tab.

d. If the status is Not Joined to Domain, click Join, enter the AD domain admin credentials admin / ISEisC00L, and click OK.

Wait until the operation status shows ✔ Completed before clicking Close to dismiss the pop-up.

Step 3 Add AD Group LOB_web_users

a. Stay in Active Directory then click on the tab Groups

b. Click on Add and Select Group From Directory from the drop-down menu

c. In the pop-up window Select Directory Groups, use LOB* as the filter and click on Retrieve Groups…

d. Put a ✔ check mark on the item demo.local/HCC/Groups/LOB_web_users and click OK.

e. Click Save configuration so the external group is made available in the ActiveDirectory system dictionary.

 


Step 4 Review the pre-configured authentication policy under Policy > Authentication as summarized below. The modified elements from defaults are highlighted in Yellow.

Status  Name                        Condition                           Protocols                               Identity Source             Options
✔       MAB                         IF Wired_MAB OR Wireless_MAB        allow protocols HostLookup              and use Internal Endpoints  Reject / Continue / Drop
✔       Dot1X                       IF Wired_802.1X OR Wireless_802.1X  allow protocols PEAP-MSCHAPv2-o-TLS
        - EAP-TLS                   IF EAP-TLS                                                                  and use certAuthSCN         Reject / Reject / Drop
        - Default                                                                                               and use demoAD              Reject / Reject / Drop
✔       Default Rule (if no match)                                      allow protocols Default Network Access  and use DenyAccess          Reject / Reject / Drop

Step 5 Update Authorization Policy to return security group tags. Note: We start with a set of preconfigured authorization rules for DOT1X and MAB, and then apply security tags on top of them.

a. Navigate to Policy > Authorization

b. For the rule demoAD access

i. Rule Name

Append LOB_web_users

ii. Other Conditions

Insert a new Attribute/Value condition with the expression, such that

• Select the attribute demoAD:ExternalGroups,
• Select the operator Equals, and
• Select the right-hand-side value (drop-down) demo.local/HCC/Groups/LOB_web_users

iii. Add the security group LOB_web_users under the permissions column. Note: LOB_web_users is one of the security groups created in Lab Exercise 1 Step 6

Rule Name                     Identity Groups           Other Conditions                                                     Permissions
Wireless Black List Default   Blacklist                 Wireless_Access                                                      Blackhole_Wireless_Access
Profiled Cisco IP Phones      Cisco-IP-Phone            -                                                                    Cisco_IP_Phones
Profiled Non Cisco IP Phones  Any                       Non_Cisco_Profiled_Phones                                            Non_Cisco_IP_Phones
demoAD access LOB_web_users   Any                       Network Access:AuthenticationIdentityStore EQUALS demoAD             PermitAll AND LOB_web_users
                                                        AND demoAD:ExternalGroups EQUALS demo.local/HCC/Groups/LOB_web_users
guest access                  Guest OR ActivatedGuest   -                                                                    PermitInternet
Wireless MAB                  Any                       Wireless_MAB                                                         wlcCWA-noNSP
Wired MAB                     Any                       Wired_MAB                                                            wiredCWA-noNSP
Default (no matches)                                                                                                         DenyAccess

c. Click Save once all the changes are done.


ISE is now configured to return a source security group tag when the rule demoAD access LOB_web_users is matched.

Step 6 Configure static IP-SGT bindings for the servers on 3k-data

a. Use putty to ssh to 3k-data as admin / ISEisC00L

b. Provision the IP-SGT bindings with the following CLI commands in configuration mode:

! map web server ip addresses to SG LOB_web_servers (tag=3)
! Only 10.1.129.12 (web) is used in the test. The others are optional.
cts role-based sgt-map 10.1.129.8 sgt 3
cts role-based sgt-map 10.1.129.9 sgt 3
cts role-based sgt-map 10.1.129.10 sgt 3
cts role-based sgt-map 10.1.129.11 sgt 3
cts role-based sgt-map 10.1.129.12 sgt 3

3k-data# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3k-data(config)#cts role-based sgt-map 10.1.129.8 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.9 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.10 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.11 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.12 sgt 3
3k-data(config)#end
3k-data#

Note: To verify the configured SGT map, issue EXEC mode CLI

show cts role-based sgt-map all

Step 7 Configure ACL on ASA context cx-ent

a. Back in the SSH session to the context cx-ent of ASA, add an ACL and apply it to the interface campus with the following CLI commands in configuration mode:

! The 1st ACE below is all on one line. The (optional) “log” keyword makes its hits show up in the logging buffer.
access-list campus_in extended permit tcp security-group name LOB_web_users any security-group name LOB_web_servers any eq www log
! Allow management VLAN
access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
! Block other campus VLANs to DC
access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
! Allow all others (Internet/DMZ)
access-list campus_in extended permit ip any any
! Apply it to campus
access-group campus_in in interface campus

asa/cx-ent# configure terminal
asa/cx-ent(config)# access-list campus_in extended permit tcp security-group name LOB_web_users any security-group name LOB_web_servers any eq www log
asa/cx-ent(config)# access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
asa/cx-ent(config)# access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
asa/cx-ent(config)# access-list campus_in extended permit ip any any
asa/cx-ent(config)# access-group campus_in in interface campus
asa/cx-ent(config)# end
asa/cx-ent#

b. Verify the SG name-to-tag mapping with the following CLI command:

show access-list campus_in

asa/cx-ent# show access-list campus_in
access-list campus_in; 4 elements; name hash: 0x8fb64f40
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=0)
...
asa/cx-ent#

Note: LOB_web_users and LOB_web_servers are mapped into tag numbers.


c. Configure buffered logging to see ACE hits in later steps:

logging buffered informational
logging timestamp
logging enable

asa/cx-ent# configure terminal
asa/cx-ent(config)# logging buffered informational
asa/cx-ent(config)# logging timestamp
asa/cx-ent(config)# logging enable
asa/cx-ent(config)# end
asa/cx-ent#

Step 8 Test Wired access on w7pc-guest

a. Launch VMware client to connect the VMware host for the pod.

b. Power on p##-w7pc-guest, if off. Note: The “##” in p##-w7pc-guest is the assigned 2-digit pod number; e.g. p22-w7pc-guest for pod 22.

c. Access the console via the VMware client.

d. Login Windows as admin / ISEisC00L

e. On w7pc-guest, double click on the desktop short-cut w7pc-guest Network Connections. Then, enable the w7pc-guest-wired connection by double-clicking on the icon.

f. Establish the wired connection by ssh to 3k-access and “no shut” on the switch interface g0/1. Wait for the 802.1X authentication to time out (~2 minutes) and fail over to MAB.

3k-access# show auth session
Interface   MAC Address     Method   Domain   Status          Session ID
Gi0/1       0010.1888.27cc  mab      DATA     Authz Success   0A01FA02000000060F952EE8
3k-access#

g. On w7pc-guest, launch Mozilla Firefox browser and browse to http://web.demo.local. This shall redirect to the ISE Guest Portal.

Note: Accept/Confirm any browser certificate warnings or AUP (acceptable user policy) if present.

h. Once the guest portal login page is displayed, login as employee1 / ISEisC00L

i. After a successful guest login, reattempt access to http://web.demo.local.

In the pop-up Authentication Required dialog box, enter

admin / ISEisC00L

as the web credential and hit OK. Note: Stop once the login page of CTS DB Test is visible. We will log in to the test DB in the second part of the lab.

 


j. Review the ISE live log

i. Navigate to Operations > Authentications. LOB_web_users is applied after the guest authenticated, as shown in the sample entries below:

Time  S  Identity           Endpoint ID         AuthZ Profiles                    Event         Session ID
t-4   ✔  employee1          nn:nn:nn:nn:nn:nn   PERMIT_ALL_TRAFFIC,LOB_web_users                nnnn…
t-3   ✔                                                                           Dynamic Auth  nnnn…
t-2   ✔  employee1          nn:nn:nn:nn:nn:nn                                     Guest Auth
t-1   ✔  nn:nn:nn:nn:nn:nn  nn:nn:nn:nn:nn:nn   Wired_CWA                         Auth          nnnn…

ii. Hover over the status at time t-4 to see the authentication detail in the tool-tip. For example:

User-Name=employee1
...
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-tag:0002-0
cisco-av-pair=profile-name=Windows7-Workstation

k. Check sgt-map on 3k-access by CLI show cts role-based sgt-map all

3k-access# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
10.1.50.201             2       LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1
3k-access#

Note: 10.1.50.201 is the endpoint IP and may vary depending on the VLAN and DHCP assignments.

l. Check the hit counts of ASA access-list

ASA will show the hit count (hitcnt) increasing for the matched entry.

asa/cx-ent# show access-list campus_in
...
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=6) 0x12947da7
...
asa/cx-ent# show logging | inc campus_in
...
%ASA-6-106100: access-list campus_in permitted tcp campus/10.1.10.101(50184)(2:LOB_web_users) -> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x12947da7, 0x0]
...

Note: As the logging buffer is limited, show logging might not give any matches if done a few minutes after the web access on the endpoint.
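The 106100 lines above are worth more than a hit counter: the “(tag:SG-name)” annotation tells you which security-group pair each permitted flow was classified as. The following added Python example (not from the lab guide or from Cisco) parses such lines and sums hits per security-group pair; the sample buffer is constructed around the line shown above, and an address without an annotation is reported as untagged, meaning the ASA had no IP-SGT binding for it.

```python
"""Parse ASA %ASA-6-106100 log lines that carry TrustSec security-group tags.

Added example, not code from the lab guide or from Cisco.  When an ACE with
"security-group name ..." and the "log" keyword is hit, the ASA appends
"(tag:SG-name)" to the matching address, so the log buffer doubles as an
audit trail of which security-group pairs actually talk through the firewall.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Message body of a 106100 line.  re.search is used so that the timestamp
# added by "logging timestamp" (or a syslog header) in front of it is ignored.
LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)"
    r"(?:\((?P<src_sgt>\d+):(?P<src_sg>[^)]+)\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
    r"(?:\((?P<dst_sgt>\d+):(?P<dst_sg>[^)]+)\))? "
    r"hit-cnt (?P<hits>\d+)"
)

# Constructed sample buffer.  The first line is the one shown in Step 8 l;
# the others are made up for this example (the untagged line assumes "log"
# was also added to the management-VLAN ACE).
SAMPLE_LOG = """\
Aug 27 2012 04:10:11: %ASA-6-106100: access-list campus_in permitted tcp campus/10.1.10.101(50184)(2:LOB_web_users) -> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x12947da7, 0x0]
Aug 27 2012 04:10:40: %ASA-6-106100: access-list campus_in permitted tcp campus/10.1.50.201(49233)(2:LOB_web_users) -> web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 4 300-second interval [0x12947da7, 0x0]
Aug 27 2012 04:11:02: %ASA-6-106100: access-list campus_in permitted tcp campus/10.1.100.5(51000) -> web/10.1.129.12(22) hit-cnt 1 first hit [0x1b2c3d4e, 0x0]
Aug 27 2012 04:11:05: %ASA-6-302013: Built inbound TCP connection 1234 for campus:10.1.100.5/51000 (10.1.100.5/51000) to web:10.1.129.12/22 (10.1.129.12/22)
"""


def parse_106100(line: str) -> Optional[dict]:
    """Return the fields of a 106100 line as a dict, or None for any other message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "hits", "src_sgt", "dst_sgt"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def sg_pair_hits(lines: Iterable[str]) -> Counter:
    """Sum hit counts per (acl, action, source SG, destination SG).

    An address without an SGT annotation is reported as "untagged": the ASA
    had no IP-SGT binding for it (SGT 0, Unknown), which is the first thing
    to check when a security-group ACE does not match as expected.
    """
    totals: Counter = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"],
               rec["src_sg"] or "untagged", rec["dst_sg"] or "untagged")
        totals[key] += rec["hits"]
    return totals


if __name__ == "__main__":
    totals = sg_pair_hits(SAMPLE_LOG.splitlines())
    for (acl, action, src_sg, dst_sg), hits in sorted(totals.items()):
        print(f"{acl:10} {action:9} {src_sg:>15} -> {dst_sg:<15} hits={hits}")
```

Feed it the output of show logging | inc 106100 to get the same summary for a live context.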

m. Verify the IP-SGT bindings on ASA that are learnt from all its peers, in both the control plane and the accelerated security path (ASP):

show cts sgt-map              (control plane command)
show asp table cts sgt-map    (data path command)


asa/cx-ent# show cts sgt-map
Active IP-SGT Bindings Information

IP Address              SGT     Source
================================================================
10.1.50.201             2       SXP
10.1.129.8              3       SXP
...

IP-SGT Active Bindings Summary
============================================
Total number of SXP      bindings = 6
Total number of active   bindings = 6
Total number of shown    bindings = 6

asa/cx-ent# show asp table cts sgt-map
IP Address              SGT
==============================================
10.1.129.8              3:LOB_web_servers
...
10.1.50.201             2:LOB_web_users
Total number of entries shown = 6

n. Verify IP-SGT bindings on ASA that are propagated via SXP

show cts sxp sgt-map detail

asa/cx-ent# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 6
Total number of IP-SGT mappings shown: 6

SGT     : 3:LOB_web_servers
IPv4    : 10.1.129.8
Peer IP : 10.1.129.3
Ins Num : 1
Status  : Active
...
SGT     : 2:LOB_web_users
IPv4    : 10.1.50.201
Peer IP : 10.1.29.2
Ins Num : 1
Status  : Active
asa/cx-ent#

o. Leave w7pc-guest powered on. We will continue using it in later exercises.

Step 9 (Optional) Test Wireless access on iPad

a. Enable WLAN n-p##-TS-OPEN on wlc

i. Use putty and open ssh session to wlc

ii. Issue the following CLI command: config wlan enable 10

b. Click on the short-cut vnc-to-ipad on the taskbar to start a VNC session to the iPad.

c. Press any key to continue, once prompted to do so.

Tips on controlling the iPad UI via the VNC client:

Home: (On PC/Mac with a 2/3-button mouse) Right-click once with the mouse. (On Mac with a track pad) Touch the track pad with two fingers, if Secondary Click is configured.

Mouse: The mouse pointer mimics touching the iPad screen with one finger. Scrolling or dragging: press and hold the left mouse button and move the mouse pointer to scroll.

Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.

Note: The tab key is not available on the iPad’s virtual keyboard, so you will have to move the pointer to the text field you want to type into and click on it.

d. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.

Note: If no profiles are installed, the Profiles menu option may not be shown.

e. Next, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

f. Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Note: Forget any networks the iPad automatically connects to.

g. Select and connect to the network n-p##-TS-OPEN. Note: The “##” in n-p##-TS-OPEN is to be replaced with the assigned 2-digit pod number; e.g. n-p22-TS-OPEN for pod 22.

h. Launch Mobile Safari app and browse to http://web.demo.local. This shall redirect to the ISE Guest Portal.

Note: Accept/Confirm any browser certificate warnings or AUP (acceptable user policy) if present.

i. Repeat Step 8 h through n of this exercise to verify the wireless access for the iPad.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.

 


Lab Exercise 5: Campus-to-DC – Use ASDM to Interact with ASA TrustSec™ Features

Exercise Description This lab covers the essential ASDM operations for TrustSec™ elements on an ASA.

Exercise Objective In this exercise, your goal is to familiarize yourself with basic ASDM operations for TrustSec. This includes completion of the following tasks:

• Configure for PAC and SXP

• Monitor for PAC, SXP, and SGT maps

• Create ACL with security elements

Step 1 Connect ASDM to ASA

a. On the admin-PC, double-click ASDM-IDM Launcher on the desktop

b. Provide inputs as below:

Device IP Address / Name: asa.demo.local
Username: admin
Password: ISEisC00L
☐ Run in Demo Mode (unchecked)

c. Click OK to connect.

Step 2 Switch to context cx-ent: In the device list on the left-hand-side panel, connect to cx-ent by double-clicking on the named context.

Step 3 Configure TrustSec properties using ASDM

a. Navigate to Configuration > Firewall > Identity by TrustSec

b. Verify the SXP peers, default source, default password, timers, Server Group.


c. (Optional, as already done via CLI in Exercise 2 Step 6) Click on Import PAC to import the PAC from the local machine

d. (Optional) Check/un-check the checkbox next to Enable SGT Exchange Protocol (SXP) to enable/disable SXP

e. Click Apply to effect the changes

Step 4 Monitoring TrustSec: Navigate to Monitoring > Properties > Identity by TrustSec

Click each item in turn to check

a. PAC - verify PAC installation

b. Environment Data - verify the download of security group table

c. SXP Connections - check SXP connections with peers

d. IP Mappings - verify security group IP mapping table

Step 5 Use ASDM to reconfigure Security Group based policies

a. Go to Configuration > Firewall > Objects > Security Group Object Groups

b. Click on Add on the right-hand panel

c. In the pop-up window Add Security Group Object Group, fill in

• Group Name: demo-SG-Obj-Group

• Click to highlight LOB_web_servers in Existing Security Groups

• Click Add >> to add to Members in Group

• Click OK to close the pop-up.

d. Go to Configuration > Firewall > Access Rules

e. Click on the rule under interface campus and hit Edit to work on the first ACE

f. In the pop-up Edit Access Rule, click on the browse icon next to Security Group text box in the Destination Criteria.

g. In the pop-up Browse Security Group window


• << Remove security group name LOB_web_servers

• Add >> Existing Security Group Object Groups demo-SG-Obj-Group

• Click OK to close the pop-up Browse Security Group

h. Click OK to close the pop-up Edit Access Rule.

i. Click Apply to send the changes to ASA.

Step 6 Repeat Exercise 4 Step 7 to send traffic and verify the policies applied correctly.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.

 


Part 2: Intra-DC SGFW Enforcement with ASA

Logical Topology (figure not reproduced)

Part 2 covers a use case of using ASA to segment server-to-server communication within a data center network. The goal is to allow a specific group of servers (LOB_web_servers) to access the data on another (LOB_db_servers). ASA enforcement may be in either routed or transparent/bridge mode, and in either single or multiple contexts. An ASA context in transparent mode is used in this part of the exercises.

 


Lab Exercise 6: Intra-DC – Configure Network Devices and Security Groups in ISE

Exercise Description This lab covers the ISE configuration needed to prepare the ASA context cx-lob for RADIUS authentication and for retrieving TrustSec™ environment data. It also provisions the security groups used for Intra-DC access.

Exercise Objective In this exercise, your goal is to configure ASA as a network device in ISE so that it may receive TrustSec security groups. This includes completion of the following tasks:

• Create a network device for ASA context cx-lob

• Create TrustSec security groups

Step 1 Access the ISE administrative web interface.

a. Login https://ise-1.demo.local as admin / ISEisC00L Note: Accept/Confirm any browser certificate warnings if present.

Step 2 Add an ASA context cx-lob as a Network Access Device

a. Navigate to Administration > Network Resources > Network Devices

b. Click Add with the values shown in the following table:

Attribute                                              Value
Name                                                   cx-lob (see Note 1)
Description                                            -
IP Address                                             10.1.129.2 / 32
Model Name                                             -
Software Version                                       -
Device Type                                            ASA
Location                                               GOLD-Lab
✔ Advanced TrustSec Settings
  Device Authentication Settings
    Use Device ID for SGA                              ✔
    Device Id                                          cx-lob
    Password                                           Anything (see Note 2)
  SGA Notifications and Updates
    Download environment data every                    1 Days
    Download peer authorization policy every           1 Days
    Reauthentication every                             1 Days
    Download SGACL lists every                         1 Days
    Other SGA devices to trust the device              ✔
    Notify this device about SGA configuration changes ☐
  Device Configuration Deployment                      (None configured)
  Out Of Band (OOB) SGA PAC
    Issue Date                                         (blank)
    Expiration Date                                    (blank)
    Issue By                                           (blank)
    Generate PAC                                       (button, see step c)

Note 1: The Name (Device ID) must be the same as the context name in ASA. It is included in the PAC that ASA uses to authenticate to ISE and retrieve the SG table.

Note 2: The device password is not used, because ASA supports only OOB PAC provisioning, but it needs to be a valid non-empty string in order to save the NAD object.

c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog box, input ISEisC00L as the Encryption Key.

Identity           cx-lob
Encryption Key     ISEisC00L
PAC Time to Live   1 Years

Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).

d. Click on Generate PAC and save the resulting pac file to the default Downloads folder.

e. Click Submit when finished. Note: If Submit does not work, log off and back into the ISE admin web interface and repeat Step 2 again.

Step 3 Create Security Groups

a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security Group Access > Security Groups.

Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.

b. Add security group LOB_db_servers

i. In the right panel, click Add.

ii. Input LOB_db_servers into the Name field.

iii. Submit to save this new security group with the assigned tag.

c. The resulting Name-SGT table shall be similar to below:

Name              SGT (Dec / Hex)
Unknown           0 / 0000
LOB_web_users     2 / 0002
LOB_web_servers   3 / 0003
LOB_db_servers    4 / 0004

You are now done preparing the ISE for the ASA context cx-lob to download the TrustSec environment data.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 7: Intra-DC – Configure ASA to download Security Group table

Exercise Description This exercise will show how to enable an ASA context to download the security group (name-to-tag) table from ISE.

Exercise Objective In this exercise, your goal is to work with a transparent context in ASA and configure it to download the TrustSec Security Group table from ISE:

• Create an AAA server group and designate it as the TrustSec server

• Import PAC and verify SG table download

Step 1 If disconnected, restart the putty ssh session to asa with the credentials admin / ISEisC00L

Step 2 At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.

asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3 Change to the context cx-lob by CLI command changeto context cx-lob

asa# changeto context cx-lob
asa/cx-lob#

Step 9 Review the running-config of the network interfaces and routing with the following CLI commands in configuration mode:

show run interface
show run route

asa/cx-lob# show run interface
!
interface BVI1
 ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif web
 bridge-group 1
 security-level 8
!
interface GigabitEthernet0/3
 nameif db
 bridge-group 1
 security-level 9
asa/cx-lob# show run route
route web 0.0.0.0 0.0.0.0 10.1.129.1 1

Step 4 Add AAA server group and host and designate it as the cts server group with the following CLI commands in configuration mode:

aaa-server ts-ise protocol radius
aaa-server ts-ise (web) host 10.1.100.21
 authentication-port 1812
 accounting-port 1813
cts server-group ts-ise


asa/cx-lob# configure terminal
asa/cx-lob(config)# aaa-server ts-ise protocol radius
asa/cx-lob(config-aaa-server-group)# aaa-server ts-ise (web) host 10.1.100.21
asa/cx-lob(config-aaa-server-host)# authentication-port 1812
asa/cx-lob(config-aaa-server-host)# accounting-port 1813
asa/cx-lob(config-aaa-server-host)# cts server-group ts-ise
asa/cx-lob(config)# end
asa/cx-lob#

Step 5 On admin-PC, move the cx-lob.pac file from admin’s Downloads folder to C:\inetpub\ftproot\. Then, proceed to import it at ASA:

cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L

asa/cx-lob# cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
!PAC Imported Successfully

Step 6 Check the PAC data and verify the environment data and SG table with:

show cts pac
show cts environment-data
show cts environment-data sg-table

asa/cx-lob# show cts pac
  PAC-Info:
    Valid until: Aug 25 2013 23:42:16
    AID:         0215c9b539f4f2f56a716ea5d4a04132
    I-ID:        cx-lob
    A-ID-Info:   ise demo
    PAC-type:    Cisco Trustsec
  PAC-Opaque:
    ...

Note: The initiator identifier (I-ID) is cx-lob and A-ID-Info is ise demo. The authority identifier (A-ID) was configured in Lab Exercise 1 Step 2, and the I-ID (Device ID) in Lab Exercise 6 Step 2.

asa/cx-lob# show cts environment-data
CTS Environment Data
====================
Status:                    Active
Last download attempt:     Successful
Environment Data Lifetime: 86400 secs
Last update time:          04:00:14 UTC Aug 27 2012
Env-data expires in:       0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in:     0:23:48:34 (dd:hr:mm:sec)

Note: If the download fails, check ISE live log and the NAD configuration for ASA.

asa/cx-lob# show cts environment-data sg-table
Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 6 of 6 entries

SG Name           SG Tag   Type
-------           ------   -------------
ANY               65535    unicast
LOB_db_servers    4        unicast
LOB_web_servers   3        unicast
LOB_web_users     2        unicast
Unknown           0        unicast

This ASA context now has the TrustSec security group name-to-tag mapping. We will use it in an ACL in later exercises.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.


Lab Exercise 8: Intra-DC – Configure SXP in Network Devices

Exercise Description In this exercise you will establish SXP communication between the ASA context cx-lob and 3k-data.

Exercise Objective In this exercise, your goal is to complete the following tasks:

• Configure ASA context cx-lob as the SXP listener to peer with the switch 3k-data

• Configure the switch 3k-data as the SXP peer for the ASA context cx-lob

Step 1 Configure cx-lob as the SXP listener

a. Back in the SSH session to the context cx-lob of ASA, provision the SXP connectivity with the following CLI commands in configuration mode:

! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.3 – 3k-data SVI for VLAN 129
cts sxp connection peer 10.1.129.3 password default mode local listener
cts sxp enable

asa/cx-lob# configure terminal
asa/cx-lob(config)# cts sxp default password ISEisC00L
asa/cx-lob(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-lob(config)# cts sxp enable
asa/cx-lob(config)# end
asa/cx-lob#

Step 2 Configure SXP on 3k-data

a. Use putty to ssh to 3k-data as admin / ISEisC00L

b. Provision the SXP connectivity with the following CLI commands in configuration mode:

! peer 10.1.129.2 – asa/cx-lob web IP
cts sxp connection peer 10.1.129.2 password default mode local

Note: SXP default password is set and the SXP service enabled previously in Part 1 Exercise 3 Step 3.

3k-data# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3k-data(config)#cts sxp conn peer 10.1.129.2 password default mode local
3k-data(config)#end
3k-data#

c. Verify the SXP connectivity with the following CLI command in exec mode: show cts sxp connections brief

3k-data# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.129.1       10.1.129.3       On                3:10:35:23 (dd:hr:mm:sec)
10.1.129.2       10.1.129.3       On                0:00:38:33 (dd:hr:mm:sec)

Total num of SXP Connections = 2
3k-data#

This ASA context cx-lob has now peered with 3k-data and shall get the IP-SGT mapping from it.

✔ End of Exercise: You have successfully completed this exercise. Proceed to next section.

 


Lab Exercise 9: Intra-DC – Source and Destination IP-SGT

Exercise Description This exercise shows how the switch 3k-data forwards its IP-SGT mappings to the ASA context cx-lob, and how the ASA uses the security groups to enforce server-to-server communication.

Exercise Objective In this exercise, your goal is to complete the following tasks:

• Provision static IP-SGT binding on 3k-data.

• Configure ASA ACL with security-group.

Step 1 Configure static IP-SGT binding on 3k-data

a. Use putty to ssh to 3k-data as admin / ISEisC00L

b. Provision the static IP-SGT binding with the following CLI command in configuration mode:

    ! map a db server ip address to SGT LOB_db_servers (tag=4)
    cts role-based sgt-map 10.1.129.20 sgt 4

    3k-data# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    3k-data(config)#cts role-based sgt-map 10.1.129.20 sgt 4
    3k-data(config)#end
    3k-data#

c. Verify the static IP-SGT binding with the following CLI command in exec mode:

    show cts role-based sgt-map all

    3k-data# show cts role-based sgt-map all
    Active IP-SGT Bindings Information

    IP Address              SGT     Source
    ============================================
    10.1.129.8              3       CLI
    ...
    10.1.129.20             4       CLI

    IP-SGT Active Bindings Summary
    ============================================
    Total number of CLI bindings = 6
    Total number of active bindings = 6

Step 2 Configure an ACL on ASA context cx-lob

a. Back in the SSH session to the context cx-lob of ASA, add an ACL and apply it to the interface web with the following CLI commands in configuration mode:

    ! add an ACL
    ! This ACL has only one ACE, entered as a single line.
    access-list web_in extended permit tcp security-group name LOB_web_servers any security-group name LOB_db_servers any eq 3306 log
    ! Apply it to web
    access-group web_in in interface web


    asa/cx-lob# configure terminal
    asa/cx-lob(config)# access-list web_in extended permit tcp security-group name LOB_web_servers any security-group name LOB_db_servers any eq 3306 log
    asa/cx-lob(config)# access-group web_in in interface web
    asa/cx-lob(config)# end
    asa/cx-lob#

b. Verify the SG name-to-tag mapping with the following CLI command:

    show access-list web_in

    asa/cx-lob# show access-list web_in
    access-list web_in; 2 elements; name hash: 0x732a90f6
    access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=0) 0x8193d619
    asa/cx-lob#

Note: the ASA shows the tag number it resolved for LOB_web_servers and LOB_db_servers in parentheses after each security-group name.

c. Configure buffered logging to see ACE hits in later steps:

    logging buffered informational
    logging timestamp
    logging enable

    asa/cx-lob# configure terminal
    asa/cx-lob(config)# logging buffered informational
    asa/cx-lob(config)# logging timestamp
    asa/cx-lob(config)# logging enable
    asa/cx-lob(config)# end
    asa/cx-lob#

Step 3 Test on w7pc-guest

a. Switch back to the console of w7pc-guest via the VMware client.

b. If needed, log in to Windows again as admin / ISEisC00L

c. If the network connection was dropped, re-authenticate using either Wired or Wireless as in Exercise 4 Step 8 or 9.

d. Launch Mozilla Firefox browser, go to http://web.demo.local, and, if needed, re-authenticate to the web site as admin / ISEisC00L

e. At the CTS DB Test login page, enter the following information before hitting Go:

    Log in          Username: admin
                    Password: ISEisC00L
    Server Choice   TS TEST DB

f. Check the hit counts of the ASA access-list.

The ASA shows the hit count (hitcnt) increasing for the matched entry, and the buffered log records each new flow with the source and destination security groups it matched.

    asa/cx-lob# show access-list web_in
    ...
    access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=3) 0x8193d619
    asa/cx-lob# show logging | inc web_in
    ...
    %ASA-6-106100: access-list web_in permitted tcp app/10.1.129.12(43838)(4:LOB_web_servers) -> db/10.1.129.20(3306)(5:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]
    ...
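As an added example (not part of the lab guide), the following Python parses 106100 syslog lines in the annotated form shown above and summarises hits per source and destination security group, flagging flows where an endpoint carried no SGT, which means the ASA had no IP-SGT binding for that host. The sample lines are constructed for this example, not captured from the lab ASA.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from the lab ASA) in the 106100 format
# the lab shows, where each endpoint may carry a (tag:group) annotation.
SAMPLE_LOG = [
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.8(43838)(3:LOB_web_servers) -> db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]",
    "%ASA-6-106100: access-list web_in permitted tcp web/10.1.129.12(50120)(3:LOB_web_servers) -> db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 5 300-second interval [0x8193d619, 0x0]",
    "%ASA-6-106100: access-list web_in denied tcp web/10.1.129.30(51000) -> db/10.1.129.20(3306)(4:LOB_db_servers) hit-cnt 1 first hit [0x2c5b1e0a, 0x0]",
]

# One endpoint: <ifc>/<ip>(<port>) optionally followed by (<tag>:<group>).
ENDPOINT = (r"(?P<{p}ifc>[^/\s]+)/(?P<{p}ip>[\d.]+)\((?P<{p}port>\d+)\)"
            r"(?:\((?P<{p}tag>\d+):(?P<{p}grp>[^)]+)\))?")
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    + ENDPOINT.format(p="s") + r" -> " + ENDPOINT.format(p="d") + r" hit-cnt (?P<hits>\d+)")

def parse_106100(line):
    """Return the message fields as a dict, or None if this is not a 106100 line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    rec["stag"] = int(rec["stag"]) if rec["stag"] is not None else None
    rec["dtag"] = int(rec["dtag"]) if rec["dtag"] is not None else None
    return rec

def summarise(lines):
    """Hit counts per (action, src group, dst group, dst port), plus the (src, dst)
    pairs where an endpoint carried no SGT, i.e. the ASA had no IP-SGT binding for it."""
    counts, unbound = Counter(), []
    for line in lines:
        rec = parse_106100(line)
        if rec is None:
            continue
        key = (rec["action"], rec["sgrp"] or "<no-sgt>", rec["dgrp"] or "<no-sgt>", rec["dport"])
        counts[key] += rec["hits"]
        if rec["stag"] is None or rec["dtag"] is None:
            unbound.append((rec["sip"], rec["dip"]))
    return counts, unbound

if __name__ == "__main__":
    for key, hits in summarise(SAMPLE_LOG)[0].items():
        print(key, hits)
```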


g. Verify the IP-SGT bindings that the ASA has learnt from all its peers, both in the control plane and in the accelerated security path (ASP):

    show cts sgt-map             (Control Plane command)
    show asp table cts sgt-map   (Data Path command)

    asa/cx-lob# show cts sgt-map
    Active IP-SGT Bindings Information

    IP Address              SGT     Source
    ================================================================
    10.1.129.8              3       SXP
    ...
    10.1.129.20             4       SXP

    IP-SGT Active Bindings Summary
    ============================================
    Total number of SXP bindings = 6
    Total number of active bindings = 6
    Total number of shown bindings = 6
    asa/cx-lob# show asp table cts sgt-map

    IP Address              SGT
    ==============================================
    10.1.129.8              3:LOB_web_servers
    ...
    10.1.129.20             4:LOB_db_servers

    Total number of entries shown = 6
    asa/cx-lob#

h. Verify IP-SGT bindings on ASA that are propagated via SXP

show cts sxp sgt-map detail

    asa/cx-lob# show cts sxp sgt-map detail
    Total number of IP-SGT mappings : 6
    Total number of IP-SGT mappings shown: 6
    SGT     : 3
    IPv4    : 10.1.129.8
    Peer IP : 10.1.129.1
    Ins Num : 1
    Status  : Active
    ...
    SGT     : 4
    IPv4    : 10.1.129.20
    Peer IP : 10.1.129.1
    Ins Num : 1
    Status  : Active
    asa/cx-lob#
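As an added example (not from the lab guide), this Python parses the control-plane and data-path outputs from Step g and reports bindings the control plane knows but the data path does not enforce, plus any expected static binding (such as 10.1.129.20 to SGT 4 from Step 1) that the data path lacks. The sample outputs are constructed in the lab's layout, with 10.1.129.21 deliberately absent from the data path to show what the check reports.

```python
import re

# Constructed sample outputs in the layout the lab shows (not captured from the
# lab ASA); 10.1.129.21 is deliberately present only in the control plane.
SHOW_CTS_SGT_MAP = """\
IP Address              SGT     Source
================================================================
10.1.129.8              3       SXP
10.1.129.12             3       SXP
10.1.129.20             4       SXP
10.1.129.21             4       SXP
Total number of SXP bindings = 4
"""
SHOW_ASP_TABLE_CTS_SGT_MAP = """\
IP Address              SGT
==============================================
10.1.129.8              3:LOB_web_servers
10.1.129.12             3:LOB_web_servers
10.1.129.20             4:LOB_db_servers
Total number of entries shown = 3
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CP_ROW = re.compile(r"^\s*" + IPV4 + r"\s+(\d+)\s+(\S+)\s*$")  # control plane: ip sgt source
DP_ROW = re.compile(r"^\s*" + IPV4 + r"\s+(\d+):(\S+)\s*$")    # data path: ip sgt:name

def parse_control_plane(text):
    """'show cts sgt-map' -> {ip: (sgt, source)}."""
    return {m[1]: (int(m[2]), m[3]) for m in map(CP_ROW.match, text.splitlines()) if m}

def parse_data_path(text):
    """'show asp table cts sgt-map' -> {ip: (sgt, group_name)}."""
    return {m[1]: (int(m[2]), m[3]) for m in map(DP_ROW.match, text.splitlines()) if m}

def compare_bindings(cp, dp, expected=None):
    """Differences between control plane and data path, plus expected static
    bindings {ip: sgt} (e.g. the one added on 3k-data) that the data path lacks."""
    return {
        "missing_in_data_path": sorted(ip for ip in cp if ip not in dp),
        "missing_in_control_plane": sorted(ip for ip in dp if ip not in cp),
        "tag_mismatch": sorted(ip for ip in cp if ip in dp and cp[ip][0] != dp[ip][0]),
        "expected_not_enforced": sorted(ip for ip, sgt in (expected or {}).items()
                                        if ip not in dp or dp[ip][0] != sgt),
    }

if __name__ == "__main__":
    cp = parse_control_plane(SHOW_CTS_SGT_MAP)
    dp = parse_data_path(SHOW_ASP_TABLE_CTS_SGT_MAP)
    print(compare_bindings(cp, dp, expected={"10.1.129.20": 4}))
```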

i. Power off w7pc-guest when done.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.

End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.


Appendix A: Creating a transparent firewall context

In this lab, all the ASA contexts are created in advance. For your reference, here are the steps to create the transparent context cx-lob:

Step 1 Change to the system space with the following CLI command:

    changeto system

    asa/cx-admin# changeto system
    asa#

Step 2 Create a new context cx-lob with the following CLI commands in configuration mode:

    context cx-lob
     allocate-interface GigabitEthernet0/2
     allocate-interface GigabitEthernet0/3
     config-url disk0:/cx-lob.cfg
     exit
    interface GigabitEthernet0/2
     no shut
    interface GigabitEthernet0/3
     no shut

    asa# configure terminal
    asa(config)# context cx-lob
    Creating context 'cx-lob... Done. (5)
    asa(config-ctx)# allocate-interface GigabitEthernet0/2
    asa(config-ctx)# allocate-interface GigabitEthernet0/3
    asa(config-ctx)# config-url disk0:/cx-lob.cfg
    WARNING: Could not fetch the URL disk0:/cx-lob.cfg
    INFO: Creating context with default config
    asa(config)# interface gigabitEthernet 0/2
    asa(config-if)# no shut
    asa(config-if)# interface gigabitEthernet 0/3
    asa(config-if)# no shut
    asa(config)# end
    asa#

Step 3 Change to the new context cx-lob with the following CLI command:

    changeto context cx-lob

    asa# changeto context cx-lob
    asa/cx-lob#

Step 4 Update the firewall mode and the interfaces with the following CLI commands in configuration mode:

    ! Change to transparent mode
    firewall transparent
    !
    interface BVI1
     ip address 10.1.129.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif web
     bridge-group 1
     security-level 9
    !
    interface GigabitEthernet0/3
     nameif db
     bridge-group 1
     security-level 10
    !
    ! default gateway to ASA cx-ent's web interface
    route web 0.0.0.0 0.0.0.0 10.1.129.1 1

    asa/cx-lob# configure terminal
    asa/cx-lob(config)# firewall transparent
    asa/cx-lob(config)# interface BVI1
    asa/cx-lob(config-if)# ip address 10.1.129.2 255.255.255.0
    asa/cx-lob(config-if)# exit
    asa/cx-lob(config)# interface GigabitEthernet0/2
    asa/cx-lob(config-if)# nameif web
    asa/cx-lob(config-if)# bridge-group 1
    asa/cx-lob(config-if)# security-level 9
    asa/cx-lob(config-if)# !
    asa/cx-lob(config)# interface GigabitEthernet0/3
    asa/cx-lob(config-if)# nameif db
    asa/cx-lob(config-if)# bridge-group 1
    asa/cx-lob(config-if)# security-level 10
    asa/cx-lob(config-if)# !
    asa/cx-lob(config-if)# route web 0.0.0.0 0.0.0.0 10.1.129.1 1
    asa/cx-lob(config)# end
    asa/cx-lob#