cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
987
Views
0
Helpful
1
Replies

ASA VPN SGT propagation of SGT/IP mapping to all corporate firewalls

MARK BAKER
Level 4
Level 4

When a user logs in through SSLVPN (Anyconnect) on an ASA and receives an SGT from ISE, is it possible to propagate the SGT/IP mapping to all other firewalls in the corporate network using SXP? I assume the SSLVPN ASA would be the SXP speaker and all other ASA firewalls would be listeners.

Is there any reason that you wouldn't want to do this or is it something that is commonly done? Any scaling issues (limit on SXP peers...)?

The goal is to assign an SGT to VPN users and enforce access control on firewalls throughout the corporate network based SGT/IP mapping propagated from the VPN firewall. I would prefer not to enable TrustSec on any other device in the network. I was originally going to do identity-based firewall with VPN users, but as far as I can tell it lacks the ability to enforce access by group in a centralized manner.

Thank you,

Mark

1 Reply 1

Hi, I have very similar question also.

 

Let's say, we have next topology:

web-srv<-->L2sw(cts_enforcement)<-->ISR_G2(inline_tagging)<-->ASA(Remote-access)<-->Inet

RA users authenticated via RADIUS by ISE, SGT tags are assigned as part of authorization.

 

I need ASA acts as SXP speaker in order to deliver RA user's SGT tags to ISR_G2, but this doesn't happen :(. I see sgt tags in "debug radius" on ASA, but these tags don't appear in local IP<->SGT binding database, therefore no SXP updates are triggered.

 

In accordance to trustsec compatibility matrix this functionality is supported (http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html).

ASA 5520, release 9.1.5

 

Thanks.

Review Cisco Networking for a $25 gift card