Need suggestions on how to use an ASA firewall between corporate and industrial networks.

Chellis Dodge
Level 1

Hello everyone,


I need some suggestions on how to use a Cisco ASA as a firewall between my company's corporate and industrial networks. Here's my situation.


We currently have our Corp and Industrial networks interconnected at our core switch; they are on separate VLANs. I want to place the firewall between the VLANs to prevent corporate users from being able to access the Industrial network. The exception is the engineers who need access from the corp network to troubleshoot issues on the industrial network. They use remote access tools such as RDP and VNC. In your minds, what is the best way to deploy an ASA to allow these users past the firewall? They will be coming from a multitude of IP addresses on the corporate side which will constantly change depending on their location and connection path. I would like to tie their access to Active Directory OUs vs IPs, so I think traditional ACLs are not going to cut it. Also, they will be VPNing into the network from home using Cisco AnyConnect to a different ASA on the border of our corporate network, so my solution needs to be clientless once they get on the corporate network. Any suggestions would be much appreciated.

2 Replies

Marvin Rhoads
Hall of Fame

Since ASA version 8.4, you can use user identity in access-lists.

There is a step-by-step guide posted here that helps show how to set up and use this feature.

It's a couple of years old, so it refers to the now-deprecated AD Agent. That bit is now replaced with the Context Directory Agent (CDA) software, available as a separate VM image.
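To illustrate the identity-firewall approach Marvin describes, here is an added example of an ASA policy for this scenario; it is not from the thread or from Cisco's documentation, and the interface name corp, the addresses, the EXAMPLE domain, the group name ICS-Engineers and the service-account DN are all assumed placeholders.

```cisco
! Identity firewall on the ASA between the corp and industrial VLANs (ASA 8.4 or later).
! All names, addresses, the AD domain and the group name below are assumed placeholders.

! LDAP server group: lets the ASA resolve AD group membership for user objects.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (corp) host 10.10.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft

! RADIUS group pointing at the Context Directory Agent, which supplies IP-to-user mappings
! learned from domain controller logon events (the AD Agent replacement Marvin mentions).
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (corp) host 10.10.0.20
 key <shared-secret>

user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA
user-identity enable

! The AD group holding the engineers who may reach the industrial VLAN.
object-group user ICS-ENGINEERS
 user-group EXAMPLE\\ICS-Engineers

object network INDUSTRIAL-NET
 subnet 10.20.0.0 255.255.255.0

! Only the remote-access protocols the engineers actually use (RDP, VNC displays :0-:10).
object-group service RDP-VNC tcp
 port-object eq 3389
 port-object range 5900 5910

! Match on the user group rather than the source IP, so the engineers' changing addresses do not matter.
access-list CORP-IN extended permit tcp object-group-user ICS-ENGINEERS any object INDUSTRIAL-NET object-group RDP-VNC
! Everything else from corp toward the industrial VLAN is dropped and logged for visibility.
access-list CORP-IN extended deny ip any object INDUSTRIAL-NET log
access-group CORP-IN in interface corp
```

The group match only works for source addresses the CDA has already mapped to a user from a domain logon event, so an engineer whose current (for example AnyConnect-assigned) address has no mapping yet will hit the logged deny; those log entries are the first place to look when troubleshooting.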

Thanks Marvin, I will look into that and give it a try, appreciate it!
