I thought I would post my configuration for sending traffic to the CX from the ASA CLI. In talking with TAC, there are two schools of thought here: create a deny ACL blocking what you do not want filtered and then put a permit at the end, or create a permit ACL with what you want filtered and then a deny to prevent all other traffic from being sent to the CX. The latter makes more sense to me, so that is the route I go.
First I create an object group with the internal networks. In this example I'll be sending all private address spaces (per RFC1918) to CX.
object-group network RFC1918
description RFC1918 Private IPv4 Address Space
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
Now for the ACL. I'll be sending any traffic that has an RFC1918 source address destined to anywhere on TCP port 80 or 443 to the CX.
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https
Next we create the Class Map that we will be putting in the Policy Map. We tell the Class Map to look at the ACL we just created.
match access-list ACL-CX-FILTER
Finally we add the Class Map to the Policy Map.
cxsc fail-open auth-proxy
You can also do this in PRSM, but I found that it creates a somewhat-goofy naming scheme so I prefer to do it myself. Hope it helps.
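The complete configuration hierarchy the steps above are drawn from, as an added example (not text from the original post): the class-map name CM-CX-FILTER is a hypothetical name chosen here, and the class is assumed to go into the ASA's default global_policy.

```cisco
! Added example; assumptions: CM-CX-FILTER is a hypothetical class-map name,
! and global_policy is the ASA default policy map already applied globally.
!
! 1. Networks whose traffic should be inspected by the CX (RFC 1918 sources).
!    The object-group must exist before the ACL references it.
object-group network RFC1918
 description RFC1918 Private IPv4 Address Space
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! 2. Match ACL: only flows hitting a permit entry are redirected to the CX.
!    The explicit deny (and the implicit deny behind it) keeps everything
!    else on the ASA alone, which is the "permit list then deny" approach.
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https
access-list ACL-CX-FILTER extended deny ip any any
!
! 3. Class map that selects traffic with the ACL.
class-map CM-CX-FILTER
 match access-list ACL-CX-FILTER
!
! 4. Put the class into the policy map. fail-open passes matching traffic
!    WITHOUT CX inspection if the module is down or unresponsive; fail-close
!    drops it instead. auth-proxy lets the CX perform active user
!    authentication through the ASA.
policy-map global_policy
 class CM-CX-FILTER
  cxsc fail-open auth-proxy
!
! Only needed if global_policy is not already applied (it is on a default ASA).
service-policy global_policy global
!
! Verification: hit counts on the permit entries confirm the class is matching.
show access-list ACL-CX-FILTER
show running-config policy-map global_policy
```

If the hit counts stay at zero while web traffic flows, check that the client source addresses really fall inside the RFC1918 object-group and that no earlier class in global_policy is claiming the same flows first.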