This document describes how to use the TrustSec Inline Tagging feature introduced in Adaptive Security Appliance (ASA) Release 9.3.1. The feature allows the ASA to receive TrustSec-tagged frames as well as to send them, so the ASA can be integrated into a TrustSec domain without the SGT Exchange Protocol (SXP).
This example presents a remote VPN user who has been assigned Security Group Tag (SGT) 3 (Marketing) and an 802.1x user who has been assigned SGT 2 (Finance). Traffic enforcement is performed both by the ASA, with a Security Group Access Control List (SGACL) defined locally, and by a Cisco IOS® switch, with a Role Based Access Control List (RBACL) downloaded from Identity Services Engine (ISE).
Cisco recommends that you have knowledge of these topics:
ASA CLI configuration and Secure Socket Layer (SSL) VPN configuration
Remote access VPN configuration on the ASA
ISE and TrustSec services
The information in this document is based on these software versions:
Cisco ASA software, version 9.3.1 and later
Cisco ASA hardware 55x5 or ASAv
Windows 7 with Cisco AnyConnect Secure Mobility Client, release 3.1
Cisco Catalyst 3750X switch with software 15.0.2 and later
The link between the ASA and the 3750X is configured for manual CTS. That means both devices can send and receive modified Ethernet frames that carry the Cisco Metadata (CMD) field. That field includes the Security Group Tag (SGT), which describes the source of the packet.
Remote VPN user terminates SSL session on ASA and is assigned SGT tag 3 (Marketing).
The local corporate 802.1x user is assigned SGT 2 (Finance) after successful authentication.
The ASA has an SGACL configured on the inside interface that allows ICMP traffic initiated from Finance to Marketing.
The ASA permits all traffic initiated from the remote VPN user (because of the "sysopt connection permit-vpn" configuration, which exempts VPN traffic from the interface access lists).
The SGACL on the ASA is stateful, which means that once the flow is created, the return packet is accepted automatically because it matches the existing connection.
The 3750X switch uses an RBACL to control the traffic received from Marketing and destined to Finance.
The RBACL is stateless, which means that every packet is checked against the policy; there is no connection table, so a reply is evaluated on its own merits. TrustSec enforcement on the 3750X platform is performed at the destination (egress) port, so the switch is responsible for enforcing the traffic from Marketing to Finance.
Note: If a TrustSec-aware stateful firewall is needed on Cisco IOS®, Zone Based Firewall can be used. For an example, refer to:
1. Security Groups
Navigate to Policy > Results > Security Group Access > Security Groups and create the SGTs for Finance and Marketing as shown in this image.
2. Security Group ACL for Traffic Marketing > Finance
Navigate to Policy > Results > Security Group Access > Security Group ACL and create the ACL that is used to control traffic from Marketing to Finance. Only tcp/445 is allowed, as shown in this image.
3. Binding ACL in Matrix
Navigate to Policy > Egress Policy > Matrix and bind the configured ACL to the cell Source: Marketing, Destination: Finance. Also attach Deny IP as the last ACL in the cell to drop all other traffic, as shown in the image. Without it, the default policy is applied to unmatched traffic, and the default is permit any.
Navigate to Policy > Authorization and create a rule for remote VPN access. All VPN connections established via the AnyConnect 4.x client will get full access (PermitAccess) and will be assigned SGT 3 (Marketing). The condition uses AnyConnect Identity Extensions (ACIDEX):
Rule name: VPN
Condition: Cisco:cisco-av-pair CONTAINS mdm-tlv=ac-user-agent=AnyConnect Windows 4
Permissions: PermitAccess AND Marketing
Navigate to Policy > Authorization and create a rule for 802.1x access. A supplicant that terminates its 802.1x session on the 3750 switch with username cisco will get full access (PermitAccess) and will be assigned SGT 2 (Finance).
For a switch that uses automatic PAC provisioning, the correct secret must be set on ISE (Network Device > Switch > TrustSec), as shown in this image.
Note: The PAC is used to authenticate to ISE and to download the environment data (e.g. SGTs) along with the policy (ACLs). The ASA supports only the environment data download; policies need to be configured manually on the ASA. Cisco IOS® supports both, so the policies can be downloaded from ISE.
ASA - Configuration Steps
1. Basic VPN Access
Configure basic SSL VPN access for AnyConnect using ISE for authentication.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.62.145.41
 key cisco
The ASA is able to send and receive TrustSec frames (Ethernet frames with the CMD field). The ASA treats every untagged ingress frame as if it carried SGT 100. Ingress frames that already include a tag are trusted, that is, the SGT in the frame is kept.
Switch - Configuration Steps
1. Basic 802.1x
aaa authentication dot1x default group radius
aaa authorization network default group radius
bsns-3750-5#cts credentials id 3750-5 password ciscocisco
Again, the password must match the corresponding configuration on ISE (Network Device > Switch > TrustSec). At this point Cisco IOS® initiates an EAP-FAST session with ISE in order to get the PAC. More detail on that process can be found here:
There is an incoming ICMP echo request tagged with SGT = 2 (Finance), followed by the response from the VPN user, which the ASA tags with SGT = 3 (Marketing).
Unfortunately, the 802.1x PC does not see that reply, because it is blocked by the stateless RBACL on the switch (explained in the next section).
Another troubleshooting tool, packet-tracer is also TrustSec ready. Let's confirm if incoming ICMP packet from Finance will be accepted:
BSNS-ASA5512-4# packet-tracer input inside icmp inline-tag 2 192.168.1.203 8 0 192.168.100.50
Mapping security-group 3:Marketing to IP address 192.168.100.50

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.48.66.1 using egress ifc outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit icmp security-group name Finance any security-group name Marketing any
Additional Information:

<some output omitted for clarity>

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4830, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
Let's also try to initiate a TCP connection from Finance to Marketing; that must be blocked by the ASA, because the SGACL on the inside interface permits only ICMP:
Let's verify if the switch has downloaded policies from ISE correctly:
bsns-3750-5#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2:Finance to group Unknown:
        test_deny-30
IPv4 Role-based permissions from group 8 to group Unknown:
        permit_icmp-10
IPv4 Role-based permissions from group Unknown to group 2:Finance:
        test_deny-30
        Permit IP-00
IPv4 Role-based permissions from group 3:Marketing to group 2:Finance:
        telnet445-60
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
The policy that controls the traffic from Marketing to Finance is installed correctly. Only tcp/445 is allowed, as per the RBACL:
bsns-3750-5#show cts rbacl telnet445
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4
  name   = telnet445-60
  IP protocol version = IPV4
  refcnt = 2
  flag   = 0x41000000
  stale  = FALSE
  RBACL ACEs:
    permit tcp dst eq 445
That is the reason why the ICMP echo reply that comes from Marketing to Finance is dropped: it is neither tcp/445 nor covered by any other permit, so it hits Deny IP. This can be confirmed by checking the counters for traffic from SGT 3 to SGT 2:
bsns-3750-5#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied  HW-Denied  SW-Permitted HW-Permitted
* * 0 0 223613 3645233
0 2 0 0 0 122
3 2 0 65 0 0
2 0 0 0 179 0
8 0 0 0 0 0
The packets are dropped in hardware (the HW-Denied counter for the 3 -> 2 cell is currently 65 and increases by one every second, once per echo reply).
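The two switch outputs above are the evidence a practitioner actually looks for when a TrustSec flow disappears: which cell is dropping and which RBACL is installed there. The following is an added example (not from the original article) that parses the "show cts role-based permissions" and "show cts role-based counters" text, pairs every cell with a non-zero denied counter with the RBACLs installed for it, and compares two counter snapshots to find cells that are dropping right now. The permissions text and the first counters snapshot are copied from the output above; the second snapshot is constructed to show the HW-Denied counter moving from 65 to 66, as described.

```python
"""Correlate 'show cts role-based counters' with 'show cts role-based permissions'.

Added example, not part of the original article. PERMISSIONS_OUTPUT and
COUNTERS_T0 are copied from the switch output shown in the article; COUNTERS_T1
is a constructed snapshot taken one second later.
"""
import re
from typing import Dict, List, Optional, Tuple

Cell = Tuple[str, str]   # (source SGT, destination SGT); ("*", "*") is the default cell

PERMISSIONS_OUTPUT = """\
bsns-3750-5#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 2:Finance to group Unknown:
        test_deny-30
IPv4 Role-based permissions from group 8 to group Unknown:
        permit_icmp-10
IPv4 Role-based permissions from group Unknown to group 2:Finance:
        test_deny-30
        Permit IP-00
IPv4 Role-based permissions from group 3:Marketing to group 2:Finance:
        telnet445-60
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
"""

COUNTERS_T0 = """\
bsns-3750-5#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From    To      SW-Denied  HW-Denied  SW-Permitted HW-Permitted
*       *       0          0          223613       3645233
0       2       0          0          0            122
3       2       0          65         0            0
2       0       0          0          179          0
8       0       0          0          0            0
"""

# Constructed: same output one second later, one more echo reply dropped in hardware.
COUNTERS_T1 = COUNTERS_T0.replace("3       2       0          65", "3       2       0          66")

PERM_RE = re.compile(r"^IPv4 Role-based permissions from group (\S+) to group (\S+):$")


def _sgt(token: str) -> str:
    """'3:Marketing' -> '3'; 'Unknown' -> '0' (SGT 0 is how the counters show Unknown)."""
    return "0" if token.lower() == "unknown" else token.split(":", 1)[0]


def parse_permissions(text: str) -> Dict[Cell, List[str]]:
    """Map each (src, dst) cell to the ordered list of RBACL names installed for it."""
    policy: Dict[Cell, List[str]] = {}
    current: Optional[Cell] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PERM_RE.match(line)
        if line == "IPv4 Role-based permissions default:":
            current = ("*", "*")
            policy[current] = []
        elif m:
            current = (_sgt(m.group(1)), _sgt(m.group(2)))
            policy[current] = []
        elif "#" in line or line.startswith("RBACL Monitor"):
            current = None                   # CLI prompt or trailer, not an ACL name
        elif current is not None and line:
            policy[current].append(line)     # indented ACL names, in evaluation order
    return policy


def _count(token: str) -> Optional[int]:
    """'-' means the hardware cell is shared with another cell and has no counter of its own."""
    return None if token == "-" else int(token)


def parse_counters(text: str) -> Dict[Cell, Dict[str, Optional[int]]]:
    """Map each (from, to) cell to its SW/HW denied and permitted counters."""
    counters: Dict[Cell, Dict[str, Optional[int]]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6 or not (parts[0] == "*" or parts[0].isdigit()):
            continue                         # prompt, title, comment and header lines
        names = ("sw_denied", "hw_denied", "sw_permitted", "hw_permitted")
        counters[(parts[0], parts[1])] = dict(zip(names, (_count(p) for p in parts[2:])))
    return counters


def denied_cells(counters: Dict[Cell, Dict[str, Optional[int]]],
                 permissions: Dict[Cell, List[str]]) -> List[Tuple[Cell, int, List[str]]]:
    """Cells with a non-zero denied counter, paired with the RBACLs that caused the drop."""
    hits = []
    for cell, c in counters.items():
        dropped = (c["sw_denied"] or 0) + (c["hw_denied"] or 0)
        if dropped:
            acls = permissions.get(cell) or permissions.get(("*", "*"), [])
            hits.append((cell, dropped, acls))
    return hits


def growing_denials(before: Dict[Cell, Dict[str, Optional[int]]],
                    after: Dict[Cell, Dict[str, Optional[int]]]) -> List[Tuple[Cell, int]]:
    """Cells whose HW-Denied counter grew between two snapshots, i.e. drops happening now."""
    out = []
    for cell, c in after.items():
        prev = before.get(cell, {}).get("hw_denied") or 0
        now = c["hw_denied"] or 0
        if now > prev:
            out.append((cell, now - prev))
    return out


if __name__ == "__main__":
    perms = parse_permissions(PERMISSIONS_OUTPUT)
    for cell, dropped, acls in denied_cells(parse_counters(COUNTERS_T0), perms):
        print(f"SGT {cell[0]} -> {cell[1]}: {dropped} dropped, installed RBACLs: {acls}")
    print("still dropping:", growing_denials(parse_counters(COUNTERS_T0), parse_counters(COUNTERS_T1)))
```

Running it against the article's output reports the 3 -> 2 cell with 65 drops and the installed list ["telnet445-60", "Deny IP-00"], which is exactly the chain the ICMP echo reply falls through. Unknown is mapped to SGT 0 so that the permissions view and the counters view key the same cell, and a '-' in a hardware column is kept as None rather than zero so a shared cell is not mistaken for a silent one.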
What if tcp/445 connection is initiated from Marketing?
ASA allows that (accepts all VPN traffic because of "sysopt connection permit-vpn"):
Built inbound TCP connection 4773 for outside:192.168.100.50/49181 (192.168.100.50/49181)(LOCAL\cisco, 3:Marketing) to inside:192.168.1.203/445 (192.168.1.203/445) (cisco)
The correct session is created:
BSNS-ASA5512-4(config)# show conn all | i 192.168.100.50
TCP outside  192.168.100.50:49181 inside  192.168.1.203:445, idle 0:00:51, bytes 0, flags UB
And Cisco IOS® accepts it, since it matches the telnet445 RBACL. The correct counter increases:
bsns-3750-5#show cts role-based counters from 3 to 2
3       2       0          65         0            3
(The last column, HW-Permitted, is the traffic permitted by the hardware.) The session is permitted.
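The whole walkthrough, from the stateful SGACL on the ASA in the topology description to the dropped echo reply and the permitted tcp/445 session just shown, comes down to the order in which two different enforcement models see each packet. The following is an added example, not configuration from the original article, that models the two enforcement points in Python with the policies the article shows and replays the flows: a ping from Finance, a tcp/445 and a tcp/22 connection from Marketing, and a TCP connection from Finance. SGT numbers, addresses and ports are the article's; the packet representation and the reduction of the switch policy to the 3:Marketing -> 2:Finance cell (every other cell falls back to the default Permit IP) are simplifications of this example.

```python
"""Stateful SGACL on the ASA vs stateless egress RBACL on the Catalyst 3750X.

Added example, not code or configuration from the original article. It replays
the article's flows through a model of both enforcement points.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

UNKNOWN, FINANCE, MARKETING = 0, 2, 3
FINANCE_PC, VPN_USER = "192.168.1.203", "192.168.100.50"


@dataclass(frozen=True)
class Packet:
    src_sgt: int
    dst_sgt: int
    proto: str                       # "icmp" or "tcp"
    src_ip: str
    dst_ip: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def reply(self) -> "Packet":
        return Packet(self.dst_sgt, self.src_sgt, self.proto,
                      self.dst_ip, self.src_ip, self.dport, self.sport)


Rule = Tuple[int, int, str, Optional[int], str]   # (src SGT, dst SGT, proto, dport, action)
Ace = Tuple[str, Optional[int], str]             # (proto, dport, action); "ip"/None are wildcards


def _ace_matches(proto: str, dport: Optional[int], pkt: Packet) -> bool:
    return proto in ("ip", pkt.proto) and (dport is None or dport == pkt.dport)


class StatefulFirewall:
    """ASA: the SGACL is evaluated once per flow; return traffic matches the conn table."""

    def __init__(self, sgacl: List[Rule], permit_vpn: bool = True) -> None:
        self.sgacl = sgacl
        self.permit_vpn = permit_vpn          # sysopt connection permit-vpn
        self.conns: Set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        # direction-agnostic 5-tuple, so a reply matches the conn its request created
        return (p.proto, frozenset({(p.src_ip, p.sport), (p.dst_ip, p.dport)}))

    def forward(self, pkt: Packet, from_vpn: bool) -> str:
        key = self._key(pkt)
        if key in self.conns:
            return "permit (existing conn)"
        if from_vpn and self.permit_vpn:
            verdict = "permit (sysopt permit-vpn)"   # VPN traffic skips the interface ACL
        else:
            hit = next((r for r in self.sgacl if (r[0], r[1]) == (pkt.src_sgt, pkt.dst_sgt)
                        and _ace_matches(r[2], r[3], pkt)), None)
            if hit is None or hit[4] != "permit":
                return "deny (SGACL)"               # implicit deny at the end of the ACL
            verdict = "permit (SGACL)"
        self.conns.add(key)
        return verdict


class StatelessSwitch:
    """3750X: the RBACL is evaluated for every packet at egress, keyed by (src SGT, dst SGT)."""

    def __init__(self, matrix: Dict[Tuple[int, int], List[Ace]]) -> None:
        self.matrix = matrix

    def forward(self, pkt: Packet, egress_dst_sgt: int) -> str:
        # src SGT rides inline in the CMD header; dst SGT comes from the switch's own
        # binding for the egress port, which is Unknown for the VPN user's address
        cell = self.matrix.get((pkt.src_sgt, egress_dst_sgt))
        if cell is None:
            return "permit (RBACL default: Permit IP)"
        for proto, dport, action in cell:
            if _ace_matches(proto, dport, pkt):
                return f"{action} (RBACL {pkt.src_sgt}->{egress_dst_sgt})"
        return "permit (RBACL default: Permit IP)"   # only reached without a Deny IP at the end


def _path(pkt: Packet, asa: StatefulFirewall,
          switch: StatelessSwitch) -> List[Tuple[str, Callable[[Packet], str]]]:
    """Hops in forwarding order: switch then ASA towards the VPN user, the reverse otherwise."""
    if pkt.dst_ip == VPN_USER:
        return [("switch", lambda p: switch.forward(p, UNKNOWN)),
                ("asa", lambda p: asa.forward(p, from_vpn=False))]
    return [("asa", lambda p: asa.forward(p, from_vpn=True)),
            ("switch", lambda p: switch.forward(p, FINANCE))]


def run_flow(first: Packet, asa: StatefulFirewall,
             switch: StatelessSwitch) -> List[Tuple[str, str, str]]:
    """Replay a request and, if it got through, its reply; one (stage, hop, verdict) per hop."""
    trace = []
    for stage, pkt in (("request", first), ("reply", first.reply())):
        for hop, forward in _path(pkt, asa, switch):
            verdict = forward(pkt)
            trace.append((stage, hop, verdict))
            if verdict.startswith("deny"):
                return trace                      # dropped here, nothing further to replay
    return trace


def build_lab() -> Tuple[StatefulFirewall, StatelessSwitch]:
    # ASA: permit icmp security-group name Finance any security-group name Marketing any
    asa = StatefulFirewall([(FINANCE, MARKETING, "icmp", None, "permit")])
    # switch, Marketing -> Finance: telnet445-60 (permit tcp dst eq 445) then Deny IP-00
    switch = StatelessSwitch({(MARKETING, FINANCE): [("tcp", 445, "permit"), ("ip", None, "deny")]})
    return asa, switch


def ping_from_finance():
    return run_flow(Packet(FINANCE, MARKETING, "icmp", FINANCE_PC, VPN_USER), *build_lab())


def smb_from_marketing():
    return run_flow(Packet(MARKETING, FINANCE, "tcp", VPN_USER, FINANCE_PC, 49181, 445), *build_lab())


def ssh_from_marketing():
    return run_flow(Packet(MARKETING, FINANCE, "tcp", VPN_USER, FINANCE_PC, 49182, 22), *build_lab())


def smb_from_finance():
    return run_flow(Packet(FINANCE, MARKETING, "tcp", FINANCE_PC, VPN_USER, 50000, 445), *build_lab())


if __name__ == "__main__":
    for name, flow in (("icmp Finance->Marketing", ping_from_finance),
                       ("tcp/445 Marketing->Finance", smb_from_marketing),
                       ("tcp/22 Marketing->Finance", ssh_from_marketing),
                       ("tcp/445 Finance->Marketing", smb_from_finance)):
        print(name)
        for stage, hop, verdict in flow():
            print(f"  {stage:7} {hop:6} {verdict}")
```

The ping trace reproduces the article: the request is permitted by the SGACL and creates a conn, the reply is accepted by the ASA on that conn and then dropped by the 3 -> 2 cell on the switch, because the stateless RBACL has no notion of "return traffic" and the reply is neither tcp/445 nor permitted by anything before Deny IP. The tcp/445 session is permitted end to end, tcp/22 from Marketing passes the ASA (permit-vpn) only to be dropped by the same cell, and a TCP connection from Finance is stopped by the ASA's SGACL before it reaches the VPN user.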
This example was chosen on purpose to show the difference in TrustSec policy configuration and enforcement between the ASA and Cisco IOS®. Be aware of the difference between Cisco IOS® policies downloaded from ISE (stateless RBACL) and the TrustSec-aware stateful Zone Based Firewall.