Lab Overview EDCS-1224105

TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 1 of 42

Cisco TrustSec Secure Group
Firewall with ASA Lab Guide
Developers and Lab Proctors
This lab is created by SAMPG TME teams.
Lab Overview
This lab is designed to help attendees understand the basics in deploying Cisco TrustSec Security
Group Firewall (SGFW) with Adaptive Security Appliance (ASA) and Identity Services Engine (ISE). Lab
participants should be able to complete the lab within the allotted time of 3 hours.
Lab Exercises
This lab guide includes the following exercises:
Part 1 Campus-to-DC SGFW Enforcement with ASA
Lab Exercise 1 : Campus-to-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 2 : Campus-to-DC Configure ASA to download Security Group table
Lab Exercise 3 : Campus-to-DC Configure SXP in Network Devices
Lab Exercise 4 : Campus-to-DC Source and Destination IP-SGT
Lab Exercise 5 : Campus-to-DC Use ASDM to interact with ASA TrustSec features

Part 2 Intra-DC SGFW Enforcement with ASA
Lab Exercise 6 : Intra-DC Configure Network Devices and Security Groups in ISE
Lab Exercise 7 : Intra-DC Configure ASA to download Security Group table
Lab Exercise 8 : Intra-DC Configure SXP in Network Devices
Lab Exercise 9 : Intra-DC Source and Destination IP-SGT

Product Overview EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 2 of 42
Product Overview

The Cisco Secure Access and TrustSec is the Borderless Network access control solution, providing
visibility into and control over devices and users in the network.
Within this solution, Cisco Identity Service Engine (ISE) is a context aware identity-based platform that
gathers real-time information from the network, users, and devices. ISE then uses this information to
make proactive governance decisions by enforcing policy across the network infrastructure utilizing built
in standard based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and
devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive
tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device
(BYOD), through policy-enabled services.

Lab Topology

Lab IP and VLANs EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 3 of 42
Lab IP and VLANs
Internal IP Addresses

Internal VLANs and IP Subnets
Device Name/Hostname IP Address
Access Switch (3560X) 3k-access.demo.local 10.1.100.1
Data Center Switch (3560CG) 3k-data.demo.local 10.1.129.3
Wireless LAN Controller (2504) wlc.demo.local 10.1.100.61
Wireless Access Point (2602i) ap.demo.local 10.1.90.x/24 (DHCP)
ASA (5515-X) asa.demo.local 10.1.100.2
ISE Appliance ise-1.demo.local 10.1.100.21
ISE Feed Server ise-feedserver.demo.local 10.1.100.41
AD (AD/CS/DNS/DHCP) ad.demo.local 10.1.100.10
NTP Server ntp.demo.local 128.107.212.175
MobileIron mobileiron.demo.local 10.1.100.15
Mail mail.demo.local 10.1.100.40
LOB Web lob-web.demo.local
portal.demo.local, updates.demo.local
business.demo.local
it.demo.local
records.demo.local
10.1.129.12
10.1.129.8
10.1.129.9
10.1.129.10
10.1.129.11
LOB DB lob-db.demo.local 10.1.129.20
Admin (Management) Client
(also FTP Server)
admin.demo.local
ftp.demo.local
10.1.100.6
Windows 7 Client PC w7pc-guest.demo.local 10.1.50.x/24 (DHCP)
VLAN VLAN Name IP Subnet Description
10 ACCESS 10.1.10.0/24 Authenticated users or access network using ACLs
20 MACHINE 10.1.20.0/24 Microsoft machine-authenticated devices (L3
segmentation)
(29) IC-ASA-ACCESS 10.1.29.0/24 Interconnect subnet between ASA and Access switch
30 QUARANTINE 10.1.30.0/24 Unauthenticated or non-compliant devices (L3
segmentation)
40 VOICE 10.1.40.0/24 Voice VLAN
50 GUEST 10.1.50.0/24 Network for authenticated and compliant guest users
90 AP 10.1.90.0/24 Wireless AP VLAN
Connecting to Lab Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 4 of 42

Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Accounts and Passwords


Connecting to Lab Devices
Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer

Connect to a POD
Step 1 Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab.
b. Click on the Admin PC, and then click on the RDP Client option that appears.
VLAN VLAN Name IP Subnet Description
100 Management 10.1.100.0/24 Network services (AAA, AD, DNS, DHCP, etc.)
129 WEB 10.1.129.0/24 Line-of-business Web servers
130 DB 10.1.130.0/24 Line-of-business Database servers
Access To Account (username/password)
Access Switch (3560X)
admin / ISEisC00L
Data Center Switch (3560X)
admin / ISEisC00L
Wireless LAN Controller (2504)
admin / ISEisC00L
ASA (5515-X)
admin / ISEisC00L
ISE Appliances
admin / ISEisC00L
AD (CS/DNS/DHCP/DHCP)
admin / ISEisC00L
Web Servers
admin / ISEisC00L
Admin (Management) Client
admin / ISEisC00L
Windows 7 Client
(Local = W7PC-guest or W7PC-corp)
(Domain = DEMO)
W7PC-guest\admin / ISEisC00L
DEMO\admin / ISEisC00L
DEMO\employee1 / ISEisC00L
Connecting to Lab Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 5 of 42
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin PC.
Note: If the lab is manually delivered, the lab proctors will provide the access info.

Connect to ESXi Server and Virtual Machines
During the lab exercises, you may need to access and manage the computers running as virtual
machines.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 2 Once logged in, you will see a list of VMs that are available on your ESXi server:

Step 3 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over VM name in the left-hand pane and right-click to select one of
these options.





Step 4 To access the VM console,
select Open Console from the
drop-down.



Pre-Lab Setup Instructions EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 6 of 42
Step 5 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu:

Connect to Lab Devices
To access the command line interfaces (CLI) of the lab switches, ISE servers, and others using SSH:
Step 1 From the Admin client PC, right click on the
PuTTY shortcut in the taskbar. Then, select
SSH, Telnet and Rlogin client from the pop-
up menu.
Step 2 If the device name present in the saved
sessions, then double click on the saved
session item that matches the device name
(e.g, ise-1). If not, input the hostname or IP
address of the desired device in the Host
Name (or IP address) and click Open.

Step 3 If prompted, click Yes to cache the server
host key and to continue login.
Step 4 Login using the credentials listed in the
Accounts and Passwords table.

Pre-Lab Setup Instructions
Basic Connectivity Test
To perform a basic connectivity test for the primary lab devices, run the pingtest.bat
script from the Windows desktop of the Admin client PC:
Verify that ping succeeds for all devices tested by script.
Note: The ping test may fail for VMs that have not yet completed the boot process.

Pre-Lab Setup Instructions EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 7 of 42
Basic ISE Configuration
Step 1 Access the ISE administrative web interface.
At Admin PC, launch Mozilla Firefox web browser. Enter this URL in the address bar:
https://ise-1.demo.local/
Note: Accept/Confirm any browser certificate warnings if present.








Login with username admin and password !"#$%&!!'
Step 2 Join to the Active Directory.
a. Go to Administration > Identity Management > External Identity Sources.
b. Pick Active Directory from the left-hand-side panel, and select ise-1 in the right-hand-side
connection tab.
c. Click Join with AD domain admin credentials: administrator / ISEisC!!L





Note: If the join fails due to clock skew, use putty ssh to ise-1 admin CLI and issue show ntp and show clock to check if the ntp
service is working. The ntp service may be corrected by a reload of ise-1 or a reset the VM.
Step 3 Disable log collection suppression
Starting from ISE 1.2, the log suppression is on by default to reduce monitoring data storage. In
order to see all log entries during troubleshooting, the suppression can be disabled either
globally or selectively per collection filters. In this lab, we will disable it globally, as shown in (a)
below.
a. Disable suppression globally
i. Go to Administration > System >
Settings, expand on Protocols, and
select RADIUS.
ii. Un-toggle the checkboxes Suppress
Anomalous Clients and Suppress
Repeated Successful
Authentications.

Pre-Lab Setup Instructions EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 8 of 42
iii. Click Save when done.
b. (For reference only) Disable suppression per collection filter
i. Go to Administration > System > Logging, expand on Collection Filters, and click on
Add for a new filter.
ii. Select an attribute from the drop-down menu.
iii. Enter a value to match the attribute in (ii).
iv. Select Disable Suppression from the drop-down menu.
v. Click Submit.


Part 1: Campus-to-DC SGFW Enforcement with ASA EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 9 of 42
Part 1: Campus-to-DC SGFW Enforcement with
ASA

Logical Topology


arL 1 covers a common use case of uslng ASA Lo gauge Lhe neLwork accesses from a campus neLwork Lo
a daLa cenLer neLwork. 1he goal ls Lo allow a speclflc group of users (LC8_web_users) ln Lhe campus Lo
reach Lhe web slLes lnslde Lhe daLa cenLer. ASA enforcemenL may be ln elLher rouLed or LransparenL
mode, and ln elLher slngle or mulLlple conLexLs. An ASA conLexL ln rouLed mode ls presenLed here.

Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 10 of 42

Lab Exercise 1: Campus-to-DC Configure
Network Devices and Security Groups in ISE

Exercise Description
This lab exercise covers the ISE configurations to prepare network devices for RADIUS
authentication and for retrieval of Cisco TrustSec environment data. It also provisions the
security groups for Campus-to-DC access control.
Exercise Objective
In this exercise, your goal is to configure ASA as a network device, in receiving Cisco TrustSec
environment data, in additions to the access level switch and WLC. This includes completion of
the following tasks:
Update the authority ID in EAP-FAST settings
Verify the existing network devices 3k-access and wlc
Add an ASA (context) as a new network device
Create TrustSec security groups

Step 4 Access the ISE administrative web interface.
a. On Admin PC, launch Mozilla Firefox web browser. Enter this URL in the address bar:
https://ise-1.demo.local/
Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L. The ISE Dashboard should
display. Navigate the interface using the multi-level menus.

Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 11 of 42
Step 5 Update EAP-FAST A-ID
a. Navigate to Administration > System > Settings. From there, go to Protocols > EAP-
FAST > EAP FAST Settings.
b. In the text box next to Authority
Identity Info Description, change the
text to ise demo.
This will appear as part of PAC in later
exercises. It should be a unique string to
identify the ISE deployment that
distributes the PAC files.
c. Click Save.

Step 6 Verify the Wireless LAN Controller configured as a Network Access Device in ISE
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. Check this network device pre-configured with the values shown in the following table:
Attribute Value
Name wlc
Description -
IP Address 10.1.100.61 / 32
Model Name -
Software Version -
Device Type WLC
Location GOLD-Lab
! Authentication Settings
Protocol RADIUS
Shared Secret ISEisC00L
d. Update as needed and click Save when finished.

Step 7 Verify the access switch 3k-access configured as a Network Access Device in ISE
a. Go back up to the Network Device List
at Administration > Network
Resources > Network Devices by
clicking on its breadcrumb hyperlink

b. Under Network Devices in the right-hand panel, select 3k-access.

Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 12 of 42
c. Check this network device is preconfigured with the values shown in the following table:
Attribute Value
Name 3k-access
Description -
IP Address 10.1.100.1 / 32
Model Name -
Software Version -
Device Type IOS-SW
Location GOLD-Lab
! Authentication Settings
Protocol RADIUS
Shared Secret ISEisC00L
d. Update as needed and click Save when finished.
Step 8 Add an ASA context cx-ent as a Network Access Device in ISE
a. Go back up to the Network Device List
at Administration > Network
Resources > Network Devices by
clicking on its breadcrumb hyperlink

b. In the toolbar area, click on the botton Add and enter the values for the new device as
shown in the following table:
Attribute Value
Name cx-ent
(see Note 1)

Description -
IP Address 10.1.29.1 / 32
Model Name -
Software Version -
Device Type ASA
Location GOLD-Lab
! Advanced TrustSec Settings
Device Authentication Settings
Use Device ID for SGA !
Device Id cx- ent
Password Anything
(see Note 2)

SGA Notifications and Updates
Download environment data
every
1 Days
Download peer authorization
policy every
1 Days
Reauthentication every 1 Days
Download SGACL lists every 1 Days
Other SGA devices to trust the
device
!
Notify this device about SGA
configuration changes
"
Device Configuration Deployment
(None configured)
Lab Exercise 1: Campus-to-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 13 of 42
Attribute Value
Out Of Band (OOB) SGA PAC
Issue Date
Expiration Date
Issue By
Generate PAC
Note 1: The Name (Device ID) must be the same as the context name in ASA, which we will review in Lab Exercise 2. It is included
in the PAC for ASA to authenticate and retrieve the SG table from ISE
Note 2: The device password is not used because ASA supports only OOB PAC provisioning but needs to be a valid and non-
empty string in order to save the NAD object.
c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog
box, input ISEisC00L as the Encryption Key.
Identity cx- ent
Encryption Key ISEisC00L
PAC Time to Live 1 Years
Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).
d. Click on Generate PAC. In the pop-up window Opening cx-ent.pac of the Firefox browser,
click OK to accept the default Save File option to save the resulting pac file to the default
Downloads folder.
e. Click Submit when finished.
Step 9 Add Security Groups in ISE
a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security
Group Access > Security Groups.
Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select
Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.
b. Add security group LOB_web_users
i. In the right panel, click Add.
ii. Input LOB_web_users into the Name field.
iii. Submit to save this new security group with the assigned tag.
c. Add security group LOB_web_servers
i. In the right panel, click Add.
ii. Input LOB_web_servers into the Name field.
iii. Submit to save this new security group with the assigned tag.
d. The resulting Name-SGT table shall be similar to below:
Name SGT (Dec /Hex)
Unknown 0 / 0000
LOB_web_users 2 / 0002
LOB_web_servers 3 / 0003
You are now done preparing the ISE for the ASA context to download the TrustSec environment data.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 2: Campus-to-DC Configure ASA to download Security Group table EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 14 of 42
Lab Exercise 2: Campus-to-DC Configure ASA
to download Security Group table

Exercise Description
This exercise will show how to enable an ASA context to download the security group (name-to-
tag) table from ISE.
Exercise Objective
In this exercise, your goal is to work on a routed firewall context in ASA and configure it to
download TrustSec Security Group table from ISE:
Create an AAA server group to include ISE as the TrustSec server
Import EAP-FAST PAC generated from ISE
Verify SG table download

Step 1 Use putty to ssh to asa with the credentials admin / ISEisC00L
Step 2 At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3 Switch the context to cx-ent by CLI command changeto context cx-ent
asa# changeto context cx-ent
asa/cx-ent#
Step 4 Review the running-config of the network interfaces and routing with the following CLI
commands in configuration mode:
show run interface
show run route
asa/cx-ent# show run interface
interface GigabitEthernet0/0
nameif campus
security-level 29
ip address 10.1.29.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif web
security-level 100
ip address 10.1.129.1 255.255.255.0
!
interface GigabitEthernet0/5
nameif internet
security-level 0
ip address n0.n1.n2.n3 255.255.255.128

asa/cx-ent# show run route
route internet 0.0.0.0 0.0.0.0 n0.n1.n2.129 1
route campus 10.1.0.0 255.255.128.0 10.1.29.2 1

Lab Exercise 2: Campus-to-DC Configure ASA to download Security Group table EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 15 of 42
Step 5 Create AAA server group ts-ise, add ISE as the host, then designate it as the CTS server group
with the following CLI commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (campus) host 10.1.100.21
authentication-port 1812
accounting-port 1813

cts server-group ts-ise

asa/cx-ent# configure terminal
asa/cx-ent(config)# aaa-server ts-ise protocol radius
asa/cx-ent(config-aaa-server-group)# aaa-server ts-ise (campus) host 10.1.100.21
asa/cx-ent(config-aaa-server-host)# authentication-port 1812
asa/cx-ent(config-aaa-server-host)# accounting-port 1813
asa/cx-ent(config-aaa-server-host)# cts server-group ts-ise
asa/cx-ent(config)# end
asa/cx-ent#

Step 6 On the admin PC, move the cx-ent.pac file from admins Downloads folder to
C:\inetpub\ftproot\ on the admin PC. Then, import it into cx-ent:
cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L

asa/cx-ent# cts import-pac ftp://10.1.100.6/cx-ent.pac password ISEisC00L
!PAC Imported Successfully
asa/cx-ent#
Step 7 Verify the PAC, the environment-data, and the SG table retrieved:
show cts pac
show cts environment-data
show cts environment-data sg-table

asa/cx-ent# show cts pac

PAC-Info:
Valid until: Aug 25 2013 23:42:16
AID: 0215c9b539f4f2f56a716ea5d4a04132
I-ID: cx-ent
A-ID-Info: ise demo
PAC-type: Cisco Trustsec
PAC-Opaque:
000200b000030001000400100215c9b539f4f2f56a716ea5d4a0413200060094000301
00f85bbc5db6fea2d861e26c8d708a717200000001503707f300093a8002ae211d90b7
e2f4829d24eddfbf3c36b4d4766614463e7bb80ff5ee00532e0c725e0629da6652a518
89d66396e9ffaedbc13481e328f423d82ba6f00e82944fa191e9c84c5c10da94a85b18
c4cb60b1e6edcea331480164ab77a8dad7931a4d598c63b2672c3bb7b23028cdfd7965
ae2ce0c4a1
Note: The initiator identifier (I-ID) is cx-ent and A-ID-Info is ise demo. The authority identifier (A-ID) is configured in Lab Exercise 1
Step 2. And, I-ID in Lab Exercise 1 Step 5.
asa/cx-ent# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 04:00:14 UTC Aug 27 2012
Env-data expires in: 0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in: 0:23:48:34 (dd:hr:mm:sec)
Note: If the download fails, check ISE live log and the NAD configuration for ASA.
To refresh or retry the download, use this command:
cts refresh environment-data
Lab Exercise 2: Campus-to-DC Configure ASA to download Security Group table EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 16 of 42
asa/cx-ent# show cts environment-data sg-table

Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 4 of 4 entries

SG Name SG Tag Type
------- ------ -------------
ANY 65535 unicast
LOB_web_servers 3 unicast
LOB_web_users 2 unicast
Unknown 0 unicast

Step 8 Check ISE live authentication records for SG table download by the ASA
a. Switch to ISE admin web interface at the Firefox browser on the admin-PC
b. Re-login as admin / ISEisC00L if the session times out
c. Navigate to Operations > Authentications
i. Live log entries will be similar to below:
Time S Identity Endpoint ID Event
t-2 ! #CTSREQUEST# CTS Data Download Succeeded
t-1 ! #CTSREQUEST# CTS Data Download Succeeded

ii. The authentication results are in the tool-tip by hovering over the status column of each
entry:
Time t-1


Authentication Result
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000050748C6D
Class=CACS:0a0164150000000050748C6D:ise-1/139170756/1
Termination-Action=RADIUS-Request
cisco-av-pair=cts:server-list=CTSServerList1-0001
cisco-av-pair=cts:security-group-tag=0000-00
cisco-av-pair=cts:environment-data-expiry=86400
cisco-av-pair=cts:security-group-table=0001-4

Time t-2

Authentication Result
User-Name=#CTSREQUEST#
State=ReauthSession:0a0164150000000150748C6D
Class=CACS:0a0164150000000150748C6D:ise-1/139170756/2
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-table=0001-4
cisco-av-pair=cts:security-group-info=0-0-00-Unknown
cisco-av-pair=cts:security-group-info=ffff-0-00-ANY
cisco-av-pair=cts:security-group-info=2-0-00-LOB_web_users
cisco-av-pair=cts:security-group-info=3-0-00-LOB_web_servers



This ASA context cx-ent has now the name-to-tag mapping of TrustSec security groups. We will use it in an ACL in later exercises.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 17 of 42
Lab Exercise 3: Campus-to-DC Configure SXP
in Network Devices
Exercise Description
Currently ASA is not capable of in-line secure group tagging. Instead, it supports SGT Exchange
Protocol (SXP) and may learn secure group tags as an SXP listener. In this exercise you will
establish SXP communications between the ASA context cx-ent and its three peers -- 3k-access,
3k-data, and wlc.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure ASA context cx-ent as the SXP listener to peer with three other network devices
Configure 3k-access as the SXP peer for the ASA context cx-ent
Configure 3k-data as the SXP peer for the ASA context cx-ent
Load wlc with a configuration file and configure it as the SXP peer for the ASA context cx-ent

Step 1 Configure ASA context cx-ent as the SXP listener
a. Back in the SSH session to the security context cx-ent on asa, provision the SXP
connectivity with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.2 3k-access SVI for VLAN 29
cts sxp connection peer 10.1.29.2 password default mode local listener
! peer 10.1.129.3 3k-data SVI for management
cts sxp connection peer 10.1.129.3 password default mode local listener
! peer 10.1.100.61 WLC management IP
cts sxp connection peer 10.1.100.61 password default mode local listener
! enable SXP
cts sxp enable
asa/cx-ent# configure terminal
asa/cx-ent(config)# cts sxp default password ISEisC00L
asa/cx-ent(config)# cts sxp conn peer 10.1.29.2 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-ent(config)# cts sxp conn peer 10.1.100.61 password default mode local listener
asa/cx-ent(config)# cts sxp enable
asa/cx-ent(config)# end
asa/cx-ent#
Step 2 Configure SXP on 3k-access
a. Use putty to ssh to 3k-access as admin / ISEisC00L
b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.29.1 asa/cx-cnt campus IP
cts sxp connection peer 10.1.29.1 password default mode local
! enable SXP
cts sxp enable
3k-access# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-access(config)#cts sxp default password ISEisC00L
3k-access(config)#cts sxp conn peer 10.1.29.1 password default mode local
3k-access(config)#cts sxp enable
Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 18 of 42
3k-access(config)#end
3k-access#

c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief
3k-access# show cts sxp connections brief
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running

-----------------------------------------------------------------------------
Peer_IP Source_IP Conn Status Duration
-----------------------------------------------------------------------------
10.1.29.1 10.1.29.2 On 3:10:28:54 (dd:hr:mm:sec)

Total num of SXP Connections = 1
3k-access#
Step 3 Configure SXP on 3k-data
a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.1 asa/cx-ent web IP
cts sxp connection peer 10.1.129.1 password default mode local
! enable SXP
cts sxp enable

3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts sxp default password ISEisC00L
3k-data(config)#cts sxp conn peer 10.1.129.1 password default mode local
3k-data(config)#cts sxp enable
3k-data(config)#end
3k-data#
c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief

3k-data# show cts sxp connections brief
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running

-----------------------------------------------------------------------------
Peer_IP Source_IP Conn Status Duration
-----------------------------------------------------------------------------
10.1.129.1 10.1.129.3 On 3:10:35:23 (dd:hr:mm:sec)

Total num of SXP Connections = 1
3k-data#

Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 19 of 42
Step 4 Load WLC configuration for the lab
a. Login to WLC web interface https://wlc.demo.local as admin / ISEisC00L
b. Navigate to the top menu COMMANDS. Then, choose Download File from the left panel.
c. In Download file to Controller page, fill in the form as below:


Note: The ## in p##-wlc-sgfw.txt is to be replaced with the assigned 2-digit pod number; e.g. p02-wlc-sgfw.txt for pod 02.
d. Click on the button Download to start the file transfer.
e. Wait for transfer and reset complete.
Note: WLC will reset after downloading configuration from an external file server. During the reset, use ping t wlc to monitor.
Step 5 Configure SXP on WLC
a. Use putty to ssh to wlc as admin / ISEisC00L
b. Provision the SXP connectivity with the following CLI commands:
! set SXP default password
config cts sxp default password ISEisC00L
! peer 10.1.29.1 asa/cx-cnt campus IP
config cts sxp connection peer 10.1.29.1
! enable SXP
config cts sxp enable

(Cisco Controller)
User: admin
Password: ISEisC00L
Cisco Controller) >config cts sxp default password ISEisC00L
Cisco Controller) >config cts sxp conn peer 10.1.29.1
Cisco Controller) >config cts sxp enable
Cisco Controller) >
Note: For configuring SXP via WLC web UI, see WLC Configuration Guide
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_011
1111.html#ID4849
c. Verify the SXP connectivity with the following CLI commands:
show cts sxp summary
show cts sxp connections

(Cisco Controller) >show cts sxp summary
Total num of SXP Connections..................... 1
SXP State........................................ Enable
SXP Mode......................................... Speaker
SXP Version...................................... 2
Default Password................................. ****
Default Source IP................................ 10.1.100.61
Connection retry open period .................... 120
File Type Configuration
Configuration File Encryption ! (unchecked)
Transfer Mode FTP
Server Details
IP Address 10.1.100.6
File Path /
File Name p##-wlc-sgfw.txt
Server Login Username ftp
Server Login Password ftp
Server Port Number 21
Lab Exercise 3: Campus-to-DC Configure SXP in Network Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 20 of 42

(Cisco Controller) >show cts sxp connections
Total num of SXP Connections..................... 1
SXP State........................................ Enable
Peer IP Source IP Connection Status
--------------- --------------- -----------------
10.1.29.1 10.1.100.61 On


Step 6 Verify SXP peering status on ASA
a. Back in the SSH session to the security context cx-ent on asa, verify the SXP connectivity
with the following CLI command in exe mode:
show cts sxp connections brief

asa/cx-ent# show cts sxp connections brief
SXP : Enabled
Highest version : 2
Default password : Set
Default local IP : Not Set
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Running
Total number of SXP connections: 3
Total number of SXP connections shown: 3
---------------------------------------------------------------------------
Peer IP Local IP Conn Status Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------
10.1.29.2 10.1.29.1 On 0:00:02:24
10.1.100.61 10.1.29.1 On 0:00:27:29
10.1.129.3 10.1.129.1 On 0:00:00:24
asa/cx-ent#

Note: If the connection status with the wlc not becoming On after a long wait, it may be due to a known defect in WLC 7.2 and 7.3 --
CSCtx92968 WLC SXP peering with ASA after long (random) delay. The workaround is to toggle the SXP status off then on or to
delete then re-create the peer on the wlc.

This ASA context has now peered with three other network devices and shall receive the IP-SGT mappings from them.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 21 of 42
Lab Exercise 4: Campus-to-DC Source and
Destination IP-SGT

Exercise Description
This exercise will show the ASA context cx-ent receives IP-SGT maps from the three peers and
uses them in ACL.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure ISE to use security groups in the authorization policy.
Provision static IP-SGT binding on 3k-data.
Configure ASA ACL with security-group.

Step 1 Access the ISE administrative web interface
a. Use Firefox on the admin PC, login https://ise-1.demo.local as admin / ISEisC00L
Step 2 Join to the Active Directory.
a. Go to Administration > Identity Management > External Identity Sources.
b. Pick Active Directory from the left-hand-side panel.
c. Select ise-1 in the right-hand-side
connection tab.
d. If the status is Not Joined to
Domain, click Join with AD
domain admin credential admin /
ISEisC00L and click OK.
Wait for the operation status turns ! Completed before clicking Close to close the pop-up.

Step 3 Add AD Group LOB_web_users
a. Stay in Active Directory then click on the tab Groups
b. Click on Add and Select Group From Directory from the
drop-down menu
c. In the pop-up window Select Directory Groups, use
LOB* as the filter and click on Retrieve Groups!
d. Put a ! check mark to the item
demo.local/HCC/Groups/LOB_web_users and click
OK.
e. Click Save configuration so the external group is made available in the ActiveDirectory
system dictionary.

Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 22 of 42
Step 4 Review the pre-configured authentication policy under Policy > Authentication as summarized
below. The modified elements from defaults are highlighted in Yellow.
Status Name Condition Protocols Identity Source Options
!
MAB IF Wired_MAB
OR
Wireless_MAB
allow
protocols
HostLookup and use Internal Endpoints Reject
Continue
Drop
!
Dot1X IF Wired_802.1X
OR
Wireless_802.1X
allow
protocols
PEAP-MSCHAPv2-o-TLS

!

EAP-TLS IF EAP-TLS and use certAuthSCN Reject
Reject
Drop

!

Default and use demoAD Reject
Reject
Drop
!
Default Rule
(if no match)
allow
protocols
Default Network Access and use DenyAccess

Reject
Reject
Drop

Step 5 Update Authorization Policy to return security group tags.
Note: We start with a set of preconfigured authorization rules for DOT1X and MAB, and then apply security tags on top of them.
a. Navigate to Policy > Authorization
b. For the rule demoAD access
i. Rule Name
Append LOB_web_users
ii. Other Conditions
Insert a new Attribute/Value condition with the expression, such that
Select the attribute demoAD:ExternalGroups,
Select the operator Equals, and
Select the right-hand-side value (drop-down) demo.local/HCC/Groups/LOB_web_users
iii. Add the security group LOB_web_users under the permissions column.
Note: LOB_web_users is one of the security groups created in Lab Exercise 1 Step 6
Status Rule Name Identity Groups Other Conditions Permissions
!

Wireless Black List
Default
Blacklist Wireless_Access Blackhole_Wireless_Access
!

Profiled Cisco IP
Phones
Cisco-IP-Phone - Cisco_ IP_Phones
!

Profiled Non Cisco
IP Phones
Any Non_Cisco_Profiled_Phones Non_Cisco_IP_Phones
!

demoAD access
LOB_web_users
Any


Network Access:AuthenticationIdentityStore
EQUALS demoAD
PermitAll

AND

LOB_web_users
AND
demoAD:ExternalGroups EQUALS
deomo.local/HCC/Groups/LOB_web_users
!

guest access Guest
OR
ActivatedGuest
- PermitInternet
!

Wireless MAB Any Wireless_MAB wlcCWA-noNSP
!

Wired MAB Any Wired_MAB wiredCWA-noNSP
!

Default (no matches) DenyAccess
c. Click Save once all the changes are done.
Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 23 of 42

ISE is now configured to provide a source security group tag when the rule AD Authenticated is matched.

Step 6 Configure static IP-SGT bindings for the servers on 3k-data
a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the IP-SGT with the following CLI commands in configuration mode:
! map web server ip addresses to SG LOB_web_servers (tag=3)
! Only 10.1.129.12 (web) is used in the test. The others are optional.
cts role-based sgt-map 10.1.129.8 sgt 3
cts role-based sgt-map 10.1.129.9 sgt 3
cts role-based sgt-map 10.1.129.10 sgt 3
cts role-based sgt-map 10.1.129.11 sgt 3
cts role-based sgt-map 10.1.129.12 sgt 3
3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts role-based sgt-map 10.1.129.8 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.9 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.10 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.11 sgt 3
3k-data(config)#cts role-based sgt-map 10.1.129.12 sgt 3
3k-data(config)#end
3k-data#
Note: To verify the configured SGT map, issue EXEC mode CLI
show cts role-based sgt-map all
Step 7 Configure ACL on ASA context cx-ent
a. Back to the SSH session to the context cx-ent of ASA, add an ACL and apply it to the
interface campus with the following CLI commands in configuration mode:
! The 1
st
ACE below is all-in-one-line. (optionally) log so it shows in the logging.
access-list campus_in extended permit tcp security-group name LOB_web_users any security-group
name LOB_web_servers any eq www log
! Allow management VLAN
access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
! Block other campus VLANs to DC
access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0 255.255.128.0
! Allow all others (Internet/DMZ)
access-list campus_in extended permit ip any any

! Apply it to campus
access-group campus_in in interface campus
asa/cx-ent# configure terminal
asa/cx-ent(config)# access-list campus_in extended permit tcp security-group name LOB_web_users
any security-group name LOB_web_servers any eq www log
asa/cx-ent(config)# access-list campus_in extended permit ip 10.1.100.0 255.255.255.0 any
asa/cx-ent(config)# access-list campus_in extended deny ip 10.1.0.0 255.255.128.0 10.1.128.0
255.255.128.0
asa/cx-ent(config)# access-list campus_in extended permit ip any any
asa/cx-ent(config)# access-group campus_in in interface campus
asa/cx-ent(config)# end
asa/cx-ent#
b. Verify the SG name-to-tag mapping with the following CLI commands:
show access-list campus_in
asa/cx-ent# show access-list campus_in
access-list campus_in; 4 elements; name hash: 0x8fb64f40
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any
security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=0)
...
asa/cx-ent#
Note: LOB_web_users and LOB_web_servers are mapped into tag numbers.
Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 24 of 42
c. Configure buffered logging to see ACE hits in later steps.
logging buffered informational
logging timestamp
logging enable

asa/cx-ent# configure terminal
asa/cx-ent(config)# logging buffered informational
asa/cx-ent(config)# logging timestamp
asa/cx-ent(config)# logging enable
asa/cx-ent(config)# end
asa/cx-ent#
Step 8 Test Wired access on w7pc-guest
a. Launch VMware client to connect the VMware host for the pod.
b. Power on p##-w7pc-guest, if off.
Note: The # in p##-w7pc-guest is the assigned 2-digit pod number; e.g. p22-w7pc-guest for pod 22.
c. Access the console via the VMware client.
d. Login Windows as admin / ISEisC00L
e. On w7pc-guest, double click on the desktop short-cut w7pc-guest Network Connections.
Then, enable the w7pc-guest-wired connection by double-clicking on the icon.
f. Establish the Wired Connection by ssh to 3k-access and no shut on the switch interface
g0/1. Wait for DOT1X auth timed out (~ 2 minutes) and fail over to MAB.
3k-access# show auth session

Interface MAC Address Method Domain Status Session ID
Gi0/1 0010.1888.27cc mab DATA Authz Success 0A01FA02000000060F952EE8

3k-access#

g. On w7pc-guest, launch Mozilla Firefox browser and browse to http://web.demo.local. This
shall redirect to the ISE Guest Portal.
Note: Accept/Confirm any browser certificate warnings or AUP (acceptable user policy) if present.
h. Once the guest portal login displayed, login as
employee1 / ISEisC00L


i. After a successful guest login, reattempt access to http://web.demo.local.
In the pop-up Authentication Required
dialog box, enter
admin / ISEisC00L
as the web credential and hit OK.
Note: Stop once the login page of CTS DB Test is visible. We will login onto the test DB in the second part of the Lab.


Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 25 of 42
j. Review the ISE live log
i. Navigate to Operations > Authentications. LOB_web_users is applied after the guest
authenticated, as shown in the sample entries below:
Time S Identity Endpoint ID AuthZ Profiles Event Session ID
t-4 ! employee1 nn:nn:nn:nn:nn:nn PERMIT_ALL_TRAFFIC,LOB_web_users nnnn!
t-3 ! Dynamic Auth nnnn!
t-2 ! employee1 nn:nn:nn:nn:nn:nn Guest Auth
t-1 ! nn:nn:nn:nn:nn:nn nn:nn:nn:nn:nn:nn Wired_CWA Auth nnnn!
ii. Hover over to the status at Time t-4 to see
the authentication detail in the tool-tip. For
example,
User-Name=employee1
...
Termination-Action=RADIUS-Request
cisco-av-pair=cts:security-group-tag:0002-0
cisco-av-pair=profile-name=Windows7-Workstation


k. Check sgt-map on 3k-access by CLI
show cts role-based sgt-map all

3k-access# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address SGT Source
============================================
10.1.50.201 2 LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 1
Total number of active bindings = 1

3k-access#
Note: 10.1.50.201 is the endpoint IP and may vary depending on the VLAN and DHCP assignments.

l. Check the hit counts of ASA access-list
ASA will show the hit count (hitcnt) increasing for the matched entry.
asa/cx-ent# show access-list campus_in
...
access-list campus_in line 1 extended permit tcp security-group name LOB_web_users(tag=2) any
security-group name LOB_web_servers(tag=3) any eq www log informational interval 300 (hitcnt=6)
0x12947da7
...
asa/cx-ent# show logging | inc campus_in
...
%ASA-6-106100: access-list campus_in permitted tcp campus/10.1.10.101(50184)(2:LOB_web_users) ->
web/10.1.129.12(80)(3:LOB_web_servers) hit-cnt 1 first hit [0x12947da7, 0x0]
...
Note: As the logging buffer is limited, show logging might not give any matches if done a few minutes after the web access on the
endpoint.

m. Verify IP-SGT bindings on ASA that are learnt from all its peers and the accelerated security
patch (ASP)
show cts sgt-map (Control Plane command)
show asp table cts sgt-map (Data Path command)

Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 26 of 42
asa/cx-ent# show cts sgt-map

Active IP-SGT Bindings Information

IP Address SGT Source
================================================================
10.1.50.201 2 SXP
10.1.129.8 3 SXP
...

IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 6
Total number of active bindings = 6
Total number of shown bindings = 6

asa/cx-ent# show asp table cts sgt-map


IP Address SGT
==============================================
10.1.129.8 3:LOB_web_servers
...
10.1.50.201 2:LOB_web_users

Total number of entries shown = 6

n. Verify IP-SGT bindings on ASA that are propagated via SXP
show cts sxp sgt-map detail
asa/cx-ent# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 6
Total number of IP-SGT mappings shown: 6

SGT : 3:LOB_web_servers
IPv4 : 10.1.129.8
Peer IP : 10.1.129.3
Ins Num : 1
Status : Active

...

SGT : 2:LOB_web_users
IPv4 : 10.1.50.201
Peer IP : 10.1.29.2
Ins Num : 1
Status : Active
asa/cx-ent#
o. Leave w7pc-guest powered on. We will continue using it in later exercises.

Step 9 (Optional) Test Wireless access on iPad
a. Enable WLAN n-p##-TS-OPEN on wlc
i. Use putty and open ssh session to wlc
ii. Issue the following CLI command:
config wlan enable 10

b. Click on the short-cut vnc-to-ipad on the taskbar to start a VNC session to the iPad.
c. Press any key to continue, once prompt so.
Tips on controlling the iPad UI via VNC client:
Home: (On PC/Mac with 2/3-button mouse) Right click once with a mouse. (On Mac with track pad) Touch with two fingers on
the Track Pad If Secondary Click is configured.
Lab Exercise 4: Campus-to-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 27 of 42
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold Left mouse button and move the mouse pointer to scroll
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The tab key is not available on the iPads virtual keyboard so you will have to move the pointer to the text field you want
to input text, and click on it.
d. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: If no profiles, you might not see the profiles menu option.
e. Next, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
f. Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi.
Note: Forget any networks the iPad automatically connects to them.
g. Select and connect to the network n-p##-TS-OPEN
Note: The ## in n-p##-TS-OPEN is to be replaced with the assigned 2-digit pod number; e.g. n-p22-TS-OPEN
h. Launch Mobile Safari app and browse to http://web.demo.local. This shall redirect to the ISE
Guest Portal.
Note: Accept/Confirm any browser certificate warnings or AUP (acceptable user policy) if present.
i. Repeat previous step (8) h ~ n of this exercise to verify the Wireless access for the iPad.


! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Lab Exercise 5: Campus-to-DC Use ASDM to Interact with ASA TrustSec Features EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 28 of 42
Lab Exercise 5: Campus-to-DC Use ASDM to
Interact with ASA TrustSec Features
Exercise Description
This lab covers the essential ASDM operations for TrustSec elements on an ASA.
Exercise Objective
In this exercise, your goal is to familiarize with basic ASDM operations for TrustSec. This includes
completion of the following tasks:
Configure for PAC and SXP
Monitor for PAC, SXP, and SGT maps
Create ACL with security elements
Step 1 Connect ASDM to ASA
a. On the admin-PC, double-click ASDM-IDM Launcher on the desktop
b. Provide inputs as below:
Device IP Address / Name: asa.demo.local
Username: admin
Password: ISEisC00L
" Run in Demo Mode (unchecked)
c. Click OK to connect.
Step 2 Switch to context cx-ent: In the device list on the left-hand-side panel, connect to cx-
ent by double-clicking on the named context.
Step 3 Configure TrustSec properties using ASDM
a. Navigate to Configuration > Firewall > Identity by TrustSec


b. Verify the SXP peers, default source, default password, timers, Server Group.
Lab Exercise 5: Campus-to-DC Use ASDM to Interact with ASA TrustSec Features EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 29 of 42
c. (Optional, as already done via CLI in Exercise 2 Step 6) Click on Import PAC to import the
PAC from the local machine
d. (Optional) Check/un-check the checkbox next to Enable SGT Exchange Protocol (SXP) to
enable/disable SXP
e. Click Apply to effect the changes

Step 4 Monitoring TrustSec: Navigate to Monitoring > Properties > Identity by TrustSec
Click each item in turn to check
a. PAC - verify PAC installation
b. Environment Data - verify the
download of security group table
c. SXP Connections - check SXP
connections with peers
d. IP Mappings - verify security group
IP mapping table



Step 5 Use ASDM to reconfigure Security
Group based policies
a. Go to Configuration > Firewall > Objects > Security Group Object Groups
b. Click on Add on the right-hand panel
c. In the pop-up window Add Security Group Object Group, fill in

Group Name: demo-SG-Obj-
Group
Click to highlight
LOB_web_servers in Existing
Security Groups
Click Add >> to add to
Members in Group
Click OK to close the pop-up.



d. Go to Configuration > Firewall > Access Rules
e. Click on the rule under interface campus and
hit Edit to work on the first ACE
f. In the pop-up Edit Access Rule, click on the
browse icon next to Security Group text box
in the Destination Criteria.
g. In the pop-up Browse Security Group
window
Lab Exercise 5: Campus-to-DC Use ASDM to Interact with ASA TrustSec Features EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 30 of 42
<< Remove security group name LOB_web_servers
Add >> Existing Security Group Object Groups demo-SG-Obj-Group
Click OK to close the pop-up Browse Security Group

h. Click OK to close the pop-up Edit Access Rule.
i. Click Apply to send the changes to ASA.
Step 6 Repeat Exercise 4 Step 7 to send traffic and verify the policies applied correctly.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Part 2: Intra-DC SGFW Enforcement with ASA EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 31 of 42
Part 2: Intra-DC SGFW Enforcement with ASA

Logical Topology



arL 2 covers a use case of uslng ASA Lo segmenL server-Lo-server communlcaLlon wlLhln a daLa cenLer
neLwork. 1he goal ls Lo allow a speclflc group of servers (LC8_web_servers) Lo access Lhe daLa on
anoLher (LC8_db_servers). ASA enforcemenL may be ln elLher rouLed or LransparenL/brldge mode, or ln
elLher slngle or mulLlple conLexLs. An ASA conLexL ln LransparenL mode ls used ln Lhls parL of exerclses.

Lab Exercise 6: Intra-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 32 of 42
Lab Exercise 6: Intra-DC Configure Network
Devices and Security Groups in ISE

Exercise Description
This lab covers the ISE configurations to prepare ASA context cx-lob for RADIUS authentication
and retrieving TrustSec environment data. It also provisions the security groups used for Intra-
DC accesses.
Exercise Objective
In this exercise, your goal is to configure ASA as a network device in ISE so that it may receive
TrustSec security groups. This includes completion of the following tasks:
Create a network device for ASA context cx-lob
Create TrustSec security groups

Step 1 Access the ISE administrative web interface.
a. Login https://ise-1.demo.local as admin / ISEisC00L
Note: Accept/Confirm any browser certificate warnings if present.
Step 2 Add an ASA context cx-lob as a Network Access Device
a. Navigate to Administration > Network Resources > Network Devices
b. Click Add with the values shown in the following table:
Attribute Value
Name cx-lob
(see Note 1)

Description -
IP Address 10.1.129.2 / 32
Model Name -
Software Version -
Device Type ASA
Location GOLD-Lab
! Advanced TrustSec Settings
Device Authentication Settings
Use Device ID for SGA !
Device Id cx- l ob
Password Anything
(see Note 2)

SGA Notifications and Updates
Download environment data
every
1 Days
Download peer authorization
policy every
1 Days
Reauthentication every 1 Days
Download SGACL lists every 1 Days
Other SGA devices to trust the
device
!
Notify this device about SGA "
Lab Exercise 6: Intra-DC Configure Network Devices and Security Groups in ISE EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 33 of 42
Attribute Value
configuration changes
Device Configuration Deployment
(None configured)
Out Of Band (OOB) SGA PAC
Issue Date
Expiration Date
Issue By
Generate PAC
Note 1: The Name (Device ID) must be the same as that of the context name in ASA. It is included in the PAC for ASA to
authenticate and retrieve the SG table from ISE.
Note 2: The device password is not used because ASA supports only OOB PAC provisioning but needs to be a valid and non-
empty string in order to save the NAD object.
c. In the section Out Of Band (OOB) SGA PAC, click Generate PAC. In the pop-up dialog
box, input ISEisC00L as the Encryption Key.
Identity cx- l ob
Encryption Key ISEisC00L
PAC Time to Live 1 Years
Note: ASA uses this encryption key to import the PAC securely (Lab Exercise 2 Step 6).
d. Click on Generate PAC and save the resulting pac file to the default Downloads folder.
e. Click Submit when finished.
Note: If Submit does not work, log off and back into the ISE admin web interface and repeat Step 2 again.
Step 3 Create Security Groups
a. Go to Policy > Policy Elements > Results. In the left-hand-side panel, select Security
Group Access > Security Groups.
Note: ISE assigns SGT automatically by default. To manually assign SGTs, go to Administration > System > Settings, select
Security Group Access in the left-hand-side panel, and then select All tags are manually defined in the right panel.
b. Add security group LOB_db_servers
i. In the right panel, click Add.
ii. Input LOB_db_servers into the Name field.
iii. Submit to save this new security group with the assigned tag.
c. The resulting Name-SGT table shall be similar to below:
Name SGT (Dec /Hex)
Unknown 0 / 0000
LOB_web_users 2 / 0002
LOB_web_servers 3 / 0003
LOB_db_servers 4 / 0004

You are now done preparing the ISE for the ASA context cx-lob to download the TrustSec environment data.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 7: Intra-DC Configure ASA to download Security Group table EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 34 of 42
Lab Exercise 7: Intra-DC Configure ASA to
download Security Group table

Exercise Description
This exercise will show how to enable an ASA context to download the security group (name-to-
tag) table from ISE.
Exercise Objective
In this exercise, your goal is to work a transparent context in ASA and configure it to download
TrustSec Security Group table from ISE:
Create an AAA server group and designate it as the TrustSec server
Import PAC and verify SG table download

Step 1 If disconnected, restart the putty ssh session to asa with the credentials admin / ISEisC00L
Step 2 At the prompt, enter the CLI command enable then give ISEisC00L as the enable password.
asa/cx-admin> enable
Password: ISEisC00L
asa/cx-admin#

Step 3 Change to the context cx-lob by CLI command changeto context cx-lob
asa# changeto context cx-lob
asa/cx-lob#
Step 9 Review the running-config of the network interfaces and routing with the following CLI
commands in configuration mode:
show run interface
show run route
asa/cx-lob# show run interface
!
interface BVI1
ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif web
bridge-group 1
security-level 8
!
interface GigabitEthernet0/3
nameif db
bridge-group 1
security-level 9

asa/cx-lob# show run route
route web 0.0.0.0 0.0.0.0 10.1.129.1 1
Step 4 Add AAA server group and host and designate it as the cts server group with the following CLI
commands in configuration mode:
aaa-server ts-ise protocol radius
aaa-server ts-ise (web) host 10.1.100.21
authentication-port 1812
accounting-port 1813
cts server-group ts-ise
Lab Exercise 7: Intra-DC Configure ASA to download Security Group table EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 35 of 42
asa/cx-lob# configure terminal
asa/cx-lob(config)# aaa-server ts-ise protocol radius
asa/cx-lob(config-aaa-server-group)# aaa-server ts-ise (web) host 10.1.100.21
asa/cx-lob(config-aaa-server-host)# authentication-port 1812
asa/cx-lob(config-aaa-server-host)# accounting-port 1813
asa/cx-lob(config-aaa-server-host)# cts server-group ts-ise
asa/cx-lob(config)# end
asa/cx-lob#
Step 5 On admin-PC, move the cx-lob.pac file from admins Downloads folder to C:\inetpub\ftproot\.
Then, proceed to import it at ASA:
cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L

asa/cx-lob# cts import-pac ftp://10.1.100.6/cx-lob.pac password ISEisC00L
!PAC Imported Successfully
Step 6 Check PAC data and verify environment-data and SG table by:
show cts pac
show cts environment-data
show cts environment-data sg-table

asa/cx-lob# show cts pac

PAC-Info:
Valid until: Aug 25 2013 23:42:16
AID: 0215c9b539f4f2f56a716ea5d4a04132
I-ID: cx-lob
A-ID-Info: ise demo
PAC-type: Cisco Trustsec
PAC-Opaque:
...
Note: The initiator identifier (I-ID) is cx-lob and A-ID-Info is ise demo. The authority identifier (A-ID) is configured in Lab Exercise 1
Step 2. And, I-ID in Lab Exercise 6 Step 2.
asa/cx-lob# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 04:00:14 UTC Aug 27 2012
Env-data expires in: 0:23:58:34 (dd:hr:mm:sec)
Env-data refreshes in: 0:23:48:34 (dd:hr:mm:sec)
Note: If the download fails, check ISE live log and the NAD configuration for ASA.
asa/cx-lob# show cts environment-data sg-table

Security Group Table:
Valid until: 04:00:14 UTC Aug 28 2012
Showing 6 of 6 entries

SG Name SG Tag Type
------- ------ -------------
ANY 65535 unicast
LOB_db_servers 4 unicast
LOB_web_servers 3 unicast
LOB_web_users 2 unicast
Unknown 0 unicast
This ASA context has now the TrustSec security group name-to-tag mapping. We will use it in ACL in later exercises.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Lab Exercise 8: Intra-DC Configure SXP in Network Devices EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 36 of 42
Lab Exercise 8: Intra-DC Configure SXP in
Network Devices
Exercise Description
In this exercise you will establish the SXP communication between the ASA context cx-lob and
3k-data.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Configure ASA context cx-lob as the SXP listener to peer with the switch 3k-data
Configure the switch 3k-data as the SXP peer for the ASA context cx-ent

Step 1 Configure cx-lob as the SXP listener
a. Back in the SSH session to the context cx-lob of ASA, provision the SXP connectivity with
the following CLI commands in configuration mode:
! set SXP default password
cts sxp default password ISEisC00L
! peer 10.1.129.3 3k-data SVI for VLAN 129
cts sxp connection peer 10.1.129.3 password default mode local listener
cts sxp enable

asa/cx-lob# configure terminal
asa/cx-lob(config)# cts sxp default password ISEisC00L
asa/cx-lob(config)# cts sxp conn peer 10.1.129.3 password default mode local listener
asa/cx-lob(config)# cts sxp enable
asa/cx-lob(config)# end
asa/cx-lob#

Step 2 Configure SXP on 3k-data
a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the SXP connectivity with the following CLI commands in configuration mode:
! peer 10.1.129.2 asa/cx-lob web IP
cts sxp connection peer 10.1.129.2 password default mode local
Note: SXP default password is set and the SXP service enabled previously in Part 1 Exercise 3 Step 3.

3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts sxp conn peer 10.1.129.2 password default mode local
3k-data(config)#end
3k-data#
c. Verify the SXP connectivity with the following CLI command in exec mode:
show cts sxp connections brief

3k-data# show cts sxp connections brief
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 37 of 42
Reconcile period: 120 secs
Retry open timer is running

-----------------------------------------------------------------------------
Peer_IP Source_IP Conn Status Duration
-----------------------------------------------------------------------------
10.1.129.1 10.1.129.3 On 3:10:35:23 (dd:hr:mm:sec)
10.1.129.2 10.1.129.3 On 0:00:38:33 (dd:hr:mm:sec)

Total num of SXP Connections = 2
3k-data#

This ASA context cx-lob has now peered with 3k-data and shall get the IP-SGT mapping from it.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

Lab Exercise 8: Intra-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 38 of 42
Lab Exercise 8: Intra-DC Source and
Destination IP-SGT

Exercise Description
This exercise will show the switch 3k-data forwards its IP-SGT mappings to the ASA context cx-
lob and the ASA uses the security groups to enforce server-to-server communications.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Provision static IP-SGT binding on 3k-data.
Configure ASA ACL with security-group.

Step 1 Configure static IP-SGT binding on 3k-data
a. Use putty to ssh to 3k-data as admin / ISEisC00L
b. Provision the static IP-SGT binding with the following CLI command in configuration mode:
! map a db server ip address to SGT LOB_db_servers (tag=4)
cts role-based sgt-map 10.1.129.20 sgt 4
3k-data# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3k-data(config)#cts role-based sgt-map 10.1.129.20 sgt 4
3k-data(config)#end
3k-data#
c. Verify the static IP-SGT binding with the following CLI command in exec mode
show cts role-based sgt-map all

3k-data# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address SGT Source
============================================
10.1.129.8 3 CLI
...
10.1.129.20 4 CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 6
Total number of active bindings = 6


Step 2 Configure an ACL on ASA context cx-lob
a. Back in the SSH session to the context cx-lob of ASA, add an ACL and apply it to the
interface web with the following CLI commands in configuration mode:
! add an ACL
! This ACL has only one ACE and all in one-line.
access-list web_in extended permit tcp security-group name LOB_web_servers any security-group
name LOB_db_servers any eq 3306 log
! Apply it to web
access-group web_in in interface web

Lab Exercise 8: Intra-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 39 of 42
asa/cx-lob# configure terminal
asa/cx-lob(config)# access-list web_in extended permit tcp security-group name LOB_web_servers
any security-group name LOB_db_servers any eq 3306 log
asa/cx-lob(config)# access-group web_in in interface web
asa/cx-lob(config)# end
asa/cx-lob#
b. Verify the SG name-to-tag mapping with the following CLI command:
show access-list web_in

asa/cx-lob# show access-list web_in
access-list web_in; 2 elements; name hash: 0x732a90f6
access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any
security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=0)
0x8193d619
asa/cx-lob#
Note: LOB_web_servers and LOB_db_servers are both associated with tag numbers in parentheses.
c. Configure buffered logging to see ACE hits in later steps.
logging buffered informational
logging timestamp
logging enable

asa/cx-lob# configure terminal
asa/cx-lob(config)# logging buffered informational
asa/cx-lob(config)# logging timestamp
asa/cx-lob(config)# logging enable
asa/cx-lob(config)# end
asa/cx-lob#

Step 3 Test on w7pc-guest
a. Switch back to the console of w7pc-guest via the VMware client.
b. If needed, login again at Windows as admin / ISEisC00L
c. If the network connection disconnected, re-authenticate using either Wired or Wireless as in
Exercise 4 Step 8 or 9.
d. Launch Mozilla Firefox browser, go to http://web.demo.local, and, if needed, re-authenticate
to the web site as admin / ISEisC00L
e. At the CTS DB Test login page, enter the following info before hitting Go
Log in
Username: admin
Password: ISEisC00L
Server Choice TS TEST DB
f. Check the hit counts of ASA access-list
ASA will show the hit count (hitcnt) increasing for the matched entry.
asa/cx-lob# show access-list web_in
...
access-list web_in line 1 extended permit tcp security-group name LOB_web_servers(tag=3) any
security-group name LOB_db_servers(tag=4) any eq 3306 log informational interval 300 (hitcnt=3)
0x8193d619
asa/cx-lob# show logging | inc web_in
...
%ASA-6-106100: access-list web_in permitted tcp app/10.1.129.12(43838)(4:LOB_web_servers) ->
db/10.1.129.20(3306)(5:LOB_db_servers) hit-cnt 1 first hit [0x8193d619, 0x0]
...
Lab Exercise 8: Intra-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 40 of 42
g. Verify IP-SGT bindings on ASA that are learnt from all its peers and the accelerated security
patch (ASP)
show cts sgt-map (Control Plane command)
show asp table cts sgt-map (Data Path command)

asa/cx-lob# show cts sgt-map

Active IP-SGT Bindings Information

IP Address SGT Source
================================================================
10.1.129.8 3 SXP
...
10.1.129.20 4 SXP

IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 6
Total number of active bindings = 6
Total number of shown bindings = 6

asa/cx-lob# show asp table cts sgt-map

IP Address SGT
==============================================
10.1.129.8 3:LOB_web_servers
...
10.1.129.20 4:LOB_db_servers

Total number of entries shown = 6

asa/cx-lob#

h. Verify IP-SGT bindings on ASA that are propagated via SXP
show cts sxp sgt-map detail

asa/cx-lob# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 6
Total number of IP-SGT mappings shown: 6

SGT : 3
IPv4 : 10.1.129.8
Peer IP : 10.1.129.1
Ins Num : 1
Status : Active

...

SGT : 4
IPv4 : 10.1.129.20
Peer IP : 10.1.129.1
Ins Num : 1
Status : Active
asa/cx-lob#
i. Power off w7pc-guest when done.

! End of Exercise: You have successfully completed this exercise.
Proceed to next section.

! End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
Lab Exercise 8: Intra-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 41 of 42
Appendix A: Creating a transparent firewall context
In this lab, all the ASA contexts are created in advance. For your reference, here are the steps to create
the transparent context cx-lob:
Step 1 Change to the system space by CLI command changeto system
asa/cx-admin# changeto system
asa#
Step 2 Create a new context cx-lob with the following CLI commands in configuration mode:
context cx-lob
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/cx-lob.cfg
exit

interface GigabitEthernet0/2
no shut
interface GigabitEthernet0/3
no shut
asa# configure terminal
asa(config)# context cx-lob
Creating context 'cx-lob... Done. (5)
asa(config-ctx)# allocate-interface GigabitEthernet0/2
asa(config-ctx)# allocate-interface GigabitEthernet0/3
asa(config-ctx)# config-url disk0:/cx-lob.cfg

WARNING: Could not fetch the URL disk0:/cx-lob.cfg
INFO: Creating context with default config
asa(config)# interface gigabitEthernet 0/2
asa(config-if)# no shut
asa(config-if)# interface gigabitEthernet 0/3
asa(config-if)# no shut
asa(config)# end
asa#
Step 3 Change to the new context cx-lob by CLI command changeto context cx-lob
asa# changeto context cx-lob
asa/cx-lob#
Step 4 Update the firewall mode and the interfaces with the following CLI commands in configuration
mode:
! Change to transparent mode
firewall transparent
!
interface BVI1
ip address 10.1.129.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif web
bridge-group 1
security-level 9
!
interface GigabitEthernet0/3
nameif db
bridge-group 1
security-level 10
!
! default gateway to ASA cx-ents web interface
route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob# configure terminal
asa/cx-lob(config)# firewall transparent
asa/cx-lob(config)# interface BVI1
asa/cx-lob(config-if)# ip address 10.1.129.2 255.255.255.0
asa/cx-lob(config-if)# exit
asa/cx-lob(config)# interface GigabitEthernet0/2
asa/cx-lob(config-if)# nameif web
Lab Exercise 8: Intra-DC Source and Destination IP-SGT EDCS-1224105
TS_SGFW-ASA_Lab_Guide.docx 9/13/13 10:10 PM US/Pacific Page 42 of 42
asa/cx-lob(config-if)# brige-group 1
asa/cx-lob(config-if)# security-level 9
asa/cx-lob(config-if)# !
asa/cx-lob(config)# interface GigabitEthernet0/3
asa/cx-lob(config-if)# nameif db
asa/cx-lob(config-if)# brige-group 1
asa/cx-lob(config-if)# security-level 10
asa/cx-lob(config-if)# !
asa/cx-lob(config-if)# route web 0.0.0.0 0.0.0.0 10.1.129.1 1
asa/cx-lob(config)# end
asa/cx-lob#