Cisco ASA Identity Firewall

At the moment I am testing identity firewalling with a Cisco ASA for a new office network infrastructure.

From the configuration side everything is straightforward and easy to set up:

1. Configure AAA LDAP Server

aaa-server protocol ldap
aaa-server (INSIDE) host
    ldap-base-dn DC=addomain,DC=net
    ldap-group-base-dn DC=addomain,DC=net
    ldap-scope subtree
    server-type microsoft
    server-port 389
    ldap-login-dn *username*
    ldap-login-password *password*

If you use LDAP over SSL you need to enable it on the aaa-server and change the server port accordingly!

2. Configure Windows Cisco AD Agent

Install the Cisco AD Agent on one of your Windows servers, but not on a Domain Controller if you also want to use NPS!

adacfg client create -name ASA5515 -ip -secret secretpresharedkey
adacfg dc create -name DC01 -host -domain -user Administrator -password *password*

2.1 Check Windows AD Agent Configuration

C:\IBF\CLI\adactrl.exe show running
C:\IBF\CLI\adacfg.exe client list
C:\IBF\CLI\adacfg.exe dc list

3. Configure AD Agent on the ASA

aaa-server adagent protocol radius
    ad-agent-mode

aaa-server adagent (INSIDE) host
    key secretpresharedkey

user-identity ad-agent aaa-server adagent

4. Configure Identity option on the ASA

user-identity domain ADDOMAIN aaa-server
user-identity default-domain ADDOMAIN

5. Example Object and Access List Configuration

object-group user USERNAME
    user ADDOMAIN\user1

object-group user GROUPNAME
    user-group ADDOMAIN\IT-ADMINs

access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host
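As an added example that is not part of the original post, the checks to run after the steps above and the failure-handling options for the AD Agent link. The tag adagent, the domain ADDOMAIN and the ACL INSIDE-IN are from the post; the LDAP tag ADLDAP (the post leaves it blank) and the addresses 10.0.0.10 and 10.0.0.50 are constructed placeholders.

```cisco
! Added example, not from the original post. ADLDAP and the
! 10.0.0.x addresses are constructed placeholders.
!
! 1. Can the ASA reach the AD Agent (RADIUS) and the LDAP server?
test aaa-server ad-agent adagent
test aaa-server authentication ADLDAP host 10.0.0.10 username user1 password *password*
show user-identity ad-agent
!
! 2. Were the groups imported, and does a user-to-IP mapping exist?
!    Identity ACEs only match traffic from an IP that has a mapping;
!    traffic from an IP without one is treated as unknown user.
show user-identity group
show user-identity user all
show user-identity user-of-ip 10.0.0.50
show user-identity ip-of-user ADDOMAIN\user1
!
! 3. Hit counters per ACE: shows whether the user and user-group
!    lines of the ACL actually matched traffic.
show access-list INSIDE-IN
!
! 4. Failure handling. If the AD Agent or the domain controller is
!    unreachable, disable the identity-based rules instead of going
!    on with cached mappings (this fails closed for permit rules and
!    open for deny rules, so check which kind the ACL relies on),
!    and age out mappings that cannot be verified any more.
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down ADDOMAIN disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
```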

More information about how to configure identity firewalling can be found here: Configuring the Identity Firewall

Cisco ASA Virtual Context Mode

A single Cisco ASA or a cluster of two ASAs can be partitioned into multiple virtual firewalls known as security contexts. Each context is its own independent firewall, with its own security policy, interfaces and administrators. These contexts are similar to having multiple standalone ASA devices. In combination with failover groups you can run an ASA cluster in active/active state and utilize both devices. Don't forget that when a failover happens both failover groups need to run on a single device, so keep enough resources free on both devices and do not oversubscribe too much.

You have to check the limitations, because not all features are supported in context mode. In version 8 dynamic routing protocols, VPN, Threat Detection and Quality of Service are unsupported. Version 9 brought some changes, and dynamic routing protocols (except RIP and OSPFv3) and site-to-site IPsec VPNs are now supported.

Here is the configuration example of how to set up a Cisco ASA 5580 with 10 Gigabit Ethernet interfaces.

Enabling the context mode

mode noconfirm multiple

Physical interface configuration

interface GigabitEthernet4/2
  description Failover
  no shutdown

interface GigabitEthernet4/3
  description Stateful
  no shutdown

interface TenGigabitEthernet5/0
  description TeTrunk-1st
  no shutdown

interface TenGigabitEthernet5/1
  description TeTrunk-2nd
  no shutdown

Redundant interface configuration

interface Redundant 1
  description Redundant-Trunk
  member-interface TenGigabitEthernet5/0
  member-interface TenGigabitEthernet5/1

interface Redundant 1.800
  vlan 800
  description Link-Outside1

interface Redundant 1.801
  vlan 801
  description Link-Outside2

interface Redundant 1.100
  vlan 100
  description Link-Inside1

interface Redundant 1.101
  vlan 101
  description Link-Inside2

interface Redundant 1.500
  vlan 500
  description Link-Management

Now you need to configure the ASA failover settings. As you can see in the failover group configuration, I put group 1 on the primary device and group 2 on the secondary device for an active/active set-up; when I create the virtual security contexts I join them to the different failover groups.

failover group 1
  primary
  preempt
  polltime interface 1 holdtime 5

failover group 2
  secondary
  preempt
  polltime interface 1 holdtime 5

failover lan unit primary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover standby

failover link stateful GigabitEthernet4/3
failover interface ip stateful standby

failover polltime unit 2 holdtime 6
failover polltime interface 1 holdtime 5
failover timeout 0:00:00

failover
failover active

Failover configuration on the secondary device

interface GigabitEthernet4/2
  description Failover
  no shutdown

failover lan unit secondary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover standby
failover

copy running-config startup-config

Now you set up the virtual contexts and allocate the interfaces configured before:

admin-context admin-asa-01

context admin-asa-01
  allocate-interface Redundant1.500 Link-Management
  config-url disk0:/admin-asa-01.conf
  join-failover-group 1

context virtual-asa-02
  allocate-interface Redundant1.800 Link-Outside1
  allocate-interface Redundant1.100 Link-Inside1
  config-url disk0:/virtual-asa-02.conf
  join-failover-group 1

context virtual-asa-03
  allocate-interface Redundant1.801 Link-Outside2
  allocate-interface Redundant1.101 Link-Inside2
  config-url disk0:/virtual-asa-03.conf
  join-failover-group 2
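As an added example that is not part of the original post, a resource class for the two customer contexts, so that one context cannot starve the others when both failover groups end up on a single device, followed by the checks to run in the system execution space. The context names are the ones configured above; the class name virtual-fw and the limits are assumptions, to be sized for the actual box.

```cisco
! Added example, not from the original post. Class name and limits
! are assumptions; admin-asa-01 stays in the built-in default class.
!
! Percentages are of the whole device. Two contexts at 40% each
! leave headroom for the admin context and for the moment when
! a failover puts both failover groups on one unit.
class virtual-fw
  limit-resource conns 40%
  limit-resource xlates 40%
  limit-resource hosts 40%
  limit-resource rate conns 10000
  limit-resource rate syslogs 500
  limit-resource asdm 2
  limit-resource ssh 2

context virtual-asa-02
  member virtual-fw

context virtual-asa-03
  member virtual-fw

! Verification: mode, contexts, which unit is active for each
! failover group, and whether the allocated limits add up below
! 100% and are not already being hit.
show mode
show context
show failover
show failover group 1
show failover group 2
show resource allocation
show resource usage context all
```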

Finally, save the configuration:

write memory all

Afterwards you can change to the configured contexts with the command

changeto context virtual-asa-02

and start configuring your virtual firewalls.