Cisco ASA Series Configuration Manual page 103

Chapter 6 ASA and Cisco TrustSec
For example, an access rule permits or denies traffic on an interface using network information. With
Cisco TrustSec, you can control access based on security group. For example, you could create an access
rule for sample_securitygroup1 10.0.0.0 255.0.0.0, meaning the security group could have any IP
address on subnet 10.0.0.0/8.
You can configure security policies based on combinations of security group names (servers, users,
unmanaged devices, and so on), user-based attributes, and traditional IP-address-based objects (IP
address, Active Directory object, and FQDN). Security group membership can extend beyond roles to
include device and location attributes and is independent of user group membership.
Examples
The following example shows how to create an ACL that uses a locally defined security object group:
object-group security objgrp-it-admin
security-group name it-admin-sg-name
security-group tag 1
object-group security objgrp-hr-admin
security-group name hr-admin-sg-name
group-object it-admin
object-group security objgrp-hr-servers
object-group security objgrp-hr-network
access-list hr-acl permit ip object-group-security objgrp-hr-admin any
object-group-security objgrp-hr-servers
The ACL configured in the previous example can be activated by configuring an access group or the
Modular Policy Framework.
Additional examples:
!match src hr-admin-sg-name from any network to dst host 172.23.59.53
access-list idw-acl permit ip security-group name hr-admin-sg-name any host 172.23.59.53
!match src hr-admin-sg-name from host 10.1.1.1 to dst any
access-list idfw-acl permit ip security-group name hr-admin-sg-name host 10.1.1.1 any
!match src tag 22 from any network to dst hr-servers-sg-name any network
access-list idfw-acl permit ip security-group tag 22 any security-group name hr-servers-sg-name any
!match src user mary from any host to dst hr-servers-sg-name any network
access-list idfw-acl permit ip user CSCO\mary any security-group name hr-servers-sg-name any
!match src objgrp-hr-admin from any network to dst objgrp-hr-servers any network
access-list idfw-acl permit ip object-group-security objgrp-hr-admin any object-group-security
objgrp-hr-servers any
!match src user Jack from objgrp-hr-network and ip subnet 10.1.1.0/24 to dst objgrp-hr-servers any network
access-list idfw-acl permit ip user CSCO\Jack object-group-security objgrp-hr-network 10.1.1.0
255.255.255.0 object-group-security objgrp-hr-servers any
!match src user Tom from security-group mktg any google.com
object network net-google
fqdn google.com
access-list sgacl permit ip sec name mktg any object net-google
! If user Tom or object_group security objgrp-hr-admin needs to be matched, multiple ACEs can be defined as
follows:
access-list idfw-acl2 permit ip user CSCO\Tom 10.1.1.0 255.255.255.0 object-group-security
objgrp-hr-servers any
access-list idfw-acl2 permit ip object-group-security objgrp-hr-admin 10.1.1.0 255.255.255.0
object-group-security objgrp-hr-servers any
security-group name hr-servers-sg-name
security-group tag 2
// single sg_name
// locally defined object-group as nested object
Cisco ASA Series Firewall CLI Configuration Guide
Guidelines for Cisco TrustSec
6-21