Configure Security Group Object Groups - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Configure Objects

Configure Security Group Object Groups

You can create security group object groups for use in features that support Cisco TrustSec by including
the group in an extended ACL, which in turn can be used in an access rule, for example.
When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE. The
ISE acts as an identity repository, by providing Cisco TrustSec tag-to-user identity mapping and Cisco
TrustSec tag-to-server resource mapping. You provision and manage security group ACLs centrally on
the ISE.
However, the ASA might have localized network resources that are not defined globally on the ISE and that
require local security groups with localized security policies. Local security groups can contain nested
security groups that are downloaded from the ISE. The ASA consolidates local and central security groups.
To create local security groups on the ASA, you create a local security object group. A local security
object group can contain one or more nested security object groups or Security IDs or security group
names. You can also create a new Security ID or security group name that does not exist on the ASA.
You can use the security object groups you create on the ASA to control access to network resources.
You can use the security object group as part of an access group or service policy.
For information on how to integrate the ASA with TrustSec, see Chapter 6, "ASA and Cisco TrustSec."

Tip: If you create a group with tags or names that are not known to the ASA, any rules that use the group
will be inactive until the tags or names are resolved with ISE.

Procedure

Step 1 Create or edit a security group object group using the object name.
hostname(config)# object-group security group_name
Example:
hostname(config)# object-group security mktg-sg

Step 2 Add objects to the security group object group using one or more of the following commands. Use the
no form of the command to remove an object.
security-group {tag sgt_number | name sg_name}—A security group tag (SGT) or name. A tag is
a number from 1 to 65533 and is assigned to a device through IEEE 802.1X authentication, web
authentication, or MAC authentication bypass (MAB) by the ISE. Security group names are created
on the ISE and provide user-friendly names for security groups. The security group table maps SGTs
to security group names. Consult your ISE configuration for the valid tags and names.
group-object object_group_name—The name of an existing security group object group.
Example:
hostname(config-security-object-group)# security-group tag 1
hostname(config-security-object-group)# security-group name mgkt
hostname(config-security-object-group)# group-object local-sg

Step 3 (Optional) Add a description.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 2, "Objects for Access Control," page 2-8
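The three steps above as one complete configuration, added here as an example that is not taken from the page or from Cisco's own documentation: it builds a local security group, nests it in a second group, removes one member with the no form, references the result as the source security group in an extended ACL, and binds that ACL to an interface. The group, ACL and interface names (servers-sg, mktg-sg, TRUSTSEC_IN, inside), the tag values 10 and 20, the security group names Servers and Marketing, the object-group-security keyword position in the ACL, and the show commands used for the check are all assumptions; the ISE integration from Chapter 6 must already be configured, or the tags and names will stay unresolved and the ACL entries will be inactive, as the Tip warns.

```text
! Assumed: the ASA is already integrated with ISE as described in Chapter 6.
! Steps 1 and 2: a local group holding only tags and names that ISE resolves (assumed values)
hostname(config)# object-group security servers-sg
hostname(config-security-object-group)# description Data-center servers
hostname(config-security-object-group)# security-group tag 20
hostname(config-security-object-group)# security-group name Servers
hostname(config-security-object-group)# exit

! Steps 1 to 3: a second local group that nests the first and adds its own tag and name
hostname(config)# object-group security mktg-sg
hostname(config-security-object-group)# description Marketing users plus nested server group
hostname(config-security-object-group)# security-group tag 10
hostname(config-security-object-group)# security-group name Marketing
hostname(config-security-object-group)# group-object servers-sg
hostname(config-security-object-group)# exit

! Step 2, no form: drop a single member without touching the rest of the group
hostname(config)# object-group security mktg-sg
hostname(config-security-object-group)# no security-group tag 10
hostname(config-security-object-group)# exit

! Use the consolidated group as the source security group in an extended ACL
! (assumed syntax: protocol, then source security group, source address, destination address, port)
hostname(config)# access-list TRUSTSEC_IN extended permit tcp object-group-security mktg-sg any any eq 443
hostname(config)# access-list TRUSTSEC_IN extended deny ip any any
hostname(config)# access-group TRUSTSEC_IN in interface inside

! Check: confirm the groups, confirm no ACE is inactive, and confirm ISE has supplied the SGT table
hostname# show running-config object-group
hostname# show access-list TRUSTSEC_IN
hostname# show cts environment-data sg-table
```

If show access-list reports an entry that uses mktg-sg as inactive, the cause is normally a tag or name the ISE security group table does not contain: compare the values in the group against the table the last show command prints, and correct either the group on the ASA or the definition on the ISE rather than adding a permit rule to work around it.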
