Cisco ASA Series Configuration Manual page 91

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 6
ASA and Cisco TrustSec
The ASA supports security policies based on security group names in the source or destination
fields, or both. You can configure security policies on the ASA based on combinations of security
groups, IP address, Active Directory group/user name, and FQDN.
Availability
You can configure security group-based policies on the ASA in both the Active/Active and
Active/Standby configurations.
The ASA can communicate with the ISE configured for high availability (HA).
You can configure multiple ISE servers on the ASA; if the first server is unreachable, the ASA
continues to the next server, and so on. However, if the server list is downloaded as part of the
Cisco TrustSec environment data, it is ignored.
If the PAC file downloaded from the ISE expires on the ASA and it cannot download an updated
security group table, the ASA continues to enforce security policies based on the last downloaded
security group table until the ASA downloads an updated table.
Clustering
For Layer 2 networks, all units share the same IP address. When you change the interface address,
the changed configuration is sent to all other units. When the IP address is updated from the interface
of a particular unit, a notification is sent to update the IP-SGT local database on this unit.
For Layer 3 networks, a pool of addresses is configured for each interface on the master unit, and
this configuration is synchronized to the slave units. On the master unit, a notification of the IP
addresses that have been assigned to the interface is sent, and the IP-SGT local database is updated.
The IP-SGT local database on each slave unit can be updated with the IP address information for the
master unit by using the address pool configuration that has been synchronized to it, where the first
address in the pool for each interface always belongs to the master unit.
When a slave unit boots, it notifies the master unit. Then the master unit goes through the address
pool on each interface and computes the IP address for the new slave unit that sent it the notification,
and updates the IP-SGT local database on the master unit. The master unit also notifies the other
slave units about the new slave unit. As part of this notification processing, each slave unit computes
the IP address for the new slave unit and adds this entry to the IP-SGT local database on each slave
unit. All the slave units have the address pool configuration to determine the IP address value. For
each interface, the value is determined as follows:
Slave IP = Master IP + (M - N), where:
M is the maximum number of units (up to 8 are allowed)
N is the slave unit number that sent the notification
When the IP address pool changes on any interface, the IP addresses for all the slave units and the
master unit need to be recalculated and updated in the IP-SGT local database on the master unit, as
well as on every other slave unit. The old IP address needs to be deleted, and the new IP address
needs to be added.
When this changed address pool configuration is synchronized to the slave unit, as a part of
configuration change processing, each slave unit recomputes the IP address for the master unit and
for every other slave unit whose IP address has changed, then removes the entry for the old IP
address and adds the new IP address.
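The address computation and IP-SGT local database bookkeeping described above for a Layer 3 cluster, as an added example that is not part of the original guide and not Cisco's own code. It applies the page's formula Master IP + (M - N) with M = 8, assumes slave units are numbered 1 through M-1 and that the master always holds the first pool address, takes pools as "first-last" ranges, and uses constructed interface names and address ranges. The pool-change routine returns the entries it deleted and added so the recalculation the page describes can be audited.

```python
# Added example (not Cisco code): model the IP-SGT local database bookkeeping
# described for Layer 3 clusters, using the page's formula Master IP + (M - N).
from __future__ import annotations

import ipaddress

MAX_UNITS = 8  # the page states that up to 8 cluster units are allowed


def parse_pool(pool: str):
    """Parse a 'first-last' address range into (first, last) address objects.
    The range form is an assumption of this example; inputs are constructed."""
    first_s, last_s = pool.split("-")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if int(last) < int(first):
        raise ValueError(f"pool {pool!r}: last address precedes first")
    return first, last


def unit_address(master_ip, n: int, m: int = MAX_UNITS):
    """Address held by unit N on an interface whose pool starts at master_ip.

    Unit 0 is the master and always holds the first pool address. A slave unit N
    (assumed here to be numbered 1..M-1) holds Master IP + (M - N), per the page.
    """
    master_ip = ipaddress.ip_address(str(master_ip))
    if n == 0:
        return master_ip
    if not 1 <= n < m:
        raise ValueError(f"slave number {n} outside 1..{m - 1}")
    return master_ip + (m - n)


def interface_entries(pool: str, m: int = MAX_UNITS) -> dict[int, str]:
    """Compute every unit's address on one interface from its pool.

    Checks that the pool really holds M addresses: unit addresses are derived
    only from the first address and M, so a short pool would silently place
    units outside the configured range.
    """
    first, last = parse_pool(pool)
    if int(last) - int(first) + 1 < m:
        raise ValueError(f"pool {pool!r} holds fewer than {m} addresses")
    return {n: str(unit_address(first, n, m)) for n in range(m)}


def build_local_db(pools: dict[str, str], m: int = MAX_UNITS) -> dict[str, dict[int, str]]:
    """IP-SGT local database view for this unit: interface -> {unit number -> IP}."""
    return {ifc: interface_entries(pool, m) for ifc, pool in pools.items()}


def apply_pool_change(db: dict[str, dict[int, str]], ifc: str, new_pool: str, m: int = MAX_UNITS):
    """Handle a pool change on one interface as the page describes: recompute every
    unit's address, delete entries whose IP changed and add the new ones.
    Returns (removed, added) as sorted lists of (unit, ip)."""
    old = db.get(ifc, {})
    new = interface_entries(new_pool, m)
    removed = sorted((n, ip) for n, ip in old.items() if new.get(n) != ip)
    added = sorted((n, ip) for n, ip in new.items() if old.get(n) != ip)
    db[ifc] = new
    return removed, added


if __name__ == "__main__":
    # Constructed sample pools; "inside"/"outside" are placeholder interface names.
    pools = {"inside": "10.1.1.1-10.1.1.8", "outside": "192.0.2.1-192.0.2.8"}
    db = build_local_db(pools)
    print("slave 1 on inside:", db["inside"][1])  # 10.1.1.8, i.e. master + (8 - 1)
    removed, added = apply_pool_change(db, "inside", "10.1.1.33-10.1.1.40")
    print("entries removed:", len(removed), "entries added:", len(added))  # 8 and 8
```

Note that with the page's formula the lowest-numbered slave receives the highest address in the pool; the pool-size check is the safeguard worth keeping, because nothing in the formula itself ties a unit's address to the pool's last address.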
Cisco ASA Series Firewall CLI Configuration Guide
About Cisco TrustSec
6-9