Cisco ASA Series Cli Configuration Manual page 914

Configuring the ASA for Cisco TrustSec Integration
•
•
•
•
•
•
Configuring the ASA for Cisco TrustSec Integration
This section contains the following topics:
•
Cisco ASA Series CLI Configuration Guide
1-10
When changing the ASA local IP address, you must ensure that all SXP peers have updated their
peer list. Likewise, if an SXP peers changes its IP addresses, you must ensure those changes are
reflected on the ASA.
Automatic PAC file provisioning is not supported. The ASA administrator must request the PAC file
from the ISE administrative interface and import it to the ASA. For information about the PAC file,
see Generating the PAC File, page 1-8
page 1-13.
PAC files have expiration dates. You must import the updated PAC file before the current PAC file
expires; otherwise, the ASA will not be able to retrieve environment data updates.
When a security group changes on the ISE (for example, it is renamed or deleted), the ASA does not
change the status of any ASA security policies that contain an SGT or security group name
associated with the changed security group; however, the ASA generates a system log message to
indicate that those security policies changed.
See Refreshing Environment Data, page 1-19
group table on the ASA to pick up changes from the ISE.
The multicast types are not supported in ISE 1.0.
An SXP connection stays in the initializing state among two SXP peers interconnected by the ASA;
as shown in the following example:
(SXP peer A) - - - - (ASA) - - - (SXP peer B)
Therefore, when configuring the ASA to integrate with Cisco TrustSec, you must enable the
no-NAT, no-SEQ-RAND, and MD5-AUTHENTICATION TCP options on the ASA to configure
SXP connections. Create a TCP-state-bypass policy for traffic destined to SXP port TCP 64999
among the SXP peers. Apply the policy on the appropriate interfaces.
For example, configure the ASA as shown in this sample configuration for a TCP-state-bypass
policy:
access-list SXP-MD5-ACL extended permit tcp host peerA host peerB eq 64999
access-list SXP-MD5-ACL extended permit tcp host peerB host peerA eq 64999
tcp-map SXP-MD5-OPTION-ALLOW
tcp-options range 19 19 allow
class-map SXP-MD5-CLASSMAP
match access-list SXP-MD5-ACL
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class SXP-MD5-CLASSMAP
set connection random-sequence-number disable
set connection advanced-options SXP-MD5-OPTION-ALLOW
set connection advanced-options tcp-state-bypass
service-policy global_policy global
Task Flow for Configuring the ASA to Integrate with Cisco TrustSec, page 1-11
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
and Importing a Protected Access Credential (PAC) File,
for information about manually updating the security