Friday, August 26, 2011

Cisco Identity Firewall: ASA integration with AD for firewall rules

Hey Guys

So this feature is pretty damn cool in my opinion. It is called the Cisco ASA Identity Firewall.

This feature is available from ASA software 8.4(2) onwards, is part of the base license, and looks great.

Basically it lets you write firewall rules that are based not on IP address but on username or AD group membership! The user doesn't need to log in to the firewall or do anything complicated for this to work.

What happens is that the ASA talks to a piece of free software from Cisco (the AD Agent, no licence required) that connects to AD and maps logged-in users to IP addresses. In the background that mapping is what the ASA is looking at when it evaluates access rules, but when you're configuring it, you just say "block all Internet traffic for users belonging to this group".

To quote Cisco:

"The key benefits of the Identity Firewall include:
• Decoupling network topology from security policies
• Simplifying the creation of security policies
• Providing the ability to easily identify user activities on network resources
• Simplify user activity monitoring"

So, just to run you through a scenario:

Let's say you have a user, User X, who is a very important executive. This very important executive travels to different sites on your WAN, so his IP might be totally different each time, and he also loves to VPN into your network all the time.

He INSISTS on being able to run BitTorrent when he is plugged into the network, but of course you ban it for everyone else.

So what do you do in a normal situation? Put his office in a separate VLAN and assign him a separate IP? Yep, that could work for his office, but what about when he travels to different sites? What about when he connects over the VPN?

With the Identity Firewall, you just write an access-list entry that looks something like this:

access-list internetOut permit ip user DCDOMAIN\ImportantExecutive any any

You can see from the above that you reference the user as the Windows domain name, a backslash and the user ID, and the ASA resolves that to whatever IP address the user currently has.

You can also specify a group. Note that a group uses a double backslash between the domain and the group name (which follows the double backslash), whereas a user uses a single one:

hostname(config)# access-list aclname extended permit ip user-group SAMPLE\\ any any

What happens is that, when the ASA evaluates the rules, it consults the AD Agent that you installed on a Windows server. The agent keeps a mapping of IP address to Windows login (it gets this from the domain controllers' logon events) and is constantly updating as users log in and out. It also receives information from the ASA whenever a user logs in to the VPN, so their assigned IP address gets mapped too! Two caveats a practitioner should keep in mind: the mapping is inferred from AD logon activity, not from the firewall challenging the user, so a host that takes over (or spoofs) the IP of a logged-in user inherits that user's policy unless you enable the ASA's NetBIOS logout probing and MAC-mismatch checks; and the mapping is one user per IP address, so a host shared by many logged-in users, such as a terminal server, is treated as whichever user the agent most recently associated with that address.
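To tie the pieces together, here is an added example of what the full ASA-side configuration looks like for the BitTorrent scenario above. It is not from the original post (the author has no ASA to test on, see below): the interface names, IP addresses, the SAMPLE domain, the bind account, the shared secret and the user and group names are all made up, and the command syntax follows the ASA 8.4(2) Identity Firewall configuration guide.

```cisco
! Added example, not from the original post. Addresses, names, the SAMPLE
! domain and the group/user names are assumptions; syntax follows the
! ASA 8.4(2) Identity Firewall configuration guide.

! 1. LDAP server group pointing at a domain controller. The ASA uses this
!    to import group membership, so the bind account only needs read access.
!    LDAP over SSL keeps the bind password off the wire.
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 10.0.0.10
 ldap-base-dn DC=sample,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap,CN=Users,DC=sample,DC=local
 ldap-login-password Str0ngPassw0rd
 server-type microsoft
 ldap-group-base-dn DC=sample,DC=local
 ldap-over-ssl enable
 server-port 636
user-identity domain SAMPLE aaa-server adserver

! 2. RADIUS server group for the AD Agent (the free agent on a Windows box).
!    ad-agent-mode marks this group as the agent; the key must match the
!    secret the agent was configured with.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 10.0.0.20
 key Sh4redSecret
user-identity ad-agent aaa-server adagent

! 3. Turn the feature on and decide what happens when the data source fails.
!    disable-user-identity-rule switches off the identity-based ACEs while
!    the agent or DC is unreachable; whether that is fail-open or fail-closed
!    depends on whether your identity ACEs are permits or denies, so think
!    about each one before choosing it over remove-user-ip.
user-identity default-domain SAMPLE
user-identity enable
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down SAMPLE disable-user-identity-rule

! 4. Defend the IP-to-user mapping: probe idle hosts over NetBIOS and drop
!    the mapping when they stop answering or when the MAC behind an IP changes,
!    so a machine that later picks up (or spoofs) the address does not inherit
!    the previous user's policy.
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity action netbios-response-fail remove-user-ip
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 1

! 5. The policy. user = a single account (single backslash), user-group = an
!    AD group (double backslash). Order matters: the executive's permit sits
!    above the deny that catches everyone else, and identity ACEs mix freely
!    with ordinary address-based ones in the same list.
object-group service BITTORRENT tcp
 port-object range 6881 6889
access-list internetOut extended permit tcp user SAMPLE\ImportantExecutive any any object-group BITTORRENT
access-list internetOut extended deny tcp any any object-group BITTORRENT
access-list internetOut extended permit ip user-group SAMPLE\\Internet-Users any any
access-list internetOut extended deny ip any any
access-group internetOut in interface inside

! 6. Verification: is the agent up, and who does the ASA think is behind
!    a given address (or where a given user currently is)?
show user-identity ad-agent
show user-identity user-of-ip 10.1.20.55
show user-identity ip-of-user SAMPLE\ImportantExecutive
show user-identity user active list
show access-list internetOut
```

The mapping checks in step 4 are what make this safer than plain "trust the IP": without them, whoever gets the executive's old DHCP lease keeps his BitTorrent permit until the inactivity timer expires. The show commands at the end are the first thing to run when a user reports being blocked, because nine times out of ten the problem is that the agent has no mapping for their current address rather than a mistake in the ACL.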

You can see how this could greatly simplify your firewall configuration and allow rapid changes. It is a powerful tool and I can't wait to get my hands on an ASA running 8.4(2) to try it out and show you all how to configure it! (Donations of ASAs kindly welcomed :p)


  1. Hey Peter,

    Great post, stuff like this that lets noobs like myself use powerful features easily is a great help.



  2. Hi Peter,

    This is Harris Andrea from networkstraining.

    I have seen this feature in the new release of Cisco ASA 8.4 and said to myself, "finally Cisco is following what all the other vendors have been doing for so long now".

    Indeed it is a great feature. Fortinet and Checkpoint had this feature a long time ago, so it's good that Cisco is following along.

    Thanks for posting.


  3. Hi Tim

    I sure am glad you liked it. I wish I had an ASA to test it for you and post a more detailed configuration, but an ASA is a missing device from my little lab (I have a PIX 515, but that can't run this version of code, 8.4.2, and neither can GNS3).

  4. What if a user is logged on to a terminal server? Does that mean all users on that terminal server will be able to access the same resources?