Cisco Systems ASA5515K9, ASA 5500 Deployment Scenarios

36-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter36 Configuring the Identity Firewall

Information About the Identity Firewall

•Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature

works in tandem with existing 5-tuple solution.

•Supports usage with IPS and Application Inspection policies.

•Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and

cut-through proxy. All retrieved users are populated to all ASA devices connected to the AD Agent.

Scalability

•Each AD Agent supports 100 ASA devices. Multiple ASA devices are able to communicate with a

single AD Agent to provide scalability in larger network deployments.

•Supports 30 Active Directory servers provided the IP address is unique among all domains.

•Each user identity in a domain can have up to 8 IP addresses.

•Supports up to 64,000 user identity-IP address mappings in active ASA policies for ASA 5500

Series models. This limit controls the maximum users who have policies applied. The total users are

the aggregated users configured on all different contexts.

•Supports up to 1024 user identity-IP address mappings in active ASA policies for the ASA 5505.

•Supports up to 256 user groups in active ASA policies.

•A single rule can contain one or more user groups or users.

•Supports multiple domains.

Availability

•The ASA retrieves group information from Active Directory and falls back to web authentication

for IP addresses that the AD Agent cannot map a source IP address to a user identity.

•The AD Agent continues to function when any of the Active Directory servers or the ASA are not

responding.

•Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary

AD Agent stops responding, the ASA can switch to the secondary AD Agent.

•If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut through

proxy and VPN authentication.

•The AD Agent runs a watchdog process that automatically restarts its services when they are down.

•Allows a distributed IP address/user mapping database among ASA devices.

Deployment Scenarios

You can deploy the components of the Identity Firewall in the following ways depending on your

environmental requirement.

As shown in Figure 36-2, you can deploy the components of the Identity Firewall to allow for

redundancy. Scenario 1 shows a simple installation without component redundancy.

Scenario 2 also shows a simple installation without redundancy. However, in that deployment scenario,

the Active Directory server and AD Agent are co-located on one Windows server.