36-20
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring Identity-based Access Rules
An access rule permits or denies traffic based on the protocol, a source and destination IP address or
network, and the source and destination ports. For information about access rules, see in Chapter34,
“Configuring Access Rules.”
The Identity Firewall feature adds the ability to permit or deny traffic based on a users’ identities or
based on a user group. You configure access rules and security policies based on user names and user
groups name in addition to source IP addresses. The ASA applies the security policies based on an
association of IP addresses to Windows Active Directory login information and reports events based on
the mapped user names instead of network IP addresses.
Users can be local, remote (via VPN), wired or wireless. Server resources can include server IP address,
server DNS name, or domain.
Identity-based access rules follow the same general format that standard IP-address-based rules follow:
action, protocol, source, destination, and optional source service when the protocol for the rule is TCP
or UDP. In addition, they include specifying user and user group objects before traditional
IP-address-based objects—any, network object/network group, interface, host, IP address, and network
mask.
You can create access rules that solely contain identity-based objects (users and user groups) or combine
identity-based objects with traditional IP-address-based objects. You can create an access rule that
includes a source user or source user group from a qualifying IP-address-based source. For example, you
could create and access rule for sample_user1 11.0.0.0 255.0.0.0, meaning the user could have any IP
address on subnet 11.0.0.0/8.
You can create an access rule with FQDN in the source and the destination.
The destination portion of an identity-based access rule follows the same format and guidelines as
traditional IP-address-based access rules.
Guidelines and Limitations
Supports up to 64,000 user identity-IP address mappings in active ASA policies for ASA 5500
Series models.
This limit controls the maximum users who have policies applied. The total users are the aggregated
users configured on all different contexts.
Supports up to 1024 user identity-IP address mappings in active ASA policies for the ASA 5505.
This limit controls the maximum users who have policies applied. The total users are the aggregated
users configured on all different contexts.
Supports up to 256 user groups in active ASA security policies.
A single rule can contain one or more user groups or users.
Prerequisites
After AD domain and AD-Agent are configured, Identity-based rules can be specified to enforce
identity-based rules.
To configure identity-based access rules, perform the following steps: