13-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued)
Requirement Description

Requirement: DNS configuration (required for fully-qualified domain name usage)
Description:
  If you use fully-qualified domain name (FQDN) network/host objects in firewall rules, you must configure the domain name system (DNS) settings as described in DNS Page, page 51-13. These settings identify the DNS servers used for looking up the names to determine the associated IP address. All processing is ultimately based on the IP address.
  When configuring DNS for FQDN usage, consider the following points:
  • DNS replies can be spoofed, which can open a security hole in your network. Specify only trusted DNS servers, ideally only those inside your network.
  • Some hosts can have constantly changing multiple IP addresses, so the ASA might not always have all valid IP addresses at any one time.
  • Host names with short time-to-live values will require frequent DNS lookups; this can impact the performance of the ASA.
  • Multiple host names can resolve to the same IP address. Ultimately, the firewall rules are applied based on IP address. Thus, if two names map to the same address, and your rules specify different services for those names, the service that is actually provided will be the one specified on the first matched rule.
    Looked at another way, this means that you do not need to specify every version of an FQDN host name in your rules. When you know that several names always point to the same host, you can configure rules for the most commonly used name and they will apply to all synonyms of that name.

Requirement: Maximum limits
Description:
  There are limits to the number of users, user groups, and IP addresses per user. If these limits are exceeded, identity-aware processing will not occur for the additional traffic:
  • IP address limits—A user can be associated with at most 8 IP addresses across all domains.
  • User group limits—Policies can be applied to up to 256 user groups. Users can be in multiple user groups.
  • User limits—Policies can be applied to up to the following number of users. This number is the total aggregate across all contexts defined on the device.
    – ASA 5505—1024 users.
    – Other ASA 5500 series—64,000 users.
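The FQDN points above (rules are ultimately matched on the resolved IP address, so two names that resolve to the same host are governed by the first matching rule, and short TTLs force frequent lookups) can be audited before a policy is deployed. The following script is an added example, not code from Cisco Security Manager or the ASA; the rule list and the resolver snapshot are constructed and hard-coded so it runs offline, where a real audit would take the resolver results from the same DNS servers the ASA is configured to use.

```python
"""Audit FQDN-based firewall rules for IP-level collisions and short TTLs.

Constructed example (not from the Cisco guide). The ASA applies rules by
resolved IP address, so a later rule whose FQDN resolves to an address an
earlier rule already covers never takes effect for that address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str      # rule label (hypothetical)
    fqdn: str      # destination FQDN network/host object
    service: str   # e.g. "tcp/443"
    action: str    # "permit" or "deny"


# Constructed resolver snapshot: FQDN -> (ttl_seconds, set of IPv4 addresses).
RESOLVED = {
    "www.example.test": (3600, {"192.0.2.10"}),
    "example.test":     (3600, {"192.0.2.10"}),                # synonym of www
    "cdn.example.test": (30,   {"192.0.2.20", "192.0.2.21"}),  # short TTL, multi-IP
}

# Constructed rule list, in evaluation order (first match wins).
RULES = [
    Rule("r1", "www.example.test", "tcp/443", "permit"),
    Rule("r2", "example.test", "tcp/80", "permit"),
    Rule("r3", "cdn.example.test", "tcp/443", "permit"),
]

SHORT_TTL = 60  # seconds; below this the ASA must re-resolve frequently


def find_collisions(rules, resolved):
    """Return (later_rule, earlier_rule, ip) for each later rule whose FQDN
    resolves to an IP an earlier rule already covers with a different
    service or action; for that IP only the earlier rule takes effect."""
    first_by_ip = {}
    collisions = []
    for rule in rules:
        _ttl, ips = resolved.get(rule.fqdn, (None, set()))  # unresolved -> no IPs
        for ip in sorted(ips):
            earlier = first_by_ip.setdefault(ip, rule)
            if earlier is not rule and (earlier.service, earlier.action) != (rule.service, rule.action):
                collisions.append((rule, earlier, ip))
    return collisions


def short_ttl_names(resolved, threshold=SHORT_TTL):
    """Names whose TTL is below the threshold, i.e. lookup-heavy for the ASA."""
    return sorted(name for name, (ttl, _ips) in resolved.items() if ttl < threshold)
```

Running `find_collisions(RULES, RESOLVED)` reports that rule r2 is shadowed by r1 for 192.0.2.10, and `short_ttl_names(RESOLVED)` flags cdn.example.test.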