13-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Step 1 Do one of the following:
• (Device view) Select an ASA device, then select Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Select the row after which you want to add the rule, then click the Add Row (+) button below the table
to start the Insert Service Policy Rule wizard.
Step 3 In step 1 of the wizard, select whether the rule is Global or applies to specific interfaces or interface roles. Select Global if you want to collect statistics for users regardless of which interface their traffic passes through.
Click Next.
Step 4 In step 2, select the traffic class that defines the traffic for which you are collecting statistics. Select Use
class-default if you want to collect statistics on all traffic. Otherwise, select Traffic Class and select the
traffic flow object that defines the traffic matching attributes.
Click Next.
Step 5 In step 3, select the User Statistics tab.
Select Enable user statistics accounting.
Select the type of information you want to collect:
• Account for sent drop count
• Account for sent packet, sent drop and received packet count
Step 6 Click Finish to save your rule.
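For reference, the ASA CLI that the six wizard steps above correspond to, written here as an added example rather than output captured from Security Manager; the ACL and class-map names are assumed placeholders, and the mapping of the two accounting options to the user-statistics keywords is taken from the ASA command reference as the editor understands it:

```cisco
! Step 4, "Traffic Class" option: a traffic flow object becomes an ACL plus a
! class-map. (Placeholder names; the address ranges are constructed samples.)
access-list USER_STATS_ACL extended permit ip 10.10.0.0 255.255.0.0 any
class-map USER_STATS_CLASS
 match access-list USER_STATS_ACL
!
! Step 5: user statistics accounting is a per-class action in the policy map.
policy-map global_policy
 class USER_STATS_CLASS
  ! "Account for sent packet, sent drop and received packet count"
  user-statistics accounting
 class class-default
  ! Step 4, "Use class-default" option, combined here with the lighter
  ! "Account for sent drop count" option (keyword "scanning")
  user-statistics scanning
!
! Step 3: a Global rule attaches the policy map to every interface. An
! interface-specific rule would instead read
!   service-policy USER_STATS_POLICY interface outside
service-policy global_policy global
```

Because the ASA permits only one global service policy, the user-statistics actions are added to the existing global_policy rather than to a second policy map; the per-user counters are then visible on the device alongside the identity-to-IP mappings that the Identity Options policy provides.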
Filtering VPN Traffic with Identity-Based Rules
When you support remote access VPNs on an ASA, you already configure user-sensitive access at the point where the remote user is authenticated. You can also use identity-based rules to filter the traffic after the remote user's access has been validated.
Before creating identity-based rules for VPN, understand the rules for VPN user names, to ensure that
the rules use the correct domain name:
• If you use an Active Directory LDAP server group for authorization, and you configured that domain/server group in the Identity Options policy, the username is associated with the NetBIOS domain.
• For all other authorization mechanisms, the domain name for VPN users is LOCAL.
With this in mind, there are two methods you can use to filter the traffic on the VPN with identity-based ACL rules:
• Apply a VPN filter in the ASA Group Policy object. The filter applies to all users in the group. You can configure a VPN filter on the Connection Settings page in an ASA Group Policy object, which you use in a remote access connection policy. See ASA Group Policies Connection Settings, page 33-22.
• By default, VPN traffic bypasses interface access rules. You can change this behavior so that all VPN traffic must also pass through the interface access rules. If you take this approach, you must ensure that the interface rules are sensitive to your VPN traffic. To force VPN traffic to go through