Community Member

ASA Basic URL Filtering based on Active Directory Group?

I have a client who is looking to upgrade their current firewall / proxy. The customer currently only uses the proxy to filter who is allowed access to the internet. I am looking to solve this problem on a single device (ASA). In particular they have an ASA 5510 but would be looking to upgrade it. They currently classify users as "no internet", "selected sites", "internet", and "full access" in AD (Win Srv 2012). "No Internet" users are blocked to all sites except a few sites like UPS and their time clock SaaS provider. "Selected Sites" are allowed to a list of sites that the IT manager updates. "Internet" and "Full Access" are now similar in that they are allowed to all sites. (Used to have URL category filtering but don't subscribe anymore.)

I am looking to have the firewall check AD to see what group the user is in and then apply a rule (access list, etc) based on the group.

Ideally, I would like to make this as simple to manage as possible (current proxy has web interface to add sites to allow) but don't want to spend a ton on modules and software just to get 1 feature.


Cisco Employee

Hi,

I think this can be achieved using the Identity Firewall configuration on the ASA device.

Note: This feature has been introduced from ASA 8.4.2.

You would need CDA for it to work.

Thanks and Regards,

Vibhor Amrodia

Community Member

Unfortunately, as I understand it, this solution allows an IP based on username.  Since they use remote desktop services and most users would end up having the same IP (of the Terminal Server Host), it would allow everyone on the TS, not just the individual user.


Hall of Fame Super Silver

You're correct - Identity Firewall features don't work in the use case of multiple TS users coming from the same address. There is an unresolved enhancement request filed for this issue.

Even if you had a 5500-X series with WSE and AVC NGFW services on the CX module and use identity-based policies there, you still have the constraint that the CX maps authenticated users to IP addresses to record that a given source has been authenticated. Reference.

A non-Cisco solution is available for this use case using Palo Alto Networks' User-ID Terminal Services agent in conjunction with their firewall. Reference.
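The limitation discussed in this thread is that an IP-keyed identity mapping cannot tell apart users who share a terminal server address. The added example below (not from the thread or from Cisco) models the two lookups side by side with constructed users, groups and hosts: an IP-only mapping like the ASA Identity Firewall's, and a mapping keyed on IP plus a per-session source-port range, which is the general approach a terminal-services identity agent uses. Group names, users and host names are constructed for illustration.

```python
"""Model of identity-based web policy with and without a terminal-server (TS)
aware identity source. All data below is constructed for the example."""
from dataclasses import dataclass

# Constructed AD group -> allowed destinations; None means "allow all".
POLICY = {
    "NoInternet": {"ups.example", "timeclock.example"},
    "SelectedSites": {"ups.example", "timeclock.example", "vendor.example"},
    "Internet": None,
}
USER_GROUP = {"alice": "Internet", "bob": "NoInternet"}  # constructed users
TS_IP = "10.0.0.50"  # constructed address of the shared terminal server

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_host: str

def allowed_for(user, dst_host):
    """Apply the user's group policy to the destination."""
    sites = POLICY[USER_GROUP[user]]
    return sites is None or dst_host in sites

class IpIdentity:
    """IP-keyed mapping: the most recent login from an address wins."""
    def __init__(self):
        self.by_ip = {}
    def login(self, user, ip):
        self.by_ip[ip] = user
    def user_for(self, flow):
        return self.by_ip.get(flow.src_ip)

class PortRangeIdentity:
    """(IP, source-port range)-keyed mapping: one port block per TS session."""
    def __init__(self):
        self.ranges = []  # entries of (ip, low_port, high_port, user)
    def login(self, user, ip, low, high):
        self.ranges.append((ip, low, high, user))
    def user_for(self, flow):
        for ip, low, high, user in self.ranges:
            if ip == flow.src_ip and low <= flow.src_port <= high:
                return user
        return None

def decide(identity, flow):
    """Return (resolved user, permitted?) for a flow under a given identity source."""
    user = identity.user_for(flow)
    return user, (user is not None and allowed_for(user, flow.dst_host))
```

With the IP-keyed source, bob's browser traffic from the terminal server is attributed to alice and inherits her "Internet" policy; with the port-range source, each session is evaluated against its own group.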

