Cisco ASA identity firewall

Hello,

I'd like to implement identity firewall on Cisco ASA. I've been reading the following doc,

https://supportforums.cisco.com/docs/DOC-20366

however, in my case I have two Windows Domain Controllers, named FoA for example, where the agent is also installed, and two other Windows Domain Controllers, named FoB for example. Actually, the users are in the FoB Domain Controllers' AD. My question is: since I cannot query FoB directly, I'd like to create a one-way trust from FoA to FoB, so that the firewalls would query FoA. Do you think it can work?

I hope my question is understandable

Thank you

5 Replies

jgoldyn
Level 1

Hi,

Is your AD environment a single forest with multiple domains, or multi-forest with multiple domains?

If it's a single forest, then there should already be an inherent two-way trust between the domains.

If it's multi-forest, then a two-way trust will need to be established between the domains, or a two-way forest trust relationship can be established.

Thanks!

I'll give up on the domain trust solution, so I will install the agent on the DC where I have the users to include in identity-based access rules. Let me ask you one more question: is user identity-to-IP address mapping possible if a user is in Active Directory but his PC is not in that domain?

jgoldyn
Level 1

The workstation also has to be a member of the domain. So the end user must log into the domain from a workstation on the domain.

Hope that helps!

Thanks,

so let's suppose a user is in the domain but his workstation is not, and he is included in an identity-based access rule (regardless of the destination port); will a popup window be shown prompting the user to authenticate?

jgoldyn
Level 1

No, the ASA will not prompt for authentication; there is no mechanism for the ASA to do that.

Thanks,
Joe