I have a customer who wants a stateful packet inspection firewall that will be responsible for controlling outbound traffic for internal users. They have a separate firewall that will deal with blocking inbound traffic. They want the ability to make allow/deny decisions based on user name and/or group membership. The allow/deny decisions will be strictly port/protocol based, and they want the ability to specifically allow or deny all TCP and UDP ports and ICMP traffic on a user-by-user basis. The firewall needs to integrate with eDirectory (first choice) and/or Active Directory, and they want, in effect, single sign-on functionality so that users log in to the domain and the firewall then uses those domain credentials. They have looked at single sign-on options but don't want to install additional desktop clients.
Sounds like your customer is working hard, and not smart. :o)
The simple solution would be to add an Access Control Server and point the firewall to it. Set up the groups and assign the users accordingly. If you need to permit/deny based on time, you could configure "Time-Based" ACLs.
note: you can also configure the ACS to talk to AD.
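As an added illustration of the reply above (not part of the original thread, and not configuration from any poster), here is what the two pieces it mentions look like on a Cisco ASA: an `aaa-server` group pointing the firewall at an ACS host, and a time-based outbound ACL that only permits the ports the customer wants during business hours and explicitly denies ICMP. The host address `10.0.0.5`, the shared key, the interface name `inside` and the object names are assumptions chosen for the example; the ACL itself is a plain port/protocol policy, and any per-user or per-group decision still has to come from the groups defined on the ACS, as the reply says.

```cisco
! --- Example configuration, not from the thread; addresses and names are assumed ---

! Point the firewall at the Access Control Server (assumed address and key)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.5
 key REPLACE_WITH_SHARED_KEY

! Time window during which the permits below apply
time-range WORKHOURS
 periodic weekdays 08:00 to 18:00

! Outbound policy: port/protocol only, evaluated top to bottom
! Permit web and DNS from the internal network during WORKHOURS
access-list OUTBOUND extended permit tcp 10.0.0.0 255.255.255.0 any eq 80  time-range WORKHOURS
access-list OUTBOUND extended permit tcp 10.0.0.0 255.255.255.0 any eq 443 time-range WORKHOURS
access-list OUTBOUND extended permit udp 10.0.0.0 255.255.255.0 any eq 53  time-range WORKHOURS
! Explicitly deny ICMP so the decision is visible in the logs rather than
! falling to the implicit deny at the end of the list
access-list OUTBOUND extended deny icmp 10.0.0.0 255.255.255.0 any log
! Everything else is dropped by the implicit deny; log it for review
access-list OUTBOUND extended deny ip any any log

! Apply the policy to traffic entering the firewall from the internal side
access-group OUTBOUND in interface inside
```

Outside the `WORKHOURS` window the three permit lines are inactive and the matching traffic falls through to the final deny, so `show access-list OUTBOUND` with its hit counters is the quickest way to confirm the time range is behaving as intended.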