ASA VPN SGT propagation of SGT/IP mapping to all corporate firewalls
When a user logs in through SSLVPN (Anyconnect) on an ASA and receives an SGT from ISE, is it possible to propagate the SGT/IP mapping to all other firewalls in the corporate network using SXP? I assume the SSLVPN ASA would be the SXP speaker and all other ASA firewalls would be listeners.
Is there any reason that you wouldn't want to do this or is it something that is commonly done? Any scaling issues (limit on SXP peers...)?
The goal is to assign an SGT to VPN users and enforce access control on firewalls throughout the corporate network based on the SGT/IP mapping propagated from the VPN firewall. I would prefer not to enable TrustSec on any other device in the network. I was originally going to do identity-based firewall with VPN users, but as far as I can tell it lacks the ability to enforce access by group in a centralized manner.
RA users authenticated via RADIUS by ISE, SGT tags are assigned as part of authorization.
I need the ASA to act as SXP speaker in order to deliver the RA users' SGT tags to the ISR_G2, but this doesn't happen :(. I see SGT tags in "debug radius" on the ASA, but these tags don't appear in the local IP<->SGT binding database, therefore no SXP updates are triggered.
According to the TrustSec compatibility matrix this functionality is supported (http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html).
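As an added illustration of the speaker/listener design discussed in this thread (an example configuration written for this page, not posted by either author and not taken from Cisco documentation): the VPN ASA speaks the IP/SGT bindings it holds, including those learned for RA sessions, and a second ASA listens and enforces with a security-group ACL instead of IP-based rules. The AAA server-group name, the addresses, the SGT value 10, the subnet and the shared secret are all assumed placeholders.

```cisco
! --- VPN ASA (SXP speaker), management/source address assumed 10.0.0.1 ---
! cts server-group points at the existing ISE RADIUS group so the ASA can
! fetch TrustSec environment data (SGT names); group name is assumed.
cts server-group ISE-RADIUS
cts sxp enable
cts sxp default password 0 SXP-SHARED-SECRET-PLACEHOLDER
cts sxp default source-ip 10.0.0.1
! Push this ASA's local IP/SGT bindings to the internal firewall
cts sxp connection peer 10.0.0.2 password default mode local speaker

! --- Internal ASA (SXP listener and enforcement point), assumed 10.0.0.2 ---
cts server-group ISE-RADIUS
cts sxp enable
cts sxp default password 0 SXP-SHARED-SECRET-PLACEHOLDER
cts sxp default source-ip 10.0.0.2
cts sxp connection peer 10.0.0.1 password default mode local listener
! Enforce on the received tag: SGT 10 (assumed to be the VPN-user tag) may
! reach the application subnet on HTTPS, everything else to that subnet is denied
access-list INSIDE_IN extended permit tcp security-group tag 10 any 10.50.0.0 255.255.255.0 eq 443
access-list INSIDE_IN extended deny ip any 10.50.0.0 255.255.255.0
access-group INSIDE_IN in interface inside

! --- Checks on both firewalls ---
! Connection must show as On; the RA client's address must appear with its tag
show cts sxp connections
show cts sxp sgt-map ipv4 detail
show cts environment-data
```

The two show commands for the binding table are the place to separate the two failure modes raised above: if the speaker's own sgt-map has no entry for the RA client even though "debug radius" shows the tag arriving, nothing is sent over SXP and the listener side cannot be at fault; if the speaker has the entry but the listener does not, look at the connection state and shared password first. Note that this design still requires the CTS/SXP configuration shown on every enforcing firewall, so it enables TrustSec on the firewalls while leaving switches and routers untouched.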