One of my customers has requested a L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.
The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.
I've read about sysopt and vpn filter. So there are 2 choices.
1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.
2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.
This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.
VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.
Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?
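Added example, not from the original post or from Cisco's documentation: the two choices listed above written out as ASA 9.0 configuration for the central-office 5510, with placeholder names, addresses and secrets. It assumes an AD domain nickname CORP, an AD agent and LDAP server on the inside interface, a remote peer and LAN, and a group policy name PARTNER-L2L-GP, none of which are in the post.

```cisco
! Added example (not from the original post). Placeholders: AD domain nickname CORP,
! AD agent 10.10.10.20, LDAP server 10.10.10.21, remote peer 203.0.113.10,
! remote LAN 192.168.50.0/24, local application server 10.10.10.5.

! Identity Firewall prerequisites (needed for either option): the ASA learns
! user-to-IP mappings from the AD agent and group membership from AD via LDAP.
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 10.10.10.20
 key <AD-AGENT-SHARED-SECRET>
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.21
 ldap-base-dn DC=corp,DC=example
 ldap-login-dn CN=asa-bind,CN=Users,DC=corp,DC=example
 ldap-login-password <BIND-PASSWORD>
 ldap-scope subtree
 server-type microsoft
user-identity domain CORP aaa-server AD-LDAP
user-identity default-domain CORP
user-identity ad-agent aaa-server AD-AGENT
user-identity enable

! Identity ACL: only members of the AD group Partner-Admins, coming from the
! remote LAN, may reach the application server over HTTPS; everything else is denied.
! Note the double backslash required for user-group; a single backslash is used for user.
access-list PARTNER-IDFW extended permit tcp user-group CORP\\Partner-Admins 192.168.50.0 255.255.255.0 host 10.10.10.5 eq 443
access-list PARTNER-IDFW extended deny ip any any

! Option 1: stop decrypted VPN traffic from bypassing the interface ACL, then apply the
! identity ACL inbound on outside. This ACL now governs all inbound traffic on that
! interface (VPN and non-VPN), so merge it with any existing outside ACL.
no sysopt connection permit-vpn
access-group PARTNER-IDFW in interface outside

! Option 2: keep the default bypass and attach the identity ACL as a VPN filter on the
! group policy used by this peer's L2L tunnel-group. For a vpn-filter ACL the source
! is the remote network and the destination is the local network, as written above.
group-policy PARTNER-L2L-GP internal
group-policy PARTNER-L2L-GP attributes
 vpn-filter value PARTNER-IDFW
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER-L2L-GP
```

Either option only matches a user or user-group ACE when the ASA already holds a user-to-IP mapping for the remote host; verify with show user-identity ip-of-user before relying on the deny.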