ASA TrustSec Configuration

In this blog post I'll go over configuring the ASA for TrustSec. This covers the native ASA code - not Firepower; I'll cover Firepower separately in later blog posts. Specifically, I'll walk through the TrustSec configuration, SXP, and writing SGACLs for the ASA. I'll mostly use the ASDM to keep things a little easier and simpler to follow along with.

The first thing I'm going to do is log into ISE, navigate to Administration>Network Devices, and click Add if you haven't already added the ASA to ISE (if you have, open the existing entry). Check the box next to TrustSec and fill in the TrustSec settings: check the box for Use Device ID for TrustSec, enter a password, check the box next to Other TrustSec devices to trust this device, and check the box next to Send configuration changes to device:

Under PAC information, click the Generate PAC button and a pop-up window will appear. Choose an encryption key that is at least 8 characters long and download the PAC:

Click Submit when done.

Log into the ASDM on the ASA and navigate to Configuration>Firewall>Identity by TrustSec:

Click the Manage button next to the Server Group Name and add ISE as a RADIUS server:

Click Add under Servers in the Selected Group and add the following:

Close out this window and you'll be back to the Configuration>Firewall>Identity by TrustSec window. In the drop-down, choose the new server group you created:

Click on Import PAC and import the PAC you downloaded from ISE:

Click Apply at the bottom.

Navigate to Monitoring>Properties>Identity by TrustSec>PAC in the ASDM where you should now be able to view your PAC information:

Navigate to Monitoring>Properties>Identity By TrustSec>Environmental Data to verify the SGTs have been downloaded:

Navigate to Configuration>Device Setup>Interfaces and click Edit on the inside interface. Check the boxes for Enable secure group tagging for Cisco TrustSec, Tag egress packets with secure group tags, and Assign a static secure group tag to all ingress packets, and select a tag number to use.

Click OK and then Apply.

Do the same for Management1/1.

Navigate back to Configuration>Firewall>Identity By TrustSec and check the box for Enable SGT Exchange Protocol (SXP). In the Default Source box, enter the inside interface's IP address and enter a default password to use for SXP:

Click Add to add ISE as the connection peer:

Click Apply when finished.

In ISE, navigate to Work Centers>TrustSec>SXP and click Add. Add the ASA as an SXP device:

After clicking Save, you should see the peer status as On:

Back in the ASDM, navigate to Monitoring>Properties>Identity By TrustSec>SXP Connections to view the established connection on this side as well:

Navigate to Monitoring>Properties>Identity By TrustSec>IP Mappings to view all the IP-SGT mappings (if any):

If you would like to create firewall rules based on SGTs, navigate to Configuration>Firewall>Access Rules and click New. In this case, I'm going to create a rule stating that the Blacklist tag cannot communicate with any host or any other tag:

Click Apply. You can also create a more specific rule in the ASDM to block someone from accessing something specific, just to test it out. In this case, I'm going to block Domain Admins from sending ICMP traffic to the Unknown tag:

You can test this ACL by logging in as a Domain Admin and trying to ping something on the internet. The ping should be denied.
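For reference, here is the ASA CLI equivalent of the ASDM steps above, as an added example that is not from the original post. The IP addresses, interface name, PAC filename, SGT number and SGT names (Blacklist, Domain_Admins, Unknown) are constructed placeholders; substitute the values from your own ISE environment data, and verify the result with `show cts pac`, `show cts environment-data`, `show cts sxp connections` and `show cts sgt-map`.

```cisco
! RADIUS server group pointing at ISE (address and key are constructed placeholders)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key <radius-shared-secret>
!
! Tell TrustSec which server group to use, then import the PAC downloaded from ISE
cts server-group ISE
cts import-pac disk0:/asa.pac password <pac-encryption-key>
!
! Enable SXP: the inside interface IP is the default source, with a default password,
! and ISE is the peer (the ASA listens for IP-SGT mappings from ISE)
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password <sxp-password>
cts sxp connection peer 10.0.0.10 password default mode local listener
!
! Inline tagging on the inside interface: tag egress packets and statically
! assign SGT 2 to all ingress packets (repeat for Management1/1 as in the post)
interface GigabitEthernet0/1
 nameif inside
 cts manual
  propagate sgt
  policy static sgt 2 trusted
!
! SGACLs matching the two ASDM rules: Blacklist talks to nothing, and
! Domain_Admins may not send ICMP to hosts carrying the Unknown tag
access-list inside_access_in extended deny ip security-group name Blacklist any any
access-list inside_access_in extended deny icmp security-group name Domain_Admins any security-group name Unknown any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
```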