ASA 5505 and ISE

Hi, Wishing you all the best in the New Year!

I have a situation and need some advice.  I have a client who deployed an ASA 5505 as an Easy VPN hardware client (NEM mode) at a remote location, and it is working great.  The client would like to lock down the built-in switchports to prevent issues when people plug random devices in, to keep them off the network. 

One thing that comes to mind is dot1x, but the ASA and its built-in switchports do not support the dot1x feature, so an external Cisco switch would be needed.  I would prefer not to add an external device to the ASA 5505 if possible.  What are the other options?  Locking down authorized user PCs by MAC address works, but it is not flexible since users may be roaming around.  I am thinking of posturing; can ISE support this, and how would it integrate with the ASA?  Any suggestions are appreciated. Thanks


  • Hey mate.

    Dot1x would be a good use case in this situation. I think ISE is a rather drastic solution if you are wanting to lock down just a few machines, considering the operating system and hardware costs.  With that being said, are you concerned with devices that plug into the ASA5505 itself, or with people plugging devices in on the end of existing runs (i.e. asa----pc becomes asa------rogue laptop)?

    There are a few things you can do.

    1) Shutdown the interfaces not being used.
    This would work if end points are semi static. 


    ASA-1(config)# int e0
    ASA-1(config-if)# shutdown

    2) Assign to a dead security zone.
    This would work because by default it cannot communicate with anyone else. New ports would be switched over as required. 

    ASA-1(config)# int e0
    ASA-1(config-if)# nameif BLACKHOLE

    3) Direct Authentication

    This would require users to "log in" to the ASA to be allowed access.

    username cisco password cisco privilege 15
    access-list authmatch permit tcp any any eq 3389
    access-list authmatch permit tcp any host <asa-inside-ip> eq 5555
    aaa authentication match authmatch inside LOCAL
    aaa authentication listener http inside port 5555

    4) Outbound ACL

    This could allow the specified ranges or hosts through and then block all others. It sounds like it is a small branch, so defining the hosts would be a task at first but rather static afterwards.

    ASA-1(config)# access-list OUTSIDE extended deny tcp host <host-ip> any eq www
    ASA-1(config)# access-group OUTSIDE out interface outside
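    Below is an added, self-contained ASA 5505 configuration example (not posted by either participant above) that combines options 1, 2 and 4 into one lockdown for the branch switchports: unused built-in ports are parked in an otherwise unused VLAN and shut down, and an inbound ACL on the inside VLAN lets only the listed PCs out while logging everything else. The interface numbers, VLAN number, object-group name and the 192.0.2.x addresses are constructed placeholders; replace them with the branch's real values. It assumes the ASA's licence allows the extra VLAN interface (the base 5505 licence limits the number of named VLANs, and this parking VLAN is deliberately left unnamed so it forwards nothing).

    ```cisco
    ! --- Option 2: an unnamed "parking" VLAN for ports that are not in use ---
    ! A VLAN interface with no nameif, no security-level and no IP address
    ! cannot forward traffic anywhere, so anything plugged into a port in
    ! this VLAN is isolated. (VLAN 99 is a constructed example value.)
    interface Vlan99
     no nameif
     no security-level
     no ip address
    !
    ! --- Option 1: park and shut down every switchport that is not wired to a known PC ---
    ! (Ethernet0/0 is the outside uplink on a 5505; 0/1 stays as the single inside port here.)
    interface Ethernet0/2
     switchport access vlan 99
     shutdown
    !
    interface Ethernet0/3
     switchport access vlan 99
     shutdown
    !
    ! Repeat for Ethernet0/4 to 0/7 as required.
    !
    ! --- Option 4: only the authorised PCs may send traffic from the inside VLAN ---
    ! The inside VLAN (Vlan1 / nameif "inside") is assumed to already exist.
    ! Addresses below are constructed examples; list each authorised PC here.
    object-group network BRANCH-AUTHORIZED
     network-object host 192.0.2.10
     network-object host 192.0.2.11
    !
    ! Permit the known hosts, then deny and log everything else so a rogue
    ! device plugged into an open port shows up in the syslog for review.
    access-list INSIDE-IN extended permit ip object-group BRANCH-AUTHORIZED any
    access-list INSIDE-IN extended deny ip any any log
    access-group INSIDE-IN in interface inside
    ```

    Applying the ACL inbound on the inside interface (rather than outbound on outside, as in the reply above) means the check happens before traffic enters the Easy VPN tunnel, so an unauthorised device is dropped at the branch and never reaches the hub. The `log` keyword on the final deny is what makes a plugged-in rogue device visible: watch for the corresponding deny messages in the ASA syslog after the change.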

