SEC0063 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 2)


The video demonstrates Cisco TrustSec support on Cisco ASA 9.1 with Cisco ISE. This lab is based on a 3750 switch that is not TrustSec hardware-capable but is able to send its IP-to-SGT mappings to the ASA via the SGT Exchange Protocol (SXP). We will construct an ACL based on SGT using the new Security object group. Cisco ISE will mainly be used to provide user authentication, SGT assignment, and the SGT-to-Name mapping for the ASA, although we will also go over the remaining web interfaces for Security Group Access (SGA) and what you would need to configure to support a complete TrustSec implementation.

In part 2, we will configure SXP communication between the switch and the ASA, and integrate the ASA with Cisco ISE to download the SGT-to-Name mapping table. We will then construct an ACL on the ASA and perform testing.


  • Security Group Access (SGA)
  • Security Group ACL (SGACL)
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)
  • SGT-to-Name Mapping
  • Cisco TrustSec support on ASA 9.1
  • SXP Config on a Switch and ASA
  • Security Object Group


  • SXP uses TCP port 64999, so it can work across multiple hops
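As an added configuration example (not the lab document itself, which requires login), this is how the SXP peering, the ISE integration and the SGT-based ACL outlined above fit together on the ASA and the 3750. The Network_Admin group and SGT 100 come from the comment thread on this page; the IP addresses, object and ACL names, and passwords are placeholders I have assumed.

```text
! ASA 9.1: enable SXP and act as listener for IP-to-SGT mappings from the 3750
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp default source-ip 10.0.0.1
cts sxp connection peer 10.0.0.2 password default mode local listener
!
! ASA 9.1: RADIUS server group pointing at ISE, used by CTS to download the SGT-to-Name table
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key RADIUS_KEY_PLACEHOLDER
cts server-group ISE
!
! Security object group, resolved against the SGT-to-Name table downloaded from ISE
object-group security SG_NETWORK_ADMIN
 security-group name Network_Admin
 security-group tag 100
!
! SGT-aware ACL: only hosts tagged Network_Admin (SGT 100) may reach web servers.
! The untagged SYN-ACK returning from the server needs no rule of its own; it is
! admitted by the ASA's stateful connection table, as the comment thread notes.
access-list INSIDE_IN extended permit tcp object-group-security SG_NETWORK_ADMIN any any eq www
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! 3750 (IOS) side: SXP speaker that pushes its IP-to-SGT mappings to the ASA
cts sxp enable
cts sxp default password SXP_PASSWORD_PLACEHOLDER
cts sxp default source-ip 10.0.0.2
cts sxp connection peer 10.0.0.1 password default mode local speaker
!
! Verification on the ASA once both sides are configured
show cts sxp connections
show cts sxp sgt-map
show cts environment-data sg-table
```

The SXP session is only as trustworthy as its shared password and the switch behind it, so the listener side should not accept peers beyond the ones explicitly configured.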


Cisco TrustSec

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hello Metha,
How would TrustSec fit in a network with no ASA? I have only Palo as my FW. Would I still be able to implement Cisco TrustSec even without an ASA? I currently have ISE in my network doing the guest and BYOD wireless auth.


TrustSec is specific to Cisco products, and to our knowledge, no other vendor integrates with it, certainly not Palo.

Thanks Metha! Just to share some info from the ISE community as well: they say it can partially be done without a Cisco ASA, though a switch can be incorporated.

Correct. The switch is the integral part of Cisco TrustSec, and we have videos on those. Thank you for sharing.

Hello Metha,
For the connection Network_Admin - HTTP server on the Internet, is the ASA FW stateful for tagged traffic? I can see the SYN is tagged with 100, but the SYN_ACK from the HTTP server is untagged, and there is no policy for untagged traffic, so how can Network_Admin get access to the web? I know the ASA is stateful for TCP/IP. PLEASE HELP.

Once the tagged traffic is permitted by the FW, the return traffic is automatically allowed due to the statefulness of the FW.

Thank you.
For the same connection Network_Admin - HTTP server on the Internet, after passing the FW, the untagged SYN_ACK from the HTTP server hits SW1. Because the default policy of the SGT matrix in ISE is to permit all, this SYN_ACK is able to pass SW1 to user admin1.
Is my thinking correct? PLEASE HELP.