The ASA CX module might be a hardware module or a software module, depending on your ASA model. For ASA model software and hardware compatibility with the ASA CX module, see Cisco ASA Compatibility at http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.
The ASA CX module runs an application that is separate from the ASA. Configuring the ASA CX module requires two parts: the ASA CX policy configuration, using Cisco Prime Security Manager (PRSM); and the ASA policy for redirecting traffic to the ASA CX module, using ASDM.
The ASA CX module might include an external management interface (and console port) so you can connect to the ASA CX module directly; if it does not have a management interface, you can connect to the ASA CX module through the ASA interface. Any other interfaces on the ASA CX module, if available for your model, are used for ASA traffic only.
Traffic undergoes the firewall checks on the ASA before being forwarded to the ASA CX module. When you identify traffic for ASA CX inspection on the ASA, traffic flows through the ASA and the ASA CX module as described in the following steps:
The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
In addition to providing management access to the ASA CX module, the ASA CX management interface needs access to an HTTP proxy server or a DNS server and the Internet for signature updates and more. This section describes recommended network configurations. Your network may differ.
If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. Because the ASA CX module is a separate device from the ASA, you can configure the ASA CX Management 1/0 address to be on the same network as the inside interface.
If you have an inside router, you can route between the Management 0/0 network, which includes both the ASA and ASA CX management IP addresses, and the inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the ASA CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
Note You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the ASA CX address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA CX address can be on any network, for example, the ASA inside network.
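The placement rule in the note above (and the two network layouts described before it) is easy to get wrong when the ASA has several named interfaces. The following Python checker is an added example, not Cisco code: it takes a constructed table of ASA interfaces (interface name, the ASA-configured `nameif`, and the ASA address/mask) and a proposed ASA CX management address, and reports whether that address is allowed. If Management 0/0 still has a name, the ASA CX address must sit on that interface's network and not on a network already configured on another ASA interface; if the name was removed, any network (for example the inside network) is acceptable. The address-collision check against the ASA's own addresses is an extra sanity check added here, not something the note states. The interface names and addresses are invented sample data.

```python
"""Check where an ASA CX management address may sit relative to the ASA's own
interfaces. Added example, not Cisco's code; all interface data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AsaInterface:
    ifname: str                                 # e.g. "Management0/0", "GigabitEthernet0/1"
    nameif: Optional[str]                       # ASA-configured name, None if removed
    address: Optional[ipaddress.IPv4Interface]  # ASA address/mask on that interface


def check_cx_management_placement(cx_mgmt: str,
                                  asa_ifaces: List[AsaInterface],
                                  mgmt_ifname: str = "Management0/0") -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed ASA CX management address/prefix.

    Rule from the note: while Management 0/0 keeps its ASA name, the CX address
    must be on that interface's network, and that excludes any network already
    configured on another ASA interface. With the name removed, the CX is treated
    as a separate device and may be on any network, e.g. the inside network.
    """
    cx = ipaddress.ip_interface(cx_mgmt)
    mgmt = next((i for i in asa_ifaces if i.ifname == mgmt_ifname), None)
    name_kept = mgmt is not None and mgmt.nameif is not None and mgmt.address is not None

    if not name_kept:
        # Name removed: any network is fine; only guard against an IP collision
        # with an ASA address (added sanity check, not part of the note).
        for i in asa_ifaces:
            if i.address is not None and i.address.ip == cx.ip:
                return False, f"{cx.ip} collides with the ASA address on {i.ifname}"
        return True, f"{cx.with_prefixlen} may be on any network (no name on {mgmt_ifname})"

    # Name kept: the CX network must not be one configured on another ASA interface ...
    for i in asa_ifaces:
        if i is mgmt or i.nameif is None or i.address is None:
            continue
        if i.address.network.overlaps(cx.network):
            return False, f"{cx.network} is already configured on {i.ifname} ({i.nameif})"
    # ... and must be the Management 0/0 network itself.
    if cx.network != mgmt.address.network:
        return False, (f"{cx.with_prefixlen} is not on the ASA {mgmt_ifname} network "
                       f"{mgmt.address.network}")
    if cx.ip == mgmt.address.ip:
        return False, f"{cx.ip} collides with the ASA's own {mgmt_ifname} address"
    return True, f"{cx.with_prefixlen} shares the ASA {mgmt_ifname} network {mgmt.address.network}"


# Constructed sample interface tables (hypothetical addresses, not from the page).
NAMED_MGMT = [
    AsaInterface("Management0/0", "management", ipaddress.ip_interface("192.168.1.1/24")),
    AsaInterface("GigabitEthernet0/1", "inside", ipaddress.ip_interface("10.1.1.1/24")),
    AsaInterface("GigabitEthernet0/0", "outside", ipaddress.ip_interface("203.0.113.2/24")),
]
UNNAMED_MGMT = [
    AsaInterface("Management0/0", None, None),  # name removed from Management 0/0
    AsaInterface("GigabitEthernet0/1", "inside", ipaddress.ip_interface("10.1.1.1/24")),
    AsaInterface("GigabitEthernet0/0", "outside", ipaddress.ip_interface("203.0.113.2/24")),
]

if __name__ == "__main__":
    cases = [
        ("separate management network", NAMED_MGMT, "192.168.1.2/24"),
        ("CX on inside network, name kept", NAMED_MGMT, "10.1.1.2/24"),
        ("CX on inside network, name removed", UNNAMED_MGMT, "10.1.1.2/24"),
    ]
    for label, table, cx_addr in cases:
        ok, why = check_cx_management_placement(cx_addr, table)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {why}")
```

The second case is the one the note warns about: with the name still on Management 0/0, an ASA CX address on the inside network is rejected because that network is already configured on another ASA interface; removing the name (third case) makes the same address acceptable.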
The default ASA configuration lets you connect to the default management IP address (192.168.1.1). Depending on your network, you might need to change the ASA management IP address, or even configure additional ASA interfaces for ASDM access (see the “Connecting the ASA CX Management Interface” section). For the ASA 5512-X through ASA 5555-X, if you do not have a separate management network (see the “If you do not have an inside router” section), you need to configure an inside interface for management, and you need to remove the name from the Management 0/0 interface. To change interface and management settings, see the ASA configuration guide.
If you cannot use the default management IP address, then you can set the management IP address from the ASA. After you set the management IP address, you can access the ASA CX module using SSH to perform initial setup.
Note For a software module, you can access the ASA CX CLI to perform setup by sessioning from the ASA CLI; you can then set the ASA CX management IP address as part of setup. See the “Configuring Basic ASA CX Settings at the ASA CX CLI” section.
Step 3 Enter the new management IP address, subnet mask, and default gateway. See the “Connecting the ASA CX Management Interface” section to understand the requirements for your network.
If you purchase the ASA with the ASA CX module, the module software and solid state drive(s) (SSDs) come pre-installed and ready to go. If you want to add the ASA CX to an existing ASA, or need to replace the SSD, you need to install the ASA CX boot software and partition the SSD according to this procedure. Only Cisco SSDs are supported. To physically install the SSD, see the ASA hardware guide.
Step 2 Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA CX management interface. If you have a Cisco.com login, you can obtain the system software from the following website:
Step 3 In ASDM, choose Tools > File Management, and then choose File Transfer > Between Local PC and Flash. Transfer the boot software to disk0 on the ASA. Do not transfer the system software; it is downloaded later to the SSD.
Step 8 Wait approximately 5 minutes for the ASA CX module to boot up, and then open a console session to the now-running ASA CX boot image. The default username is admin and the default password is Admin123.
Step 10 Perform the basic network setup using the setup command according to the “Configuring Basic ASA CX Settings at the ASA CX CLI” section (do not exit the ASA CX CLI), and then return to this procedure to install the software image.
Step 11 Install the system software from the HTTP, HTTPS, or FTP server where you copied the system software (see Step 2):
Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state.
Step 4 After you complete the final prompt, you are presented with a summary of the settings. Look over the summary to verify that the values are correct, and enter Y to apply your changed configuration. Enter N to cancel your changes.
Note When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information.
If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a directory realm for authentication on the ASA CX module. See the ASA CX user guide for more information.
If you have an active service policy redirecting traffic to an IPS module (that you replaced with the ASA CX), you must remove that policy before you configure the ASA CX service policy.
Step 9 In the If ASA CX Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA CX module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.
This section describes how to launch PRSM to configure the ASA CX module application. For details on using PRSM to configure your ASA CX security policy, see the following ASA CX documentation roadmap: http://www.cisco.com/en/US/docs/security/asacx/roadmap/asacxprsmroadmap.html.
Note If you do not configure any policies on the ASA CX, all traffic redirected to the ASA CX will be allowed by default, and you can view the various reports in the ASA CX web interface to analyze the traffic.
Where the ASA CX management IP address is the one you set in the “Configuring Basic ASA CX Settings at the ASA CX CLI” section.
- For detailed information about managing the ASA CX module from the ASA, see the ASA CX chapter in the firewall configuration guide: