Chapter 18
ASA CX Module
This chapter describes how to configure the ASA CX module that runs on the ASA.
• The ASA CX Module, page 18-1
• Licensing Requirements for the ASA CX Module, page 18-6
• Prerequisites for ASA CX, page 18-6
• Guidelines for ASA CX, page 18-6
• Defaults for ASA CX, page 18-8
• Configure the ASA CX Module, page 18-8
• Managing the ASA CX Module, page 18-19
• Monitoring the ASA CX Module, page 18-21
• Troubleshooting Problems with the Authentication Proxy, page 18-23
• History for the ASA CX Module, page 18-24
The ASA CX Module
The ASA CX module lets you enforce security based on the full context of a situation. This context
includes the identity of the user (who), the application or website that the user is trying to access (what),
the origin of the access attempt (where), the time of the attempted access (when), and the properties of
the device used for the access (how). With the ASA CX module, you can extract the full context of a
flow and enforce granular policies such as permitting access to Facebook but denying access to games
on Facebook, or permitting finance employees access to a sensitive enterprise database but denying the
same access to other employees.
• How the ASA CX Module Works with the ASA, page 18-2
• ASA CX Management Access, page 18-4
• Authentication Proxy for Active Authentication, page 18-5
• Compatibility with ASA Features, page 18-5
Cisco ASA Series Firewall ASDM Configuration Guide
How the ASA CX Module Works with the ASA
The ASA CX module runs a separate application from the ASA. The module can be a hardware module
(on the ASA 5585-X) or a software module (5512-X through 5555-X). As a hardware module, the device
includes separate management and console ports, and extra data interfaces that are used directly by the
ASA and not by the module itself.
You can configure your device in either a normal inline mode or in monitor-only mode for demonstration
purposes.
• In an inline deployment, the actual traffic is sent to the device, and the device’s policy affects what happens to the traffic. After dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission.
• In a monitor-only deployment, a copy of the traffic is sent to the device, but it is not returned to the ASA. Monitor-only mode lets you see what the device would have done to traffic without impacting the network. You can configure this mode using a monitor-only service policy or a traffic forwarding interface. For guidelines and limitations for monitor-only mode, see Guidelines for ASA CX, page 18-6.
The following sections explain these modes in more detail.
ASA CX Normal Inline Mode
In normal inline mode, traffic goes through the firewall checks before being forwarded to the ASA CX
module. When you identify traffic for ASA CX inspection on the ASA, traffic flows through the ASA
and the ASA CX module as follows:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA CX module.
5. The ASA CX module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA CX module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA
CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is
forwarded through the ASA.
Figure 18-1 ASA CX Module Traffic Flow in the ASA
[Figure: the ASA main system (VPN decryption, firewall policy) sits between the outside and inside interfaces; diverted traffic goes to ASA CX inspection, which blocks the disallowed traffic and returns the rest to the ASA.]
Service Policy in Monitor-Only Mode
For testing and demonstration purposes, you can configure the ASA to send a duplicate stream of
read-only traffic to the ASA CX module, so you can see how the module inspects the traffic without
affecting the ASA traffic flow. In this mode, the ASA CX module inspects the traffic as usual, makes
policy decisions, and generates events. However, because the packets are read-only copies, the module
actions do not affect the actual traffic. Instead, the module drops the copies after inspection. The
following figure shows the ASA CX module in monitor-only mode.
Figure 18-2 ASA CX Monitor-Only Mode
[Figure: the ASA main system (VPN decryption, firewall policy) forwards traffic between outside and inside as usual; a copy of the traffic is sent to ASA CX inspection and is not returned.]
Traffic-Forwarding Interface in Monitor-Only Mode
You can alternatively configure ASA interfaces to be traffic-forwarding interfaces, where all traffic
received is forwarded directly to the ASA CX module without any ASA processing. For testing and
demonstration purposes, traffic-forwarding removes the extra complication of ASA processing.
Traffic-forwarding is only supported in monitor-only mode, so the ASA CX module drops the traffic
after inspecting it. The following figure shows the ASA GigabitEthernet 0/3 interface configured for
traffic-forwarding. That interface is connected to a switch SPAN port so the ASA CX module can inspect
all of the network traffic.
Figure 18-3 ASA CX Traffic-Forwarding
[Figure: Gig 0/2 is the outside interface and passes through the ASA main system (VPN decryption, firewall policy) to inside; Gig 0/3 is connected to a switch SPAN port and forwards all received traffic over the backplane to ASA CX inspection.]
ASA CX Management Access
There are two separate layers of access for managing an ASA CX module: initial configuration (and
subsequent troubleshooting) and policy management.
• Initial Configuration, page 18-4
• Policy Configuration and Management, page 18-5
Initial Configuration
For initial configuration, you must use the CLI on the ASA CX module to run the setup command and
configure other optional settings.
To access the CLI, you can use the following methods:
• ASA 5585-X:
  – ASA CX console port—The ASA CX console port is a separate external console port.
  – ASA CX Management 1/0 interface using SSH—You can connect to the default IP address (192.168.8.8), or you can use ASDM to change the management IP address and then connect using SSH. The ASA CX management interface is a separate external Gigabit Ethernet interface.
Note
You cannot access the ASA CX hardware module CLI over the ASA backplane using the session command.
• ASA 5512-X through ASA 5555-X:
  – ASA session over the backplane—If you have CLI access to the ASA, then you can session to the module and access the module CLI.
  – ASA CX Management 0/0 interface using SSH—You can connect to the default IP address (192.168.1.2), or you can use ASDM to change the management IP address and then connect using SSH. These models run the ASA CX module as a software module. The ASA CX management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA CX module. You must perform
configuration of the ASA CX IP address within the ASA CX operating system (using the CLI
or ASDM). However, physical characteristics (such as enabling the interface) are configured on
the ASA. You can remove the ASA interface configuration (specifically the interface name) to
dedicate this interface as an ASA CX-only interface. This interface is management-only.
Policy Configuration and Management
After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security
Manager (PRSM). PRSM is both the name of the ASA CX configuration interface and the name of a
separate product for configuring ASA CX devices, Cisco Prime Security Manager.
Then configure the ASA policy for sending traffic to the ASA CX module using ASDM, the ASA CLI,
or PRSM in multiple-device mode.
Authentication Proxy for Active Authentication
You can configure identity policies on the ASA CX to collect user identity information for use in access
policies. The system can collect user identity either actively (by prompting for username and password
credentials) or passively (by retrieving information collected by AD Agent or Cisco Context Directory
Agent, CDA).
If you want to use active authentication, you must configure the ASA to act as an authentication proxy.
The ASA CX module redirects authentication requests to the ASA interface IP address/proxy port. The
default port is 885, but you can configure a different port.
To enable active authentication, you enable the authentication proxy as part of the service policy that
redirects traffic to ASA CX, as explained in Create the ASA CX Service Policy, page 18-17.
Compatibility with ASA Features
The ASA includes many advanced application inspection features, including HTTP inspection.
However, the ASA CX module provides more advanced HTTP inspection than the ASA provides, as well
as additional features for other applications, including monitoring and controlling application usage.
To take full advantage of the ASA CX module features, see the following guidelines for traffic that you
send to the ASA CX module:
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action.
• Other application inspections on the ASA are compatible with the ASA CX module, including the default inspections.
• Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA CX module.
• Do not enable ASA clustering; it is not compatible with the ASA CX module.
Licensing Requirements for the ASA CX Module
Licensing Requirements for the ASA CX Module
The ASA CX module and PRSM require additional licenses, which need to be installed in the module
itself rather than in the context of the ASA. The ASA itself requires no additional licenses. See the ASA
CX documentation for more information.
Prerequisites for ASA CX
To use PRSM to configure the ASA, you need to install a certificate on the ASA for secure
communications. By default, the ASA generates a self-signed certificate. However, this certificate can
cause browser prompts asking you to verify the certificate because the publisher is unknown. To avoid
these browser prompts, you can instead install a certificate from a known certificate authority (CA). If
you request a certificate from a CA, be sure the certificate type is both a server authentication certificate
and a client authentication certificate. See the general operations configuration guide for more
information.
Guidelines for ASA CX
Context Mode Guidelines
Starting with ASA CX 9.1(3), multiple context mode is supported.
However, the ASA CX module itself (configured in PRSM) is a single context mode device; the
context-specific traffic coming from the ASA is checked against the common ASA CX policy. Therefore,
you cannot use the same IP addresses in multiple contexts; each context must include unique networks.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in
transparent mode.
Failover Guidelines
Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred
to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.
Only new flows received by the new ASA are acted upon by the ASA CX module.
ASA Clustering Guidelines
Does not support clustering.
IPv6 Guidelines
• Supports IPv6.
• (9.1(1) and earlier) Does not support NAT 64. In 9.1(2) and later, NAT 64 is supported.
Model Guidelines
• Supported only on the ASA 5585-X and 5512-X through ASA 5555-X. See the Cisco ASA Compatibility Matrix for more information:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide.
Monitor-Only Mode Guidelines
Monitor-only mode is strictly for demonstration purposes and is not a normal operational mode for the
module.
• You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure monitor-only mode for some contexts, and regular inline mode for others.
• The following features are not supported in monitor-only mode:
  – Deny policies
  – Active authentication
  – Decryption policies
• The ASA CX does not perform packet buffering in monitor-only mode, and events will be generated on a best-effort basis. For example, some events, such as ones with long URLs spanning packet boundaries, may be impacted by the lack of buffering.
• Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in monitor-only mode, or both in normal inline mode.
Additional guidelines for traffic-forwarding interfaces:
• The ASA must be in transparent mode.
• You can configure up to 4 interfaces as traffic-forwarding interfaces. Other ASA interfaces can be used as normal.
• Traffic-forwarding interfaces must be physical interfaces, not VLANs or BVIs. The physical interface also cannot have any VLANs associated with it.
• Traffic-forwarding interfaces cannot be used for ASA traffic; you cannot name them or configure them for ASA features, including failover or management-only.
• You cannot configure both a traffic-forwarding interface and a service policy for ASA CX traffic.
Additional Guidelines and Limitations
• See Compatibility with ASA Features, page 18-5.
• You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot later install other software on it.
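The compatibility guidelines (Compatibility with ASA Features, page 18-5) and the monitor-only and traffic-forwarding limits in this section are all visible in the ASA running configuration, so they can be checked before a change window rather than discovered when the module is put inline. The following Python script is an added example, not part of this guide or of any Cisco tool: it parses a constructed configuration excerpt and reports each guideline it finds violated. The cxsc, traffic-forward cxsc monitor-only, inspect scansafe, cluster group and cxsc auth-proxy port keywords are assumed from the ASA CLI syntax; this ASDM chapter does not show them, so confirm them against the command reference for your release.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config (not from the page). The cxsc, traffic-forward, inspect scansafe,
# cluster group and cxsc auth-proxy keywords are assumed from the ASA CLI syntax.
SAMPLE_CONFIG = """\
firewall transparent
cluster group cx-lab
interface GigabitEthernet0/3
 traffic-forward cxsc monitor-only
interface GigabitEthernet0/4
 nameif dmz
 traffic-forward cxsc monitor-only
policy-map global_policy
 class cx-web
  inspect http
  inspect scansafe
  cxsc fail-open auth-proxy
 class cx-mon
  cxsc fail-open monitor-only
service-policy global_policy global
cxsc auth-proxy port 1000
"""


@dataclass
class AsaConfig:
    transparent: bool = False
    clustered: bool = False
    auth_proxy_port: int = 885                      # default from this chapter
    interfaces: dict = field(default_factory=dict)  # name -> {"nameif": str|None, "traffic_forward": bool}
    classes: dict = field(default_factory=dict)     # "policy/class" -> list of action lines


def parse_config(text):
    """Indentation-aware parser for just the lines the checks below need."""
    cfg = AsaConfig()
    iface = policy = cls = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        words = line.split()
        if indent == 0:                             # top-level command: leave any sub-mode
            iface = policy = cls = None
            if words[0] == "interface":
                iface = words[1]
                cfg.interfaces[iface] = {"nameif": None, "traffic_forward": False}
            elif words[0] == "policy-map" and len(words) == 2:
                policy = words[1]
            elif line == "firewall transparent":
                cfg.transparent = True
            elif line.startswith("cluster group "):
                cfg.clustered = True
            elif line.startswith("cxsc auth-proxy port "):
                cfg.auth_proxy_port = int(words[-1])
        elif iface is not None:
            if words[0] == "nameif":
                cfg.interfaces[iface]["nameif"] = words[1]
            elif line.strip().startswith("traffic-forward cxsc"):
                cfg.interfaces[iface]["traffic_forward"] = True
        elif policy is not None:
            if words[0] == "class":
                cls = f"{policy}/{words[1]}"
                cfg.classes.setdefault(cls, [])
            elif cls is not None:
                cfg.classes[cls].append(line.strip())
    return cfg


def check_config(text):
    """Return the ASA CX guideline violations found in an ASA running-config."""
    cfg = parse_config(text)
    findings = []
    if cfg.clustered:
        findings.append("ASA clustering is configured; it is not compatible with the ASA CX module")
    cx_classes = {n: a for n, a in cfg.classes.items() if any(x.startswith("cxsc ") for x in a)}
    for name, actions in cx_classes.items():
        if any(x.startswith("inspect http") for x in actions):
            findings.append(f"{name}: remove inspect http; the ASA CX module performs HTTP inspection")
        if any(x.startswith("inspect scansafe") for x in actions):
            findings.append(f"{name}: Cloud Web Security inspection is skipped when cxsc is applied")
    modes = {"monitor-only" in x for a in cx_classes.values() for x in a if x.startswith("cxsc ")}
    if len(modes) > 1:
        findings.append("service policy mixes monitor-only and inline cxsc actions; only one mode is allowed")
    fwd = [n for n, i in cfg.interfaces.items() if i["traffic_forward"]]
    if fwd and not cfg.transparent:
        findings.append("traffic-forwarding interfaces require transparent firewall mode")
    if len(fwd) > 4:
        findings.append(f"{len(fwd)} traffic-forwarding interfaces configured; the limit is 4")
    for n in fwd:
        if cfg.interfaces[n]["nameif"]:
            findings.append(f"{n}: a traffic-forwarding interface cannot be named (nameif {cfg.interfaces[n]['nameif']})")
        if not re.fullmatch(r"(Gigabit|Ten)?Ethernet\d+/\d+", n):
            findings.append(f"{n}: a traffic-forwarding interface must be a physical port, not a subinterface, VLAN or BVI")
    if fwd and cx_classes:
        findings.append("a traffic-forwarding interface and a cxsc service policy cannot both be configured")
    if cfg.auth_proxy_port != 885 and cfg.auth_proxy_port <= 1024:
        findings.append(f"auth proxy port {cfg.auth_proxy_port}: a non-default port must be higher than 1024")
    return findings
```

Run check_config over the text of show running-config; the sample above deliberately trips seven of the checks (clustering, HTTP and ScanSafe inspection on the redirected class, mixed monitor-only and inline actions, a named traffic-forwarding interface, traffic forwarding combined with a service policy, and a low non-default proxy port). The parser only understands the handful of commands the checks need, so extend it before relying on it for anything else.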
Defaults for ASA CX
Defaults for ASA CX
The following table lists the default settings for the ASA CX module.
Table 18-1 Default Network Parameters
Parameter               Default
Management IP address   ASA 5585-X: Management 1/0, 192.168.8.8/24
                        ASA 5512-X through ASA 5555-X: Management 0/0, 192.168.1.2/24
Gateway                 ASA 5585-X: 192.168.8.1/24
                        ASA 5512-X through ASA 5555-X: 192.168.1.1/24
SSH or session username admin
Password                Admin123
Configure the ASA CX Module
Configuring the ASA CX module is a process that includes configuration of the ASA CX security policy
on the ASA CX module and then configuration of the ASA to send traffic to the ASA CX module. To
configure the ASA CX module, perform the following steps:
Step 1
Connect the ASA CX Management Interface, page 18-9. Cable the ASA CX management interfaces and
optionally, the console interface.
Step 2
(ASA 5512-X through ASA 5555-X) Install or Reimage the Software Module, page 18-11.
Step 3
(ASA 5585-X) Change the ASA CX Management IP Address, page 18-14, if necessary. This might be
required for initial SSH access.
Step 4
Configure Basic ASA CX Settings, page 18-14. You do this on the ASA CX module.
Step 5
Configure the Security Policy on the ASA CX Module, page 18-16.
Step 6
(Optional.) Configure the Authentication Proxy Port, page 18-16
Step 7
Redirect Traffic to the ASA CX Module, page 18-16.
Connect the ASA CX Management Interface
In addition to providing management access to the ASA CX module, the ASA CX management interface
needs access to an HTTP proxy server or a DNS server and the Internet for signature updates and more.
This section describes recommended network configurations. Your network may differ.
ASA 5585-X (Hardware Module)
The ASA CX module includes a separate management and console interface from the ASA. For initial
setup, you can connect with SSH to the ASA CX Management 1/0 interface using the default IP address
(192.168.8.8/24). If you cannot use the default IP address, you can either use the console port or use
ASDM to change the management IP address so you can use SSH.
[Figure: ASA 5585-X with ASA CX SSP. The ASA CX Management 1/0 port (default IP 192.168.8.8) is on the ASA CX SSP; the ASA Management 0/0 port (default IP 192.168.1.1) is on the ASA SSP.]
If you have an inside router
If you have an inside router, you can route between the management network, which can include both
the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for
Internet access. Be sure to also add a route on the ASA to reach the Management network through the
inside router.
[Figure: with an inside router, the management network holds the ASA Management 0/0 interface, the ASA CX Management 1/0 interface and the management PC; the router is both the ASA CX default gateway and the ASA gateway for Management, and routes to the inside network, the proxy or DNS server, and the Internet through the ASA outside interface.]
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network, which
would require an inside router to route between the networks. In this case, you can manage the ASA from
the inside interface instead of the Management 0/0 interface. Because the ASA CX module is a separate
device from the ASA, you can configure the ASA CX Management 1/0 address to be on the same
network as the inside interface.
[Figure: without an inside router, a Layer 2 switch on the inside network connects the ASA inside interface (the ASA CX default gateway), the ASA CX Management 1/0 interface, the management PC and the proxy or DNS server; ASA Management 0/0 is not used.]
ASA 5512-X through ASA 5555-X (Software Module)
These models run the ASA CX module as a software module, and the ASA CX management interface
shares the Management 0/0 interface with the ASA. For initial setup, you can connect with SSH to the
ASA CX default IP address (192.168.1.2/24). If you cannot use the default IP address, you can either
session to the ASA CX over the backplane or use ASDM to change the management IP address so you
can use SSH.
[Figure: ASA 5545-X. The shared Management 0/0 port carries the ASA CX management address (default IP 192.168.1.2) and the ASA management address (default IP 192.168.1.1).]
If you have an inside router
If you have an inside router, you can route between the Management 0/0 network, which includes both
the ASA and ASA CX management IP addresses, and the inside network for Internet access. Be sure to
also add a route on the ASA to reach the Management network through the inside router.
[Figure: with an inside router, the Management 0/0 network holds both the ASA and ASA CX management addresses and the management PC; the router is both the ASA CX default gateway and the ASA gateway for Management, and routes to the inside network, the proxy or DNS server, and the Internet through the ASA outside interface.]
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this
case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you
remove the ASA-configured name from the Management 0/0 interface, you can still configure the ASA
CX IP address for that interface. Because the ASA CX module is essentially a separate device from the
ASA, you can configure the ASA CX management address to be on the same network as the inside
interface.
[Figure: without an inside router, a Layer 2 switch on the inside network connects the ASA inside interface (the ASA CX default gateway), Management 0/0 (ASA CX only), the management PC and the proxy or DNS server.]
Note
You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the ASA CX address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA CX address can be on any network, for example, the ASA inside network.
(ASA 5512-X through ASA 5555-X) Install or Reimage the Software Module
If you purchase the ASA with the ASA CX module, the module software and required solid state drives
(SSDs) come pre-installed and ready to go. If you want to add the ASA CX to an existing ASA, or need
to replace the SSD, you need to install the ASA CX boot software and partition the SSD according to
this procedure. To physically install the SSD, see the ASA hardware guide.
Reimaging the module is the same procedure, except you should first uninstall the ASA CX module. You
would reimage a system if you replace an SSD.
Note
For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA
CX module. See the ASA CX module documentation for more information.
Before You Begin
• The free space on flash (disk0) should be at least 3GB plus the size of the boot software.
• In multiple context mode, perform this procedure in the system execution space.
• You must shut down any other software module that you might be running; the device can run a single software module at a time. You must do this from the ASA CLI. For example, the following commands shut down and uninstall the IPS software module, and then reload the ASA.
hostname# sw-module module ips shutdown
hostname# sw-module module ips uninstall
hostname# reload
Note
If you have an active service policy redirecting traffic to an IPS module, you must remove that policy. For example, if the policy is a global one, you would use no service-policy ips_policy global. You can remove the policies using CLI or ASDM.
• When reimaging the module, use the same shutdown and uninstall commands to remove the old image. For example, sw-module module cxsc uninstall.
• Obtain both the ASA CX Boot Image and System Software packages from Cisco.com:
http://software.cisco.com/download/type.html?mdfid=284325223&flowid=34503.
Procedure
Step 1
Download the boot image to the device. Do not transfer the system software; it is downloaded later to
the SSD. You have the following options:
• ASDM—First, download the boot image to your workstation, or place it on an FTP, TFTP, HTTP, HTTPS, SMB, or SCP server. Then, in ASDM, choose Tools > File Management, and then choose the appropriate File Transfer command, either Between Local PC and Flash or Between Remote Server and Flash. Transfer the boot software to disk0 on the ASA.
• ASA CLI—First, place the boot image on a TFTP, FTP, HTTP, or HTTPS server, then use the copy command to download it to flash. The following example uses TFTP; replace <TFTP Server> with your server’s IP address or host name.
ciscoasa# copy tftp://<TFTP SERVER>/asacx-5500x-boot-9.3.1.1-112.img disk0:/asacx-5500x-boot-9.3.1.1-112.img
Step 2
Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible
from the ASA CX management interface.
Step 3
Set the ASA CX module boot image location in ASA disk0 by entering the following command:
hostname# sw-module module cxsc recover configure image disk0:file_path
Note
If you get a message like “ERROR: Another service (ips) is running, only one service is allowed
to run at any time,” it means that you already have a different software module configured. You
must shut it down and remove it to install a new module as described in the prerequisites section
above.
Example:
hostname# sw-module module cxsc recover configure image disk0:asacx-5500x-boot-9.3.1.1-112.img
Step 4
Load the ASA CX boot image by entering the following command:
hostname# sw-module module cxsc recover boot
Step 5
Wait approximately 5 minutes for the ASA CX module to boot up, and then open a console session to
the now-running ASA CX boot image. The default username is admin and the default password is
Admin123.
hostname# session cxsc console
Establishing console session with slot 1
Opening console session with module cxsc.
Connected to module cxsc. Escape character sequence is 'CTRL-SHIFT-6 then x'.
cxsc login: admin
Password: Admin123
Tip
If the module boot has not completed, the session command fails with a message about not being able to connect over ttyS1. Wait and try again.
Step 6
Partition the SSD:
asacx-boot> partition
....
Partition Successfully Completed
Step 7
Perform the basic network setup using the setup command according to Configure Basic ASA CX
Settings, page 18-14 (do not exit the ASA CX CLI), and then return to this procedure to install the
software image.
Step 8
Install the System Software image using the system install command:
system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP,
HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them.
When installation is complete, the system reboots, which closes the console session. Allow 10 or more
minutes for application component installation and for the ASA CX services to start. (The show module
cxsc output should show all processes as Up.)
The following command installs the asacx-sys-9.3.1.1-112.pkg system software.
asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.3.1.1-112.pkg
Username: buffy
Password: angelforever
Verifying
Downloading
Extracting
Package Detail
Description:     Cisco ASA CX 9.3.1.1-112 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [n]: Y
Warning: Please do not interrupt the process or turn off the system. Doing so might leave
system in unusable state.
Upgrading
Stopping all the services ...
Starting upgrade process ...
Reboot is required to complete the upgrade. Press Enter to reboot the system.
(ASA 5585-X) Change the ASA CX Management IP Address
If you cannot use the default management IP address (192.168.8.8), then you can set the management IP
address from the ASA. After you set the management IP address, you can access the ASA CX module
using SSH to perform initial setup.
Note
For a software module, you can access the ASA CX CLI to perform setup by sessioning from the ASA
CLI; you can then set the ASA CX management IP address as part of setup. See Configure Basic ASA
CX Settings, page 18-14.
To change the management IP address through the ASA, do one of the following. In multiple context
mode, perform this procedure in the system execution space.
• In the CLI, use the following command to set the ASA CX management IP address, mask, and gateway.
session 1 do setup host ip ip_address/mask,gateway_ip
For example, session 1 do setup host ip 10.1.1.2/24,10.1.1.1.
• (Single context mode only.) In ASDM, choose Wizards > Startup Wizard, and progress through the wizard to the ASA CX Basic Configuration, where you can set the IP address, mask, and default gateway. You can also set a different authentication proxy port if the default does not suit you.
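The placement rules for the module's management address (the Note on Management 0/0 under Connect the ASA CX Management Interface, and the session 1 do setup host ip command above) are easy to get wrong on a flat network, and a wrong answer here costs a console session to recover. The following Python script is an added example, not from this guide or from Cisco: it checks a proposed address and gateway against those rules using only the standard library, and builds the 5585-X command string in the syntax shown above. The rule that the gateway must lie inside the management network is an assumption, consistent with the Table 18-1 defaults; the model, mgmt_named and other_asa_nets parameters are names chosen for this example.

```python
import ipaddress


def check_cx_mgmt(cx_addr, cx_gateway, model, asa_mgmt_addr=None, mgmt_named=True, other_asa_nets=()):
    """Return a list of problems with a proposed ASA CX management address.

    cx_addr        ASA CX management address with prefix, e.g. "192.168.1.2/24"
    cx_gateway     ASA CX default gateway
    model          "hardware" (5585-X, separate Management 1/0) or
                   "software" (5512-X through 5555-X, Management 0/0 shared with the ASA)
    asa_mgmt_addr  the ASA's own Management 0/0 address with prefix (software module only)
    mgmt_named     True if Management 0/0 still has a name (nameif) on the ASA
    other_asa_nets networks configured on the other ASA interfaces, e.g. ["10.1.1.0/24"]
    """
    problems = []
    cx = ipaddress.ip_interface(cx_addr)
    gw = ipaddress.ip_address(cx_gateway)
    # Assumption: the gateway must be on the management network itself (the Table 18-1
    # defaults follow this: 192.168.8.8/24 with gateway 192.168.8.1).
    if gw not in cx.network:
        problems.append(f"gateway {gw} is not in the management network {cx.network}")
    elif gw == cx.ip:
        problems.append("gateway is the same as the ASA CX address")
    if model == "software" and mgmt_named:
        # Management 0/0 is still an ASA interface: the module address must share its
        # network, which rules out any network already used by another ASA interface.
        if asa_mgmt_addr is None:
            problems.append("Management 0/0 is named on the ASA; its ASA address is required for the check")
        else:
            asa = ipaddress.ip_interface(asa_mgmt_addr)
            if cx.network != asa.network:
                problems.append(f"Management 0/0 is named on the ASA, so the ASA CX address must be in {asa.network}")
            elif cx.ip == asa.ip:
                problems.append("ASA CX address collides with the ASA Management 0/0 address")
        for net in other_asa_nets:
            if cx.network.overlaps(ipaddress.ip_network(net)):
                problems.append(f"management network {cx.network} overlaps ASA interface network {net}; "
                                "remove the Management 0/0 name or pick another network")
    # Hardware module, or software module with the Management 0/0 name removed: the module
    # is a separate device and may sit on any network, including the inside network.
    return problems


def hardware_setup_command(cx_addr, cx_gateway):
    """Build the ASA-side command from this section that sets a 5585-X module's address."""
    problems = check_cx_mgmt(cx_addr, cx_gateway, model="hardware")
    if problems:
        raise ValueError("; ".join(problems))
    cx = ipaddress.ip_interface(cx_addr)
    return f"session 1 do setup host ip {cx.ip}/{cx.network.prefixlen},{cx_gateway}"


if __name__ == "__main__":
    # Constructed values: a software module left on the named Management 0/0 network (accepted),
    # then the same module moved onto the inside network without removing the name (rejected).
    print(check_cx_mgmt("192.168.1.2/24", "192.168.1.1", "software", asa_mgmt_addr="192.168.1.1/24"))
    print(check_cx_mgmt("10.1.1.5/24", "10.1.1.1", "software", asa_mgmt_addr="192.168.1.1/24",
                        other_asa_nets=["10.1.1.0/24"]))
    print(hardware_setup_command("10.1.1.2/24", "10.1.1.1"))
```

Passing mgmt_named=False for the second case returns no problems, which is the configuration the Note describes: once the ASA name is removed from Management 0/0, the module's address may live on the inside network. IPv6 management addresses work the same way because the ipaddress module handles both families.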
Configure Basic ASA CX Settings
You must configure basic network settings and other parameters on the ASA CX module before you can
configure your security policy. The ASA CX CLI is the only method for configuring these settings.
Procedure
Step 1
Do one of the following:
• (All models) Use SSH to connect to the ASA CX management IP address.
• (ASA 5512-X through ASA 5555-X) Open a console session to the module from the ASA CLI. In multiple context mode, session from the system execution space.
hostname# session cxsc console
Step 2
Log in with the username admin and the password Admin123. You will change the password as part of
this procedure.
Step 3
Enter the following command:
asacx> setup
Example:
asacx> setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside [ ]
You are prompted through the setup wizard. The following example shows a typical path through the
wizard; if you enter Y instead of N at a prompt, you will be able to configure some additional settings.
This example shows how to configure both IPv4 and IPv6 static addresses. You can configure IPv6
stateless auto configuration by answering N when asked if you want to configure a static IPv6 address.
Enter a hostname [asacx]: asa-cx-host
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n)[N]: N
Enter an IPv4 address [192.168.8.8]: 10.89.31.65
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 10.89.31.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: Y
Enter an IPv6 address: 2001:DB8:0:CD30::1234/64
Enter the gateway: 2001:DB8:0:CD30::1
Enter the primary DNS server IP address [ ]: 10.89.47.11
Do you want to configure Secondary DNS Server? (y/n) [N]: N
Do you want to configure Local Domain Name? (y/n) [N] Y
Enter the local domain name: example.com
Do you want to configure Search domains? (y/n) [N] Y
Enter the comma separated list for search domains: example.com
Do you want to enable the NTP service?(y/n) [N]: Y
Enter the NTP servers separated by commas: 1.ntp.example.com, 2.ntp.example.com
Step 4
After you complete the final prompt, you are presented with a summary of the settings. Look over the
summary to verify that the values are correct, and enter Y to apply your changed configuration. Enter N
to cancel your changes.
Example:
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Done.
Generating self-signed certificate, the web server will be restarted after that
...
Done.
Press ENTER to continue...
asacx>
Note
If you change the host name, the prompt does not show the new name until you log out and log back in.
Step 5
If you do not use NTP, configure the time settings. The default time zone is the UTC time zone. Use the
show time command to see the current settings. You can use the following commands to change time
settings:
asacx> config timezone
asacx> config time
Step 6
Change the admin password by entering the following command:
asacx> config passwd
Example:
asacx> config passwd
The password must be at least 8 characters long and must contain
at least one uppercase letter (A-Z), at least one lowercase letter
(a-z) and at least one digit (0-9).
Enter password: Farscape1
Confirm password: Farscape1
SUCCESS: Password changed for user admin
Step 7
Enter the exit command to log out.
Configure the Security Policy on the ASA CX Module
You use PRSM to configure the security policy on the ASA CX module. The security policy controls the
services provided by the module. You cannot configure the policy through the ASA CX CLI, the ASA
CLI, or ASDM.
PRSM is both the name of the ASA CX configuration interface and the name of a separate product for
configuring ASA CX devices, Cisco Prime Security Manager. The method for accessing the
configuration interface, and how to use it, are the same. For details on using PRSM to configure your
ASA CX security policy, see the ASA CX/PRSM user guide or online help.
To open PRSM, use a web browser to open the following URL:
https://management_address
Where management_address is the DNS name or IP address of the ASA CX management interface or
the PRSM server. For example, https://asacx.example.com.
There is a shortcut to this address on Home > ASA CX Status; click the Connect to the ASA CX
application link to open the ASA CX or PRSM server that is managing the module.
Configure the Authentication Proxy Port
If you use active authentication in ASA CX policies, the ASA uses port 885 as the authentication proxy
port. You can configure a different port if 885 is not acceptable, but a non-default port must be higher
than 1024. For more information about the authentication proxy, see Authentication Proxy for Active
Authentication, page 18-5.
In multiple context mode, change the port within each security context.
To change the authentication proxy port, choose Configuration > Firewall > Advanced > ASA CX
Auth Proxy. You can also set the port as part of the ASDM startup wizard.
Redirect Traffic to the ASA CX Module
You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic.
For demonstration purposes only, you can also enable monitor-only mode for the service policy, which
forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a
service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the
ASA CX module, bypassing the ASA.
• Create the ASA CX Service Policy, page 18-17
• Configure Traffic-Forwarding Interfaces (Monitor-Only Mode), page 18-18
Create the ASA CX Service Policy
You redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic.
Note
ASA CX redirection is bidirectional. Thus, if you configure the service policy for one interface, and
there is a connection between hosts on that interface and an interface for which redirection is not
configured, then all traffic between these hosts is sent to the ASA CX module, including traffic
originating on the non-ASA CX interface. However, the ASA only performs the authentication proxy on
the interface to which the service policy is applied, because authentication proxy is applied only to
ingress traffic.
Before You Begin
• If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a directory realm for authentication on the ASA CX module. See the ASA CX user guide for more information.
• If you have an active service policy redirecting traffic to an IPS module (that you replaced with the ASA CX), you must remove that policy before you configure the ASA CX service policy.
• Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in monitor-only mode, or both in normal inline mode.
• In multiple context mode, perform this procedure within each security context.
• When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI as explained below. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information.
Procedure
Step 1
Choose Configuration > Firewall > Service Policy Rules.
Step 2
Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog
box appears.
Step 3
Complete the Service Policy dialog box as desired. See the ASDM online help for more information
about these screens.
Step 4
Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
Step 5
Complete the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more
information about these screens.
Step 6
Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
Step 7
Click the ASA CX Inspection tab.
Step 8
Check the Enable ASA CX for this traffic flow check box.
Step 9
In the If ASA CX Card Fails area, choose one of the following:
• Permit traffic—Sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
• Close traffic—Sets the ASA to block all traffic if the module is unavailable.
Step 10
To enable the authentication proxy, which is required for active authentication, check the Enable Auth
Proxy check box. This option is not available in monitor-only mode.
Step 11
(Optional) For demonstration purposes only, check the Monitor-only check box to send a read-only
copy of traffic to the ASA CX module.
Note
You must configure all classes and policies to be either in monitor-only mode, or in normal inline mode; you cannot mix both modes on the same ASA.
Step 12
Click Finish and then Apply.
Repeat this procedure to configure additional traffic flows as desired.
Configure Traffic-Forwarding Interfaces (Monitor-Only Mode)
For demonstration purposes only, you can configure traffic-forwarding interfaces, where all traffic is
forwarded directly to the ASA CX module. For normal ASA CX operation, see Create the ASA CX
Service Policy, page 18-17.
For more information, see Traffic-Forwarding Interface in Monitor-Only Mode, page 18-3. See also
Guidelines for ASA CX, page 18-6 for guidelines and limitations specific to traffic-forwarding
interfaces.
You can only configure this feature at the CLI. Choose Tools > Command Line Interface, then click
the Multiple Line radio button, and enter the commands. Click Send when the command block is
complete.
Before You Begin
• Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in monitor-only.
• In multiple context mode, perform this procedure within each security context.
Procedure
Step 1
Enter interface configuration mode for the physical interface you want to use for traffic-forwarding.
interface physical_interface
Example:
hostname(config)# interface gigabitethernet 0/5
Step 2
Remove any name configured for the interface. If this interface was used in any ASA configuration, that
configuration is removed. You cannot configure traffic-forwarding on a named interface.
no nameif
Step 3
Enable traffic-forwarding.
traffic-forward cxsc monitor-only
Step 4
Enable the interface.
no shutdown
Repeat for any additional interfaces.
Examples
The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
interface gigabitethernet 0/5
no nameif
traffic-forward cxsc monitor-only
no shutdown
Managing the ASA CX Module
This section includes procedures that help you manage the module.
• Reset the Password, page 18-19
• Reload or Reset the Module, page 18-20
• Shut Down the Module, page 18-20
• (ASA 5512-X through ASA 5555-X) Uninstall a Software Module Image, page 18-20
• (ASA 5512-X through ASA 5555-X) Session to the Module From the ASA, page 18-21
Reset the Password
You can reset the module password to the default. For the user admin, the default password is
Admin123. After resetting the password, you should change it to a unique value using the module
application.
Resetting the module password causes the module to reboot. Services are not available while the module
is rebooting.
To reset the module password to the default, use one of the following techniques. In multiple context
mode, perform this procedure in the system execution space.
• (CLI) Hardware module (ASA 5585-X):
hw-module module 1 password-reset
• (CLI) Software module (ASA 5512-X through ASA 5555-X):
sw-module module cxsc password-reset
• (ASDM) Choose Tools > ASA CX Password Reset.
Note
If you cannot connect to ASDM with the new password, restart ASDM and try to log in
again. If you defined a new password and still have an existing password in ASDM that is
different from the new password, clear the password cache by choosing File > Clear ASDM
Password Cache, then restart ASDM and try to log in again.
Reload or Reset the Module
To reload, or to reset and then reload, the module, enter one of the following commands at the ASA CLI.
In multiple context mode, perform this procedure in the system execution space.
• Hardware module (ASA 5585-X):
hw-module module 1 {reload | reset}
• Software module (ASA 5512-X through ASA 5555-X):
sw-module module cxsc {reload | reset}
Shut Down the Module
Shutting down the module software prepares the module to be safely powered off without losing
configuration data. To gracefully shut down the module, enter one of the following commands at the
ASA CLI. In multiple context mode, perform this procedure in the system execution space.
Note
If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the
module before reloading the ASA.
• Hardware module (ASA 5585-X):
hw-module module 1 shutdown
• Software module (ASA 5512-X through ASA 5555-X):
sw-module module cxsc shutdown
(ASA 5512-X through ASA 5555-X) Uninstall a Software Module Image
You can uninstall a software module image and its associated configuration. In multiple context mode,
perform this procedure in the system execution space.
Procedure
Step 1
Uninstall the software module image and associated configuration.
hostname# sw-module module cxsc uninstall
Module cxsc will be uninstalled. This will completely remove the disk image
associated with the sw-module including any configuration that existed within it.
Uninstall module cxsc? [confirm]
Step 2
Reload the ASA. You must reload the ASA before you can install a new module.
hostname# reload
(ASA 5512-X through ASA 5555-X) Session to the Module From the ASA
Use the ASA CX CLI to configure basic network settings and to troubleshoot the module.
To access the ASA CX software module CLI from the ASA, you can session from the ASA. You can
either session to the module (using Telnet) or create a virtual console session. A console session might
be useful if the control plane is down and you cannot establish a Telnet session. In multiple context
mode, session from the system execution space.
In either a Telnet or a Console session, you are prompted for a username and password. Use the admin
username and password (default is Admin123).
• Telnet session:
session cxsc
When in the ASA CX CLI, to exit back to the ASA CLI, use the exit command, or press Ctrl-Shift-6, x.
• Console session:
session cxsc console
The only way out of a console session is to press Ctrl-Shift-6, x. Logging out of the module leaves you at the module login prompt.
Note
Do not use the session cxsc console command in conjunction with a terminal server where Ctrl-Shift-6,
x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to
escape the ASA CX console and return to the ASA prompt. Therefore, if you try to exit the ASA CX
console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the
terminal server to the ASA, the ASA CX console session is still active; you can never exit to the ASA
prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session
cxsc command instead of the console command when facing this situation.
Monitoring the ASA CX Module
The following topics provide guidance on monitoring the module. For ASA CX-related syslog messages,
see the syslog messages guide. ASA CX syslog messages start with message number 429001.
Use Tools > Command Line Interface to use monitoring commands.
• Showing Module Status, page 18-21
• Showing Module Statistics, page 18-22
• Monitoring Module Connections, page 18-22
Showing Module Status
From the Home page, you can select the ASA CX Status tab to view information about the module. This
includes module information, such as the model, serial number, and software version, and module status,
such as the application name and status, data plane status, and overall status. You can click the link to
open the application and do further analysis and module configuration.
Showing Module Statistics
Use the show service-policy cxsc command to display statistics and status for each service policy that
includes the cxsc command. Use clear service-policy to clear the counters.
The following is sample output from the show service-policy command showing the ASA CX policy
and the current statistics as well as the module status when the authentication proxy is disabled:
hostname# show service-policy cxsc
Global policy:
Service-policy: global_policy
Class-map: bypass
CXSC: card status Up, mode fail-open, auth-proxy disabled
packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0
The following is sample output from the show service-policy command showing the ASA CX policy
and the current statistics as well as the module status when the authentication proxy is enabled; in this
case, the proxied counters also increment:
hostname# show service-policy cxsc
Global policy:
Service-policy: pmap
Class-map: class-default
Default Queueing
Set connection policy: random-sequence-number disable
drop 0
CXSC: card status Up, mode fail-open, auth-proxy enabled
packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
• show asp table classify domain cxsc
Shows the NP rules created to send traffic to the ASA CX module.
• show asp table classify domain cxsc-auth-proxy
Shows the NP rules created for the authentication proxy for the ASA CX module. In the following sample output, which shows one rule, the destination “port=2000” is the auth-proxy port configured by the cxsc auth-proxy port 2000 command, and the destination “ip/id=192.168.0.100” is the ASA interface IP address.
hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
• show asp drop
Shows dropped packets. The drop types are explained below.
• show asp event dp-cp cxsc-msg
This output shows how many ASA CX module messages are on the dp-cp queue. Only VPN queries from the ASA CX module are sent to dp-cp.
• show conn
Shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag.
The show asp drop command can include the following drop reasons related to the ASA CX module.
Frame Drops:
• cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if the packet does not have the Standby Active bit set in the actions field.
• cxsc-request—The frame was requested to be dropped by CXSC due to a policy on CXSC whereby CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.
• cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was ‘fail-close’ (rather than ‘fail-open’, which allows packets through even if the card is down).
• cxsc-fail—The CXSC configuration was removed for an existing flow and the ASA is not able to process it through CXSC; the packet is dropped. This should be very unlikely.
• cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the header length may not be correct.
Flow Drops:
• cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.
• reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.
• cxsc-fail-close—The flow was terminated because the card is down and the configured policy was ‘fail-close.’
Troubleshooting Problems with the Authentication Proxy
If you are having a problem using the authentication proxy feature, follow these steps to troubleshoot
your configuration and connections.
Note
If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
Procedure
Step 1
Check your configurations.
• On the ASA, check the output of the show asp table classify domain cxsc-auth-proxy command and make sure there are rules installed and that they are correct.
• In PRSM, ensure the directory realm is created with the correct credentials and test the connection to make sure you can reach the authentication server; also ensure that a policy object or objects are configured for authentication.
Step 2
Check the output of the show service-policy cxsc command to see if any packets were proxied.
Step 3
Perform a packet capture on the backplane (capture name interface asa_dataplane), and check to see if traffic is being redirected on the correct configured port. You can check the configured port using the show running-config cxsc command or the show asp table classify domain cxsc-auth-proxy command.
Example
Make sure port 2000 is used consistently:
1. Check the authentication proxy port:
hostname# show running-config cxsc
cxsc auth-proxy port 2000
2. Check the authentication proxy rules:
hostname# show asp table classify domain cxsc-auth-proxy
Input Table
in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
3. In the packet captures, the redirect request should be going to destination port 2000.
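The port-consistency check above and the proxied-counter check from Showing Module Statistics can be automated against saved command output. The following Python script is an added example, not part of this guide or of any Cisco tool; the command output it parses is constructed to match the samples in this chapter, and the 885 default is the ASA default auth-proxy port stated earlier.

```python
import re

RUNNING_CONFIG_CXSC = "cxsc auth-proxy port 2000\n"  # constructed sample output, not from a real device

ASP_AUTH_PROXY = """\
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=inside, output_ifc=identity
"""

SERVICE_POLICY = """\
Global policy:
  Service-policy: pmap
    Class-map: class-default
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
"""

ASA_DEFAULT_AUTH_PROXY_PORT = 885  # used when no 'cxsc auth-proxy port' line is present


def configured_auth_proxy_port(running_config):
    """Port from 'cxsc auth-proxy port N' in show running-config cxsc, else the default."""
    m = re.search(r"^cxsc auth-proxy port (\d+)\s*$", running_config, re.M)
    return int(m.group(1)) if m else ASA_DEFAULT_AUTH_PROXY_PORT


def auth_proxy_rules(asp_output):
    """One dict per rule in show asp table classify domain cxsc-auth-proxy output."""
    rules, current = [], None
    for raw in asp_output.splitlines():
        line = raw.strip()
        if line.startswith("in ") and "domain=cxsc-auth-proxy" in line:
            current = {"deny": "deny=true" in line}   # a new rule block starts here
            rules.append(current)
        elif current is not None and line.startswith("dst "):
            current["dst_ip"] = re.search(r"ip/id=([\d.]+)", line).group(1)
            current["dst_port"] = int(re.search(r"port=(\d+)", line).group(1))
        elif current is not None and line.startswith("input_ifc="):
            current["input_ifc"] = re.search(r"input_ifc=([^,\s]+)", line).group(1)
    return rules


def cxsc_status(service_policy):
    """Card status, failure mode, auth-proxy state and counters from show service-policy cxsc."""
    head = re.search(r"CXSC: card status (\w+), mode (\S+), auth-proxy (\w+)", service_policy)
    cnt = re.search(r"packet input (\d+), packet output (\d+), drop (\d+), "
                    r"reset-drop (\d+), proxied (\d+)", service_policy)
    if not head or not cnt:
        raise ValueError("no CXSC entry in service-policy output")
    status = {"card": head.group(1), "mode": head.group(2), "auth_proxy": head.group(3)}
    keys = ("packet_input", "packet_output", "drop", "reset_drop", "proxied")
    status.update(zip(keys, map(int, cnt.groups())))
    return status


def check_auth_proxy(running_config, asp_output, service_policy):
    """Apply the chapter's troubleshooting checks; an empty list means the three views agree."""
    findings = []
    port = configured_auth_proxy_port(running_config)
    rules = auth_proxy_rules(asp_output)
    if not rules:
        findings.append("no cxsc-auth-proxy rules installed (is Enable Auth Proxy checked?)")
    for rule in rules:
        if rule.get("dst_port") != port:
            findings.append(f"rule on {rule.get('input_ifc')} uses port {rule.get('dst_port')}, config says {port}")
    status = cxsc_status(service_policy)
    if status["auth_proxy"] != "enabled":
        findings.append("auth-proxy is disabled in the service policy")
    elif status["proxied"] == 0:
        findings.append("auth-proxy is enabled but the proxied counter is still 0")
    if status["card"] != "Up" and status["mode"] == "fail-open":
        findings.append(f"module is {status['card']} and policy is fail-open: traffic passes uninspected")
    return findings
```

Paste the three command outputs into the constants (or read them from files) and call check_auth_proxy; a module that is down under a fail-open policy is reported because that is the state in which traffic silently bypasses inspection.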
History for the ASA CX Module

Feature Name: ASA 5585-X with SSP-10 and -20 support for the ASA CX SSP-10 and -20
Platform Releases: ASA 8.4(4.1), ASA CX 9.0(1)
Description: The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same access to other employees.
We introduced the following screens:
Home > ASA CX Status
Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection

Feature Name: ASA 5512-X through ASA 5555-X support for the ASA CX SSP
Platform Releases: ASA 9.1(1), ASA CX 9.1(1)
Description: We introduced support for the ASA CX SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
We did not modify any screens.

Feature Name: Monitor-only mode for demonstration purposes
Platform Releases: ASA 9.1(2), ASA CX 9.1(2)
Description: For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected. Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection.
The traffic-forwarding feature is supported by CLI only.

Feature Name: NAT 64 support for the ASA CX module
Platform Releases: ASA 9.1(2), ASA CX 9.1(2)
Description: You can now use NAT 64 in conjunction with the ASA CX module.
We did not modify any screens.

Feature Name: ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60
Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
Description: ASA CX SSP-40 and -60 modules can be used with the matching level ASA 5585-X with SSP-40 and -60.
We did not modify any screens.

Feature Name: Multiple context mode support for the ASA CX module
Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
Description: You can now configure ASA CX service policies per context on the ASA.
Note
Although you can configure per context ASA service policies, the ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
We did not modify any screens.

Feature Name: Filtering packets captured on the ASA CX backplane
Platform Releases: ASA 9.1(3), ASA CX 9.2(1)
Description: You can now filter packets captured on the ASA CX backplane using the match or access-list keyword with the capture interface asa_dataplane command. Control traffic specific to the ASA CX module is not affected by the access-list or match filtering; the ASA captures all control traffic.
In multiple context mode, configure the packet capture per context. Note that all control traffic in multiple context mode goes only to the system execution space. Because control traffic cannot be filtered using an access-list or match, these options are not available in the system execution space.
We did not modify any ASDM screens.