Cisco Asdm 7 User Guide

    30-11
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 30      Configuring the ASA CX Module
      Configuring the ASA CX Module
    ASA 5512-X through ASA 5555-X (Software Module)
    These models run the ASA CX module as a software module, and the ASA CX management interface 
    shares the Management 0/0 interface with the ASA.
    If you have an inside router
    If you have an inside router, you can route between the Management 0/0 network, which includes both 
    the ASA and ASA CX management IP addresses, and the inside network for Internet access. Be sure to 
    also add a route on the ASA to reach the Management network through the inside router.
    If you do not have an inside router
    If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the ASA CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
    [Figure: ASA 5545-X management connections. Labels: ASA CX Management 0/0, default IP 192.168.1.2; ASA Management 0/0, default IP 192.168.1.1; Management PC; Proxy or DNS Server (for example); Router; ASA Outside and Inside; CX Management; ASA CX Default Gateway; ASA gateway for Management; Internet.]
    Note: You must remove the ASA-configured name for Management 0/0; if it is configured on the ASA, then the ASA CX address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA CX address can be on any network, for example, the ASA inside network.
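    The Note above states the placement rule for the ASA CX management address. The following Python check is an added example, not part of the Cisco guide: it applies that rule to a proposed address given the ASA's own interface addresses. The interface key "Management0/0" and the sample networks are assumptions.

```python
"""Placement check for an ASA CX management IP address.

Added example, not Cisco code: it encodes the Management 0/0 rule from the
Note above.  Interface names and addresses used here are constructed samples.
"""
import ipaddress
from typing import Dict, Tuple


def check_cx_mgmt_address(cx_ip: str, mgmt0_0_has_nameif: bool,
                          asa_interfaces: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed ASA CX management address.

    cx_ip:              ASA CX management IP, e.g. "192.168.1.2".
    mgmt0_0_has_nameif: True while the ASA still has a name configured on
                        Management 0/0 (the key "Management0/0" below).
    asa_interfaces:     ASA interface name -> the ASA's own "ip/prefix" on it.
    """
    cx = ipaddress.ip_address(cx_ip)
    asa_addrs = {name: ipaddress.ip_interface(a) for name, a in asa_interfaces.items()}

    # Whatever the mode, the ASA CX may not reuse an address the ASA already owns.
    for name, iface in asa_addrs.items():
        if iface.ip == cx:
            return False, f"{cx} is already the ASA's own address on {name}"

    if not mgmt0_0_has_nameif:
        # Name removed: the ASA CX is effectively a separate device and may sit on
        # any network, including the ASA inside network.
        return True, "Management 0/0 has no ASA name; any network is allowed"

    mgmt = asa_addrs.get("Management0/0")
    if mgmt is None:
        return False, "Management 0/0 is named but has no ASA address"
    if cx not in mgmt.network:
        return False, f"{cx} is not on the ASA Management 0/0 network {mgmt.network}"

    # A named Management 0/0 also excludes networks already used on other interfaces.
    for name, iface in asa_addrs.items():
        if name != "Management0/0" and iface.network.overlaps(mgmt.network):
            return False, f"management network {mgmt.network} overlaps {name} ({iface.network})"
    return True, f"{cx} is on the ASA Management 0/0 network {mgmt.network}"


# Constructed sample: the default addressing shown in the figure above.
DEFAULT_ASA = {"Management0/0": "192.168.1.1/24", "inside": "10.1.1.1/24"}

if __name__ == "__main__":
    print(check_cx_mgmt_address("192.168.1.2", True, DEFAULT_ASA))
    print(check_cx_mgmt_address("10.1.1.2", True, DEFAULT_ASA))
    print(check_cx_mgmt_address("10.1.1.2", False, {"inside": "10.1.1.1/24"}))
```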
    What to Do Next
    Configure the ASA CX management IP address. See the “(ASA 5585-X) Changing the ASA CX 
    Management IP Address” section on page 30-14.
    (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module
    If you purchase the ASA with the ASA CX module, the module software and required solid state drive(s) 
    (SSDs) come pre-installed and ready to go. If you want to add the ASA CX to an existing ASA, or need 
    to replace the SSD, you need to install the ASA CX boot software and partition the SSD according to 
    this procedure. To physically install the SSD, see the ASA hardware guide.
    Note: For the ASA 5585-X hardware module, you must install or upgrade your image from within the ASA CX module. See the ASA CX module documentation for more information.
    Prerequisites
    The free space on flash (disk0) should be at least 3GB plus the size of the boot software.
    In multiple context mode, perform this procedure in the system execution space.
    Detailed Steps
    Step 1 Download the ASA CX boot software from Cisco.com to your computer. If you have a Cisco.com login, you can obtain the boot software from the following website:
    http://www.cisco.com/cisco/software/release.html?mdfid=284325223&softwareid=284399946
    The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system software from a server of your choice to the SSD.
    [Figure: management connections without an inside router. Labels: Internet; Management PC; Layer 2 Switch; ASA Inside and Outside; Management 0/0 (ASA CX only); CX; ASA CX Default Gateway; Proxy or DNS Server (for example).]
    Step 2 Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA CX management interface. If you have a Cisco.com login, you can obtain the boot software from the following website:
    http://www.cisco.com/cisco/software/release.html?mdfid=284325223&softwareid=284399946
    Step 3 In ASDM, choose Tools > File Management, and then choose File Transfer > Between Local PC and Flash. Transfer the boot software to disk0 on the ASA. Do not transfer the system software; it is downloaded later to the SSD.
    Step 4 Connect to the ASA CLI, and enter privileged EXEC mode. See the “Getting Started” chapter in the general operations configuration guide to access the ASA CLI.
    Step 5 If you are replacing the IPS module with the ASA CX module, shut down and uninstall the IPS module, and then reload the ASA:
    ciscoasa# sw-module module ips shutdown
    ciscoasa# sw-module module ips uninstall
    ciscoasa# reload
    After the ASA reloads, reconnect to the ASA CLI.
    Step 6 Set the ASA CX module boot image location in ASA disk0 by entering the following command:
    ciscoasa# sw-module module cxsc recover configure image disk0:file_path
    Example:
    ciscoasa# sw-module module cxsc recover configure image disk0:asacx-boot-9.1.1.img
    Step 7 Load the ASA CX boot image by entering the following command:
    ciscoasa# sw-module module cxsc recover boot
    Step 8 Wait approximately 5 minutes for the ASA CX module to boot up, and then open a console session to the now-running ASA CX boot image. The default username is admin and the default password is Admin123.
    ciscoasa# session cxsc console
    Establishing console session with slot 1
    Opening console session with module cxsc.
    Connected to module cxsc. Escape character sequence is CTRL-SHIFT-6 then x.
    cxsc login: admin
    Password: Admin123
    Step 9 Partition the SSD:
    asacx-boot> partition
    ....
    Partition Successfully Completed
    Step 10 Perform the basic network setup using the setup command according to the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-16 (do not exit the ASA CX CLI), and then return to this procedure to install the software image.
    Step 11 Install the system software from the server:
    asacx-boot> system install url
    Example:
    The following command installs the asacx-sys-9.1.1.pkg system software.
    asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.1.1.pkg
    Username: buffy
    Password: angelforever
    Verifying
    Downloading
    Extracting
    Package Detail
            Description:      Cisco ASA CX System Upgrade
            Requires reboot:  Yes
    Do you want to continue with upgrade? [n]: Y
    Warning: Please do not interrupt the process or turn off the system. Doing so might leave 
    system in unusable state.
    Upgrading
    Stopping all the services ...
    Starting upgrade process ...
    Reboot is required to complete the upgrade. Press Enter to reboot the system.
    Step 12 Press Enter to reboot the ASA CX module. Rebooting the module closes the console session. Allow 10 or more minutes for application component installation and for the ASA CX services to start.
    (ASA 5585-X) Changing the ASA CX Management IP Address
    If you cannot use the default management IP address (192.168.8.8), then you can set the management IP 
    address from the ASA. After you set the management IP address, you can access the ASA CX module 
    using SSH to perform initial setup.
    Note: For a software module, you can access the ASA CX CLI to perform setup by sessioning from the ASA CLI; you can then set the ASA CX management IP address as part of setup. See the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-16.
    Guidelines
    In multiple context mode, perform this procedure in the system execution space.
    Detailed Steps
    Multiple Context Mode
    Step 1 In the System, choose Tools > Command Line Interface.
    Step 2 Enter the following command:
    Command: session 1 do setup host ip ip_address/mask,gateway_ip
    Purpose: Sets the ASA CX management IP address, mask, and gateway.
    Example:
    ciscoasa# session 1 do setup host ip 10.1.1.2/24,10.1.1.1
    Step 3 Click Send.
    Single Context Mode
    Step 1 In ASDM, choose Wizards > Startup Wizard.
    Step 2 Click Next to advance through the initial screens until you reach the ASA CX Basic Configuration screen.
    Step 3 Enter the new management IP address, subnet mask, and default gateway.
    Step 4 (Optional) Change the Auth Proxy Port. You can set this later if desired. See the “(Optional) Configuring the Authentication Proxy Port” section on page 30-18 for more information.
    Step 5 Click Finish to skip the remaining screens, or click Next to advance through the remaining screens and complete the wizard.
    Configuring Basic ASA CX Settings at the ASA CX CLI
    You must configure basic network settings and other parameters on the ASA CX module before you can 
    configure your security policy.
    Detailed Steps
    Step 1 Do one of the following:
    (All models) Use SSH to connect to the ASA CX management IP address.
    (ASA 5512-X through ASA 5555-X) Open a console session to the module from the ASA CLI (see the “Getting Started” chapter in the general operations configuration guide to access the ASA CLI). In multiple context mode, session from the system execution space.
    ciscoasa# session cxsc console
    Step 2 Log in with the username admin and the password Admin123. You will change the password as part of this procedure.
    Step 3 Enter the following command:
    asacx> setup
    Example:
    asacx> setup
    Welcome to Cisco Prime Security Manager Setup
    [hit Ctrl-C to abort]
    Default values are inside [ ]
    You are prompted through the setup wizard. The following example shows a typical path through the 
    wizard; if you enter Y instead of N at a prompt, you will be able to configure some additional settings. 
    This example shows how to configure both IPv4 and IPv6 static addresses. You can configure IPv6 
    stateless auto configuration by answering N when asked if you want to configure a static IPv6 address.
    Enter a hostname [asacx]: asa-cx-host
    Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
    Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n)[N]: N
    Enter an IPv4 address [192.168.8.8]: 10.89.31.65
    Enter the netmask [255.255.255.0]: 255.255.255.0
    Enter the gateway [192.168.8.1]: 10.89.31.1
    Do you want to configure static IPv6 address on management interface?(y/n) [N]: Y
    Enter an IPv6 address: 2001:DB8:0:CD30::1234/64
    Enter the gateway: 2001:DB8:0:CD30::1
    Enter the primary DNS server IP address [ ]: 10.89.47.11
    Do you want to configure Secondary DNS Server? (y/n) [N]: N
    Do you want to configure Local Domain Name? (y/n) [N] Y
    Enter the local domain name: example.com
    Do you want to configure Search domains? (y/n) [N] Y
    Enter the comma separated list for search domains: example.com
    Do you want to enable the NTP service?(y/n) [N]: Y
    Enter the NTP servers separated by commas: 1.ntp.example.com, 2.ntp.example.com
    Step 4 After you complete the final prompt, you are presented with a summary of the settings. Look over the summary to verify that the values are correct, and enter Y to apply your changed configuration. Enter N to cancel your changes.
    Example:
    Apply the changes?(y,n) [Y]: Y
    Configuration saved successfully!
    Applying...
    Done.
    Generating self-signed certificate, the web server will be restarted after that
    ...
    Done.
    Press ENTER to continue...
    asacx>
    Note: If you change the host name, the prompt does not show the new name until you log out and log back in.
    Step 5 If you do not use NTP, configure the time settings. The default time zone is the UTC time zone. Use the show time command to see the current settings. You can use the following commands to change time settings:
    asacx> config timezone
    asacx> config time
    Step 6 Change the admin password by entering the following command:
    asacx> config passwd
    Example:
    asacx> config passwd
    The password must be at least 8 characters long and must contain
    at least one uppercase letter (A-Z), at least one lowercase letter
    (a-z) and at least one digit (0-9).
    Enter password: Farscape1
    Confirm password: Farscape1
    SUCCESS: Password changed for user admin
    Step 7 Enter the exit command to log out.
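    Before the setup answers and the new password are typed at the asacx> prompt, the planned values can be sanity-checked offline. The following Python pre-flight is an added example, not Cisco code: it uses the transcript values above and the password policy printed by config passwd in Step 6; its hostname rule (letters, digits and hyphens) is an assumption.

```python
"""Pre-flight check for answers to the ASA CX 'setup' wizard (added example, not Cisco code).

It checks the transcript values above (gateway on the management subnet, for IPv4 and
IPv6) and the 'config passwd' policy from Step 6 before they are typed at the asacx>
prompt.  The hostname rule (letters, digits and hyphens) is an assumption.
"""
import ipaddress
import re
from typing import Dict, List

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
FACTORY_DEFAULT_PASSWORD = "Admin123"  # default login quoted in Step 2


def gateway_problems(addr: str, gateway: str) -> List[str]:
    """addr is 'ip/prefix' or 'ip/dotted-mask'; the gateway must be another host on that subnet."""
    iface = ipaddress.ip_interface(addr)
    gw = ipaddress.ip_address(gateway)
    if gw.version != iface.version:
        return [f"gateway {gw} is not IPv{iface.version}"]
    if gw not in iface.network:
        return [f"gateway {gw} is outside {iface.network}"]
    if gw == iface.ip:
        return [f"gateway {gw} equals the management address"]
    return []


def password_problems(pw: str) -> List[str]:
    """Policy printed by 'config passwd': >= 8 chars, one A-Z, one a-z, one 0-9."""
    problems = []
    if len(pw) < 8:
        problems.append("password shorter than 8 characters")
    for pattern, what in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"), (r"[0-9]", "digit")):
        if not re.search(pattern, pw):
            problems.append(f"password has no {what}")
    if pw == FACTORY_DEFAULT_PASSWORD:
        problems.append("password is still the factory default")
    return problems


def preflight(answers: Dict[str, str]) -> List[str]:
    """Return every problem found; an empty list means the answers are consistent."""
    problems = []
    if not HOSTNAME_RE.match(answers["hostname"]):
        problems.append("hostname may only contain letters, digits and hyphens")
    problems += gateway_problems(answers["ipv4"], answers["ipv4_gateway"])
    if answers.get("ipv6"):  # static IPv6 is optional in the wizard
        problems += gateway_problems(answers["ipv6"], answers["ipv6_gateway"])
    problems += password_problems(answers["new_password"])
    return problems


SAMPLE_ANSWERS = {  # constructed: the values entered in the setup transcript above
    "hostname": "asa-cx-host",
    "ipv4": "10.89.31.65/255.255.255.0", "ipv4_gateway": "10.89.31.1",
    "ipv6": "2001:DB8:0:CD30::1234/64", "ipv6_gateway": "2001:DB8:0:CD30::1",
    "new_password": "Farscape1",
}
```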
    Configuring the Security Policy on the ASA CX Module Using PRSM
    This section describes how to launch PRSM to configure the ASA CX module application. For details 
    on using PRSM to configure your ASA CX security policy, see the ASA CX user guide.
    Detailed Steps
    You can launch PRSM from your web browser, or you can launch it from ASDM.
    Launch PRSM from a web browser by entering the following URL:
    https://ASA_CX_management_IP
    where the ASA CX management IP address is the one you set in the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-16.
    Launch PRSM from ASDM by choosing Home > ASA CX Status, and clicking the Connect to the 
    ASA CX application link.
    What to Do Next
    (Optional) Configure the authentication proxy port. See the “(Optional) Configuring the 
    Authentication Proxy Port” section on page 30-18.
    Redirect traffic to the ASA CX module. See the “Redirecting Traffic to the ASA CX Module” 
    section on page 30-19.
    (Optional) Configuring the Authentication Proxy Port
    The default authentication port is 885. To change the authentication proxy port, perform the following 
    steps. For more information about the authentication proxy, see the “Information About Authentication 
    Proxy” section on page 30-5.
    Note: (Single mode) You can also set the port as part of the ASDM startup wizard. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14.
    Guidelines
    In multiple context mode, perform this procedure within each security context.
    Detailed Steps
    Step 1 In ASDM, choose Configuration > Firewall > Advanced > ASA CX Auth Proxy.
    Step 2 Enter a port greater than 1024. The default is 885.
    Step 3 Click Apply.
    Redirecting Traffic to the ASA CX Module
    You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic. 
    For demonstration purposes only, you can also enable monitor-only mode for the service policy, which 
    forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
    Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a 
    service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the 
    ASA CX module, bypassing the ASA.
    Creating the ASA CX Service Policy, page 30-19
    Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode), page 30-22
    Creating the ASA CX Service Policy
    This section identifies traffic to redirect from the ASA to the ASA CX module. Configure this policy on 
    the ASA. If you want to use a traffic-forwarding interface for demonstration purposes, skip this 
    procedure and see the “Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)” section on 
    page 30-22 instead.
    Note: When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information.
    Prerequisites
    If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a 
    directory realm for authentication on the ASA CX module. See the ASA CX user guide for more 
    information.
    If you have an active service policy redirecting traffic to an IPS module (that you replaced with the 
    ASA CX), you must remove that policy before you configure the ASA CX service policy.
    Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in 
    monitor-only mode, or both in normal inline mode.
    In multiple context mode, perform this procedure within each security context.
    Detailed Steps
    Step 1 Choose Configuration > Firewall > Service Policy Rules.
    Step 2 Choose Add > Add Service Policy Rule. The Add Service Policy Rule Wizard - Service Policy dialog box appears.
    Step 3 Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.
    Step 4 Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
    Step 5 Complete the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more information about these screens.
    Step 6 Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
    Step 7 Click the ASA CX Inspection tab.