Cisco Asdm 7 User Guide

30-21 Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 30, Configuring the ASA CX Module

Step 8   Check the Enable ASA CX for this traffic flow check box.

Step 9   In the If ASA CX Card Fails area, click one of the following:
         Permit traffic—Sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.
         Close traffic—Sets the ASA to block all traffic if the ASA CX module is unavailable.

Step 10  (Optional) To enable the authentication proxy, which is required for active authentication, check the Enable Auth Proxy check box. This option is not available in monitor-only mode.

Step 11  (Optional) For demonstration purposes only, check the Monitor-only check box to send a read-only copy of traffic to the ASA CX module. See the “Monitor-Only Mode” section on page 30-3 for more information.

Note     You must configure all classes and policies to be either in monitor-only mode or in normal inline mode; you cannot mix both modes on the same ASA.

Step 12  Click OK and then Apply.

Step 13  Repeat this procedure to configure additional traffic flows as desired.

Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)

This section configures traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. This method is for demonstration purposes only. For a normal ASA CX service policy, see the “Creating the ASA CX Service Policy” section on page 30-19. For more information, see the “Monitor-Only Mode” section on page 30-3. See also the “Guidelines and Limitations” section on page 30-6 for guidelines and limitations specific to traffic-forwarding interfaces.

You can only configure this feature at the CLI; in ASDM, use the Command Line Interface tool.

Prerequisites

Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in monitor-only. In multiple context mode, perform this procedure within each security context.

Detailed Steps

Step 1   Choose Tools > Command Line Interface.

Step 2   Click the Multiple Line radio button.

Step 3   Enter the following commands:

         Step 1  interface physical_interface
                 Example: ciscoasa(config)# interface gigabitethernet 0/5
                 Purpose: Enters interface configuration mode for the physical interface you want to use for traffic-forwarding.

         Step 2  no nameif
                 Example: ciscoasa(config-ifc)# no nameif
                 Purpose: Removes any name configured for the interface. If this interface was used in any ASA configuration, that configuration is removed. You cannot configure traffic-forwarding on a named interface.

         Step 3  traffic-forward cxsc monitor-only
                 Example: ciscoasa(config-ifc)# traffic-forward cxsc monitor-only
                 Purpose: Enables traffic-forwarding. You see a warning similar to the following:
                 WARNING: This configuration is purely for demo of CX functionality and shouldnt be used on a production ASA and any issues found when mixing demo feature with production ASA is not supported.

         Step 4  no shutdown
                 Example: ciscoasa(config-ifc)# no shutdown
                 Purpose: Enables the interface.

Step 4   Repeat for any additional interfaces.

Step 5   Click Send.

Examples

The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:

ciscoasa(config)# interface gigabitethernet 0/5
ciscoasa(config-ifc)# no nameif
ciscoasa(config-ifc)# traffic-forward cxsc monitor-only
ciscoasa(config-ifc)# no shutdown

Managing the ASA CX Module

This section includes procedures that help you manage the module.

  Resetting the Password, page 30-23
  Reloading or Resetting the Module, page 30-24
  Shutting Down the Module, page 30-25
  (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image, page 30-26
  (ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA, page 30-26

Resetting the Password

You can reset the module password to the default. For the user admin, the default password is Admin123. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting.

If you cannot connect to ASDM with the new password, restart ASDM and try to log in again. If you defined a new password and still have an existing password in ASDM that is different from the new password, clear the password cache by choosing File > Clear ASDM Password Cache, then restart ASDM and try to log in again.

To reset the module password to the default of Admin123, perform the following steps.

Guidelines

In multiple context mode, perform this procedure in the system execution space.

Detailed Steps

Step 1   From the ASDM menu bar, choose Tools > ASA CX Password Reset. The Password Reset confirmation dialog box appears.

Step 2   Click OK to reset the password to the default Admin123. A dialog box displays the success or failure of the password reset.

Step 3   Click Close to close the dialog box.

Reloading or Resetting the Module

To reload or reset the module, enter one of the following commands at the ASA CLI.

Guidelines

In multiple context mode, perform this procedure in the system execution space.

Detailed Steps

         Command:  For a hardware module (ASA 5585-X): hw-module module 1 reload
                   For a software module (ASA 5512-X through ASA 5555-X): sw-module module cxsc reload
         Example:  ciscoasa# hw-module module 1 reload
         Purpose:  Reloads the module software.

         Command:  For a hardware module: hw-module module 1 reset
                   For a software module: sw-module module cxsc reset
         Example:  ciscoasa# hw-module module 1 reset
         Purpose:  Performs a reset, and then reloads the module.

Shutting Down the Module

Shutting down the module software prepares the module to be safely powered off without losing configuration data.

Note     If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA.

To gracefully shut down the module, perform the following steps at the ASA CLI.

Guidelines

In multiple context mode, perform this procedure in the system execution space.

Detailed Steps

         Command:  For a hardware module (ASA 5585-X): hw-module module 1 shutdown
                   For a software module (ASA 5512-X through ASA 5555-X): sw-module module cxsc shutdown
         Example:  ciscoasa# hw-module module 1 shutdown
         Purpose:  Shuts down the module.

(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image

To uninstall a software module image and associated configuration, perform the following steps.

Guidelines

In multiple context mode, perform this procedure in the system execution space.

Detailed Steps

         Step 1  sw-module module cxsc uninstall
                 Example:
                 ciscoasa# sw-module module cxsc uninstall
                 Module cxsc will be uninstalled. This will completely remove the disk image associated with the sw-module including any configuration that existed within it.
                 Uninstall module ? [confirm]
                 Purpose: Permanently uninstalls the software module image and associated configuration.

         Step 2  reload
                 Example: ciscoasa# reload
                 Purpose: Reloads the ASA. You must reload the ASA before you can install a new module type.

(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA

To access the ASA CX software module CLI from the ASA, you can session from the ASA. You can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session. You may need to access the CLI if you are using multiple context mode and you need to set basic network settings using the CLI, or for troubleshooting.

Guidelines

In multiple context mode, perform this procedure in the system execution space.

Detailed Steps

         Telnet session:  session cxsc
                 Example:
                 ciscoasa# session cxsc
                 Opening command session with slot 1.
                 Connected to module cxsc. Escape character sequence is CTRL-^X.
                 cxsc login: admin
                 Password: Admin123
                 Purpose: Accesses the module using Telnet. You are prompted for the username and password. The default username is admin, and the default password is Admin123.

         Console session:  session cxsc console
                 Example:
                 ciscoasa# session cxsc console
                 Establishing console session with slot 1
                 Opening console session with module cxsc.
                 Connected to module cxsc. Escape character sequence is CTRL-SHIFT-6 then x.
                 cxsc login: admin
                 Password: Admin123
                 Purpose: Accesses the module console. You are prompted for the username and password. The default username is admin, and the default password is Admin123.

                 Note: Do not use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the ASA CX console and return to the ASA prompt. Therefore, if you try to exit the ASA CX console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server to the ASA, the ASA CX console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session cxsc command instead.

Monitoring the ASA CX Module

Use Tools > Command Line Interface to use monitoring commands.

  Showing Module Status, page 30-28
  Showing Module Statistics, page 30-28
  Monitoring Module Connections, page 30-28
  Capturing Module Traffic, page 30-32
  Problems with the Authentication Proxy, page 30-32

Note     For ASA CX-related syslog messages, see the syslog messages guide. ASA CX syslog messages start with message number 429001.

Showing Module Status

See the “ASA CX Status Tab” section on page 4-30 in the general operations configuration guide.

Showing Module Statistics

To show module statistics, enter the following command:

         Command:  show service-policy cxsc
         Purpose:  Displays the ASA CX statistics and status per service policy.

Examples

The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is disabled:

hostname# show service-policy cxsc

Global policy:
  Service-policy: global_policy
    Class-map: bypass
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0

The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is enabled; in this case, the proxied counters also increment:

hostname# show service-policy cxsc

Global policy:
  Service-policy: pmap
    Class-map: class-default
      Default Queueing
      Set connection policy: random-sequence-number disable
        drop 0
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10

Monitoring Module Connections

To show connections through the ASA CX module, enter one of the following commands:

         Command:  show asp table classify domain cxsc
         Purpose:  Shows the NP rules created to send traffic to the ASA CX module.

         Command:  show asp table classify domain cxsc-auth-proxy
         Purpose:  Shows the NP rules created for the authentication proxy for the ASA CX module.

         Command:  show asp drop
         Purpose:  Shows dropped packets. The following drop types are used:

                   Frame Drops:
                   cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets unless the Standby Active bit is set in the actions field.
                   cxsc-request—The frame was requested to be dropped by CXSC due to a policy on CXSC whereby CXSC would set the actions to Deny Source, Deny Destination, or Deny Pkt.
                   cxsc-fail-close—The packet is dropped because the card is not up and the policy configured was fail-close (rather than fail-open, which allows packets through even if the card is down).
                   cxsc-fail—The CXSC configuration was removed for an existing flow and the ASA is not able to process it through CXSC, so the packet is dropped. This should be very unlikely.
                   cxsc-malformed-packet—The packet from CXSC contains an invalid header. For instance, the header length may not be correct.

                   Flow Drops:
                   cxsc-request—The CXSC requested to terminate the flow. The actions bit 0 is set.
                   reset-by-cxsc—The CXSC requested to terminate and reset the flow. The actions bit 1 is set.
                   cxsc-fail-close—The flow was terminated because the card is down and the configured policy was fail-close.

         Command:  show asp event dp-cp cxsc-msg
         Purpose:  This output shows how many ASA CX module messages are on the dp-cp queue. Currently, only VPN queries from the ASA CX module are sent to dp-cp.

         Command:  show conn
         Purpose:  This command already shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag. Connections being forwarded to the ASA CX module will also display the ‘X’ flag.

Examples

The following is sample output from the show asp table classify domain cxsc command:

ciscoasa# show asp table classify domain cxsc

Input Table
in  id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
        hits=15485658, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7ffedb4ad4a0, priority=50, domain=cxsc, deny=false
        hits=992053, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any
in  id=0x7ffedb4ada00, priority=50, domain=cxsc, deny=false
        hits=0, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=m, output_ifc=any

Output Table:

L2 - Output Table:

L2 - Input Table:

Last clearing of hits counters: Never

The following is sample output from the show asp table classify domain cxsc-auth-proxy command. For the first rule in the output, the destination “port=2000” is the auth-proxy port configured by the cxsc auth-proxy port 2000 command, and the destination “ip/id=192.168.0.100” is the ASA interface IP address.

ciscoasa# show asp table classify domain cxsc-auth-proxy

Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=inside, output_ifc=identity
in  id=0x7ffed86cce20, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=2.2.2.2, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=new2, output_ifc=identity
in  id=0x7ffed86cd7d0, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.23.58.52, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=mgmt, output_ifc=identity
in  id=0x7ffed86caa80, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.5.172, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=outside, output_ifc=identity
in  id=0x7ffed86cb3c0, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=::/0, port=0
        dst ip/id=fe80::5675:d0ff:fe5b:1102/128, port=2000
        input_ifc=outside, output_ifc=identity
in  id=0x7ffed742be10, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=::/0, port=0
        dst ip/id=1:1:1:1::10/128, port=2000
        input_ifc=outside, output_ifc=identity

Output Table:

L2 - Output Table:

L2 - Input Table:

Last clearing of hits counters: Never

The following is sample output from the show asp drop command. This output is just an example and lists all the possible reasons for a dropped frame or flow from the ASA CX module:
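The show service-policy cxsc output in the Showing Module Statistics section is the place to confirm, from a monitoring host, that traffic is actually being inspected. The following script is an added example for this page, not Cisco code: it parses the two sample outputs quoted above into one record per class-map and flags any class whose policy is fail-open (the Permit traffic choice in Step 9) while the card is not Up, which is exactly the state in which the ASA forwards that traffic uninspected. The third input is a constructed variant of the first sample with the module unavailable; the exact status string the ASA prints for a down module is an assumption here.

```python
"""Parse `show service-policy cxsc` output and flag traffic that bypasses the module.

Added example for this guide, not Cisco's code. The first two inputs are the sample
outputs quoted in the guide; the third is a constructed variant with the card down.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_CLASS_RE = re.compile(r"Class-map: (?P<name>\S+)")
# Status line printed under each class-map that redirects traffic to the module.
_STATUS_RE = re.compile(
    r"CXSC: card status (?P<status>[^,]+), mode (?P<mode>fail-open|fail-close), "
    r"auth-proxy (?P<auth_proxy>enabled|disabled)"
)
# Counter line that follows the status line.
_COUNTERS_RE = re.compile(
    r"packet input (?P<input>\d+), packet output (?P<output>\d+), drop (?P<drop>\d+), "
    r"reset-drop (?P<reset_drop>\d+), proxied (?P<proxied>\d+)"
)


@dataclass
class CxClassStatus:
    class_map: str
    card_status: str
    mode: str
    auth_proxy: str
    packet_input: int
    packet_output: int
    drop: int
    reset_drop: int
    proxied: int

    @property
    def uninspected(self) -> bool:
        """True when matching traffic is forwarded without inspection: fail-open
        ("Permit traffic") passes everything while the card is not Up,
        fail-close ("Close traffic") blocks it instead."""
        return self.mode == "fail-open" and self.card_status != "Up"


def parse_service_policy(output: str) -> list[CxClassStatus]:
    """Pair each CXSC status line with the class-map above it and the counters below it."""
    results: list[CxClassStatus] = []
    current_class = "?"
    pending = None  # status match still waiting for its counters line
    for raw in output.splitlines():
        line = raw.strip()
        if m := _CLASS_RE.search(line):
            current_class = m["name"]
        elif m := _STATUS_RE.search(line):
            pending = m
        elif pending is not None and (c := _COUNTERS_RE.search(line)):
            results.append(CxClassStatus(
                class_map=current_class,
                card_status=pending["status"],
                mode=pending["mode"],
                auth_proxy=pending["auth_proxy"],
                packet_input=int(c["input"]),
                packet_output=int(c["output"]),
                drop=int(c["drop"]),
                reset_drop=int(c["reset_drop"]),
                proxied=int(c["proxied"]),
            ))
            pending = None
    return results


def bypass_findings(output: str) -> list[str]:
    """One finding per class-map whose traffic currently bypasses ASA CX inspection."""
    return [
        f"class-map {s.class_map}: card status {s.card_status}, mode {s.mode}: "
        f"traffic is passed uninspected"
        for s in parse_service_policy(output)
        if s.uninspected
    ]


# Sample output from the guide (authentication proxy disabled).
SAMPLE_AUTH_PROXY_DISABLED = """\
Global policy:
  Service-policy: global_policy
    Class-map: bypass
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 2626422041, packet output 2626877967, drop 0, reset-drop 0, proxied 0
"""

# Sample output from the guide (authentication proxy enabled).
SAMPLE_AUTH_PROXY_ENABLED = """\
Global policy:
  Service-policy: pmap
    Class-map: class-default
      Default Queueing
      Set connection policy: random-sequence-number disable
        drop 0
      CXSC: card status Up, mode fail-open, auth-proxy enabled
        packet input 7724, packet output 7701, drop 0, reset-drop 0, proxied 10
"""

# Constructed variant, not from the guide: same policy with the module unavailable.
SAMPLE_CARD_DOWN = SAMPLE_AUTH_PROXY_DISABLED.replace("card status Up", "card status Down")
```

Feed it the output of show service-policy cxsc collected on a schedule; an empty list from bypass_findings means every class that redirects to the module is either being inspected or is configured fail-close, and a non-empty list is the condition worth alerting on, since the packet counters keep climbing in that state and nothing else in the output distinguishes inspected from uninspected traffic.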
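The two show asp table classify outputs in the Monitoring Module Connections section answer two questions a reviewer of this configuration asks: which interfaces have an NP rule sending their traffic to the module (and whether those rules are being hit), and on which interface addresses the authentication proxy is listening. The following parser is an added example for this page, not Cisco code; its inputs are excerpts of the sample outputs quoted above (rule ids, counters and addresses as printed there), and the rule layout it assumes is the one shown in those excerpts.

```python
"""Parse `show asp table classify domain ...` output and summarize ASA CX redirection.

Added example for this guide, not Cisco's code. Inputs are excerpts of the sample
outputs quoted in the guide.
"""
from __future__ import annotations

import re
from collections import defaultdict

# A rule starts with an "in id=..." header; its attributes follow on indented lines.
_HEAD_RE = re.compile(
    r"^in\s+id=(?P<id>0x[0-9a-f]+), priority=(?P<prio>\d+), "
    r"domain=(?P<domain>\S+), deny=(?P<deny>true|false)"
)
_HITS_RE = re.compile(r"\bhits=(?P<hits>\d+)")
_PROTO_RE = re.compile(r"\bprotocol=(?P<proto>\d+)")
# IPv4 entries carry a mask field; IPv6 entries print a prefix length instead.
_DST_RE = re.compile(r"dst ip/id=(?P<dst>[^,]+),(?: mask=[^,]+,)? port=(?P<port>\d+)")
_IFC_RE = re.compile(r"input_ifc=(?P<in>[^,]+), output_ifc=(?P<out>\S+)")


def parse_classify(output: str) -> list[dict]:
    """Return one dict per NP classification rule in the Input Table."""
    rules: list[dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        if m := _HEAD_RE.match(line):
            rules.append({
                "id": m["id"], "priority": int(m["prio"]), "domain": m["domain"],
                "deny": m["deny"] == "true", "hits": 0, "protocol": None,
                "dst": None, "dst_port": None, "input_ifc": None, "output_ifc": None,
            })
            continue
        if not rules:
            continue  # banner lines before the first rule
        rule = rules[-1]
        if m := _HITS_RE.search(line):
            rule["hits"] = int(m["hits"])
        if m := _PROTO_RE.search(line):
            rule["protocol"] = int(m["proto"])
        if m := _DST_RE.search(line):
            rule["dst"], rule["dst_port"] = m["dst"], int(m["port"])
        if m := _IFC_RE.search(line):
            rule["input_ifc"], rule["output_ifc"] = m["in"], m["out"]
    return rules


def redirect_hits_by_interface(rules: list[dict]) -> dict[str, int]:
    """Sum hits of cxsc redirection rules per input interface. An interface absent
    from the result has no rule sending its traffic to the module; a zero count
    means the rule exists but nothing has matched it since the counters were cleared."""
    per_ifc: dict[str, int] = defaultdict(int)
    for r in rules:
        if r["domain"] == "cxsc" and not r["deny"]:
            per_ifc[r["input_ifc"]] += r["hits"]
    return dict(per_ifc)


def auth_proxy_listeners(rules: list[dict]) -> list[tuple[str, str, int]]:
    """(input_ifc, destination, port) per auth-proxy rule: the ASA interface
    addresses and TCP port on which the authentication proxy accepts connections."""
    return sorted(
        (r["input_ifc"], r["dst"], r["dst_port"])
        for r in rules if r["domain"] == "cxsc-auth-proxy"
    )


# Excerpt of the guide's `show asp table classify domain cxsc` output.
SAMPLE_CXSC = """\
Input Table
in  id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
        hits=15485658, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7ffedb4ad4a0, priority=50, domain=cxsc, deny=false
        hits=992053, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any
Last clearing of hits counters: Never
"""

# Excerpt of the guide's `show asp table classify domain cxsc-auth-proxy` output.
SAMPLE_AUTH_PROXY = """\
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
        input_ifc=inside, output_ifc=identity
in  id=0x7ffed86cb3c0, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=::/0, port=0
        dst ip/id=fe80::5675:d0ff:fe5b:1102/128, port=2000
        input_ifc=outside, output_ifc=identity
"""
```

Comparing redirect_hits_by_interface against the list of interfaces that should be inspected is a quick configuration check: an interface that carries traffic but does not appear in the result has no service policy sending it to the module. The auth-proxy listeners are all destination-only rules to the ASA's own interface addresses on the configured auth-proxy port (2000 in the guide's example), so anything else reported there indicates the sample was not what you expected.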