Cisco Systems ASA 5540 Network Router User Manual


Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 63 Configuring the ASA CX Module
Information About the ASA CX Module
Initial Configuration
For initial configuration, you must use the CLI on the ASA CX module to run the setup command and
configure other optional settings.
To access the CLI, you can use the following methods:
• ASA CX console port.
• ASA CX Management 1/0 interface using SSH—You can connect to the default IP address
  (192.168.8.8), or you can use ASDM to change the management IP address and then connect using
  SSH.
Note: You cannot access the ASA CX module CLI over the ASA backplane using the session command.
Policy Configuration and Management
After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security
Manager (PRSM). Then configure the ASA policy for sending traffic to the ASA CX module using
ASDM or the ASA CLI.
Note: When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the
ASA CX module within PRSM, instead of using ASDM or the ASA CLI. Using PRSM lets you
consolidate management to a single management system. However, PRSM has some limitations when
configuring the ASA service policy; see the ASA CX user guide for more information.
Information About Authentication Proxy
When the ASA CX needs to authenticate an HTTP user (to take advantage of identity policies), you must
configure the ASA to act as an authentication proxy: the ASA CX module redirects authentication
requests to the ASA interface IP address/proxy port. By default, the port is 885 (user configurable).
Configure this feature as part of the service policy to divert traffic from the ASA to the ASA CX module.
If you do not enable the authentication proxy, only passive authentication is available.
Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
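
The following ASA CLI fragment is an added example, not taken from the Cisco guide, showing the authentication proxy enabled as part of a service policy applied to a single interface. The interface name (inside), the ACL, class-map and policy-map names, the fail-close choice and the replacement port 5000 are assumptions made for illustration.

```cisco
! Constructed example. Names, interface and port value are assumptions.
!
! Select the HTTP traffic that should be sent to the ASA CX module.
access-list CX_HTTP extended permit tcp any any eq www
!
class-map CX_CLASS
 match access-list CX_HTTP
!
policy-map CX_POLICY
 class CX_CLASS
  ! The auth-proxy keyword turns on the authentication proxy for this class.
  ! Without it, only passive authentication is available.
  ! fail-close blocks the matched traffic if the module is unavailable;
  ! fail-open would pass it uninspected.
  cxsc fail-close auth-proxy
!
! The policy is applied to one interface only. Traffic between hosts on
! "inside" and hosts on another interface is still sent to the module in
! both directions, but the ASA performs the authentication proxy only for
! connections entering on "inside" (the proxy is ingress-only).
service-policy CX_POLICY interface inside
!
! Optional: move the proxy listener off the default port 885.
cxsc auth-proxy port 5000
```

If users behind more than one interface need active authentication, the service policy must be applied to each of those interfaces, or globally, because the proxy is not performed on the interface that lacks the policy.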