
Cisco ASA 5506-X Configuration Manual page 372


The ASA CX Module
How the ASA CX Module Works with the ASA
The ASA CX module runs a separate application from the ASA. The module can be a hardware module
(on the ASA 5585-X) or a software module (5512-X through 5555-X). As a hardware module, the device
includes separate management and console ports, and extra data interfaces that are used directly by the
ASA and not by the module itself.
You can configure your device in either a normal inline mode or in monitor-only mode for demonstration purposes.
In an inline deployment, the actual traffic is sent to the device, and the device's policy affects what happens to the traffic. After dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission.
In a monitor-only deployment, a copy of the traffic is sent to the device, but it is not returned to the ASA. Monitor-only mode lets you see what the device would have done to traffic without impacting the network. You can configure this mode using a monitor-only service policy or a traffic forwarding interface. For guidelines and limitations for monitor-only mode, see Guidelines for ASA CX, page 17-6.
The following sections explain these modes in more detail.
ASA CX Normal Inline Mode
In normal inline mode, traffic goes through the firewall checks before being forwarded to the ASA CX module. When you identify traffic for ASA CX inspection on the ASA, traffic flows through the ASA and the ASA CX module as follows:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA CX module.
5. The ASA CX module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA CX module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
The following figure shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 17, ASA CX Module, page 17-2
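How the inline and monitor-only modes described above look in ASA CLI, as an added example that is not part of the original manual page. The ACL name CX_TRAFFIC, the class name cx_class and the interface ID are constructed for illustration, and options A, B and C are alternatives, not one combined configuration.

```cisco
! Added example, not from the Cisco guide. CX_TRAFFIC, cx_class and
! GigabitEthernet0/5 are constructed names.

! Identify the traffic that the ASA hands to the ASA CX module
! (step 4 of the inline flow, after firewall policies are applied).
access-list CX_TRAFFIC extended permit tcp any any eq www
access-list CX_TRAFFIC extended permit tcp any any eq https
class-map cx_class
 match access-list CX_TRAFFIC

! Option A: normal inline mode.
! The actual traffic goes to the module and only valid traffic returns.
! fail-close drops matched traffic if the module is unavailable;
! fail-open would let it pass uninspected instead.
policy-map global_policy
 class cx_class
  cxsc fail-close
service-policy global_policy global

! Option B: monitor-only service policy.
! The module receives a read-only copy; nothing it decides affects
! what the ASA forwards.
policy-map global_policy
 class cx_class
  cxsc fail-open monitor-only
service-policy global_policy global

! Option C: monitor-only traffic forwarding interface.
! Everything received on the interface is copied to the module.
! Check the monitor-only guidelines the page refers to before use.
interface GigabitEthernet0/5
 no nameif
 traffic-forward cxsc monitor-only
 no shutdown

! Check after applying A or B: confirms the redirect is attached
! and shows packet counters for the cxsc action.
show service-policy cxsc
```

With option B or C in place the module reports what it would have blocked, but enforcement does not start until the policy is changed to option A.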
