Cisco ASA 5506-X Configuration Manual page 387

Chapter 17
ASA CX Module
Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a
service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the
ASA CX module, bypassing the ASA.
• Create the ASA CX Service Policy, page 17-17
• Configure Traffic-Forwarding Interfaces (Monitor-Only Mode), page 17-18

Create the ASA CX Service Policy

You redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic.

Note
ASA CX redirection is bidirectional. Thus, if you configure the service policy for one interface, and
there is a connection between hosts on that interface and an interface for which redirection is not
configured, then all traffic between these hosts is sent to the ASA CX module, including traffic
originating on the non-ASA CX interface. However, the ASA only performs the authentication proxy on
the interface to which the service policy is applied, because authentication proxy is applied only to
ingress traffic.

Before You Begin
• If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a
  directory realm for authentication on the ASA CX module. See the ASA CX user guide for more
  information.
• If you have an active service policy redirecting traffic to an IPS module (that you replaced with the
  ASA CX), you must remove that policy before you configure the ASA CX service policy.
• Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in
  monitor-only mode, or both in normal inline mode.
• In multiple context mode, perform this procedure within each security context.
• When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic
  to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI as explained below.
  However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX
  user guide for more information.

Procedure

Step 1
Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# class-map cx_class
hostname(config-cmap)# match access-list cx_traffic
If you want to send multiple traffic classes to the module, you can create multiple class maps for use in
the security policy.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name

Cisco ASA Series Firewall CLI Configuration Guide
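The "Before You Begin" items above can be checked against a saved running configuration before the service policy is changed. The script below is an added example, not part of the Cisco guide: it assumes the action lines appear under a policy-map class as `cxsc ... [auth-proxy | monitor-only]` and `ips ...` (commands that are not shown in this excerpt), uses a constructed sample configuration, and takes the ASA CX module's own mode as the hypothetical parameter `module_monitor_only`.

```python
import re

# Constructed sample running-config fragment (not from the Cisco guide).
SAMPLE_CONFIG = """\
class-map cx_class
 match access-list cx_traffic
policy-map global_policy
 class cx_class
  cxsc fail-open auth-proxy
 class ips_class
  ips inline fail-open
policy-map lab_policy
 class cx_class
  cxsc fail-open monitor-only
service-policy global_policy global
"""

def parse_actions(config):
    """Return (policy, class, action_words) for every cxsc/ips action line."""
    actions, policy, cls = [], None, None
    for line in config.splitlines():
        words = line.split() or [""]
        if not line.startswith(" "):     # any top-level command ends policy-map mode
            policy, cls = (words[1] if words[0] == "policy-map" else None), None
        elif policy and words[0] == "class":
            cls = words[1]
        elif policy and cls and words[0] in ("cxsc", "ips"):
            actions.append((policy, cls, words))
    return actions

def audit_cx_policy(config, module_monitor_only=False):
    """Check active policy maps against the 'Before You Begin' items."""
    # Only policy maps bound by a service-policy command are active.
    active = set(re.findall(r"^service-policy (\S+)", config, re.M))
    acts = [a for a in parse_actions(config) if a[0] in active]
    findings = []
    if any(w[0] == "cxsc" for _, _, w in acts):
        for pol, cls, w in acts:
            if w[0] == "ips":            # leftover IPS redirection next to ASA CX
                findings.append(f"{pol}/{cls}: active IPS redirection must be removed")
    for pol, cls, w in acts:
        if w[0] == "cxsc":
            if ("monitor-only" in w) != module_monitor_only:
                findings.append(f"{pol}/{cls}: mode does not match ASA CX module")
            if "auth-proxy" in w:
                findings.append(f"{pol}/{cls}: auth-proxy needs a directory realm on ASA CX")
    return findings
```

In multiple context mode, run the check once per security context, since the procedure is performed within each context.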
