Home > Cisco > Computer Equipment > Cisco Asdm 7 User Guide

Cisco Asdm 7 User Guide

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual Cisco Asdm 7 User Guide. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 681

    Page 681 30-31 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module ciscoasa# show asp drop Frame drop: CXSC Module received packet with bad TLVs (cxsc-bad-tlv-received) 2 CXSC Module requested drop (cxsc-request) 1 CXSC card is down (cxsc-fail-close) 1 CXSC config removed for flow (cxsc-fail) 3 CXSC... 
     
30-31
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 30      Configuring the ASA CX Module
  Monitoring the ASA CX Module
ciscoasa# show asp drop
Frame drop:
  CXSC Module received packet with bad TLVs (cxsc-bad-tlv-received)           2
  CXSC Module requested drop (cxsc-request)                                    1
  CXSC card is down (cxsc-fail-close)                                          1
  CXSC config removed for flow (cxsc-fail)                                     3
  CXSC...

    Page 682

    Page 682 30-32 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 30 Configuring the ASA CX Module Troubleshooting the ASA CX Module Capturing Module Traffic To configure and view packet captures for the ASA CX module, enter one of the following commands: NoteCaptured packets contain an additional AFBP header that your PCAP viewer might not understand; be sure to use the appropriate plugin to view these packets. Troubleshooting the ASA CX Module Problems with the Authentication Proxy, page... 
     
30-32
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 30      Configuring the ASA CX Module
  Troubleshooting the ASA CX Module
Capturing Module Traffic
To configure and view packet captures for the ASA CX module, enter one of the following commands:
NoteCaptured packets contain an additional AFBP header that your PCAP viewer might not understand; be 
sure to use the appropriate plugin to view these packets.
Troubleshooting the ASA CX Module
Problems with the Authentication Proxy, page...

    Page 683

    Page 683 30-33 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 30 Configuring the ASA CX Module Feature History for the ASA CX Module ciscoasa# show running-config cxsc cxsc auth-proxy port 2000 2.Check the authentication proxy rules: ciscoasa# show asp table classify domain cxsc-auth-proxy Input Table in id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0 dst... 
     
30-33
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 30      Configuring the ASA CX Module
  Feature History for the ASA CX Module
ciscoasa# show running-config cxsc 
cxsc auth-proxy port 2000
2.Check the authentication proxy rules:
ciscoasa# show asp table classify domain cxsc-auth-proxy 
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst...

    Page 684

    Page 684 30-34 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 30 Configuring the ASA CX Module Feature History for the ASA CX Module Monitor-only mode for demonstration purposesASA 9.1(2) ASA CX 9.1(2)For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected. Another option for demonstration purposes is to configure a traffic-forwarding interface instead... 
     
30-34
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 30      Configuring the ASA CX Module
  Feature History for the ASA CX Module
Monitor-only mode for demonstration 
purposesASA 9.1(2)
ASA CX 9.1(2)For demonstration purposes only, you can enable 
monitor-only mode for the service policy, which forwards a 
copy of traffic to the ASA CX module, while the original 
traffic remains unaffected.
Another option for demonstration purposes is to configure a 
traffic-forwarding interface instead...

    Page 685

    Page 685 CH A P T E R 31-1 Cisco ASA Series Firewall ASDM Configuration Guide 31 Configuring the ASA IPS Module This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html This chapter includes the following sections: Information About the ASA IPS... 
    CH A P T E R
 
31-1
Cisco ASA Series Firewall ASDM Configuration Guide
 
31
Configuring the ASA IPS Module
This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware 
module or a software module, depending on your ASA model. For a list of supported ASA IPS modules 
per ASA model, see the Cisco ASA Compatibility Matrix:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
This chapter includes the following sections:
Information About the ASA IPS...

    Page 686

    Page 686 31-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module directly; if it does not have a management interface, you can connect to the ASA IPS module through the ASA interface. The ASA IPS SSP on the ASA... 
     
31-2
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Information About the ASA IPS Module
How the ASA IPS Module Works with the ASA
The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an 
external management interface so you can connect to the ASA IPS module directly; if it does not have a 
management interface, you can connect to the ASA IPS module through the ASA interface. The ASA 
IPS SSP on the ASA...

    Page 687

    Page 687 31-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module Operating Modes You can send traffic to the ASA IPS module using one of the following modes: Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module. This mode is the... 
     
31-3
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Information About the ASA IPS Module
Operating Modes
You can send traffic to the ASA IPS module using one of the following modes:
Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). 
No traffic that you identified for IPS inspection can continue through the ASA without first passing 
through, and being inspected by, the ASA IPS module. This mode is the...

    Page 688

    Page 688 31-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module Figure 31-3 Security Contexts and Virtual Sensors Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor. Figure 31-4 Single Mode ASA with Multiple Virtual Sensors Information About Management Access You can manage the IPS application using the following methods:... 
     
31-4
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Information About the ASA IPS Module
Figure 31-3 Security Contexts and Virtual Sensors
Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined 
traffic flow goes to a different sensor.
Figure 31-4 Single Mode ASA with Multiple Virtual Sensors
Information About Management Access
You can manage the IPS application using the following methods:...

    Page 689

    Page 689 31-5 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configuring the ASA IPS Module Licensing Requirements for the ASA IPS module See the following information about the management interface: –ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface. –ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the ASA IPS module as a software module. The IPS management interface shares the... 
     
31-5
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Licensing Requirements for the ASA IPS module
See the following information about the management interface:
–ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface 
is a separate external Gigabit Ethernet interface.
–ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the 
ASA IPS module as a software module. The IPS management interface shares the...

    Page 690

    Page 690 31-6 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 31 Configuring the ASA IPS Module Default Settings http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC. The ASA IPS module for the ASA 5510 and higher supports higher performance requirements, while the ASA IPS module for the ASA 5505 is designed for a small office... 
     
31-6
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 31      Configuring the ASA IPS Module
  Default Settings
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual 
sensors, are not supported on the AIP SSC.
The ASA IPS module for the ASA 5510 and higher supports higher performance requirements, 
while the ASA IPS module for the ASA 5505 is designed for a small office...
    Start reading Cisco Asdm 7 User Guide
    All Cisco manuals