Cisco ASDM 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide

CHAPTER 30: Configuring the ASA CX Module

This chapter describes how to configure the ASA CX module that runs on the ASA.

• Information About the ASA CX Module, page 30-1
• Licensing Requirements for the ASA CX Module, page 30-6
• Guidelines and Limitations, page 30-6
• Default Settings, page 30-8
• Configuring the ASA CX Module, page 30-8
• Managing the ASA CX Module, page 30-23
• Monitoring the ASA CX Module, page 30-27
• Troubleshooting the ASA CX Module, page 30-32
• Feature History for the ASA CX Module, page 30-33

Information About the ASA CX Module

The ASA CX module lets you enforce security based on the full context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook, or permitting finance employees access to a sensitive enterprise database but denying the same access to other employees.

• How the ASA CX Module Works with the ASA, page 30-2
• Monitor-Only Mode, page 30-3
• Information About ASA CX Management, page 30-4
• Information About Authentication Proxy, page 30-5
• Information About VPN and the ASA CX Module, page 30-5
• Compatibility with ASA Features, page 30-5
How the ASA CX Module Works with the ASA

The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. Any data interfaces on the ASA CX module are used for ASA traffic only. Traffic goes through the firewall checks before being forwarded to the ASA CX module. When you identify traffic for ASA CX inspection on the ASA, traffic flows through the ASA and the ASA CX module as follows:

1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA CX module.
5. The ASA CX module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA CX module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.

Because the firewall policy runs before the diversion (step 3 before step 4), the module only ever sees traffic the ASA has already permitted; a connection dropped by an ASA access rule never appears in ASA CX events.

Figure 30-1 shows the traffic flow when using the ASA CX module. In this example, the ASA CX module automatically blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.

Figure 30-1 ASA CX Module Traffic Flow in the ASA
[Figure 30-1 image: traffic between the inside and outside interfaces passes VPN decryption and firewall policy on the ASA main system, is diverted to ASA CX inspection, and traffic the module blocks is dropped.]

Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module, including traffic originating on the non-ASA CX interface (because the feature is bidirectional). However, the ASA only performs the authentication proxy on the interface to which the service policy is applied, because authentication proxy is applied only to ingress traffic (see the “Information About Authentication Proxy” section on page 30-5).
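The note above states two rules that are easy to get wrong when a connection crosses two ASA interfaces: diversion to the module is bidirectional, while the authentication proxy is ingress-only. The following model encodes those rules, plus the one-mode-at-a-time rule from the guidelines later in this chapter, so that you can predict what the ASA does with a given connection. This is an added example, not Cisco code or anything from the guide; the interface names, the policy objects and the use of a "global" key to stand for the global service policy are assumptions made for illustration.

```python
"""Model of how the ASA treats one connection under ASA CX service policies.
Added example, not Cisco code: interface names, policy objects and the
"global" key for the global service policy are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CxPolicy:
    """ASA CX action attached to a service policy."""
    monitor_only: bool = False   # module inspects read-only copies; nothing is enforced
    auth_proxy: bool = False     # HTTP users may be redirected to the ASA auth proxy port

    def __post_init__(self):
        # Active authentication is not supported in monitor-only mode.
        if self.monitor_only and self.auth_proxy:
            raise ValueError("auth-proxy cannot be combined with monitor-only")


@dataclass(frozen=True)
class Verdict:
    diverted: bool     # connection is sent through the ASA CX module
    auth_proxy: bool   # the ASA can act as authentication proxy for this connection
    enforced: bool     # module decisions affect the live flow (False in monitor-only)


class CxServicePolicies:
    """Service policies keyed by interface name.  The key "global" stands for
    the global policy, which covers interfaces that have no policy of their own."""

    def __init__(self, policies):
        modes = {p.monitor_only for p in policies.values() if p is not None}
        if len(modes) > 1:   # the ASA allows only one ASA CX mode at a time
            raise ValueError("monitor-only and inline policies cannot be mixed")
        self.policies = policies

    def policy_for(self, interface):
        policy = self.policies.get(interface)
        return policy if policy is not None else self.policies.get("global")

    def classify(self, ingress, egress):
        """Verdict for a connection entering on `ingress` and leaving on `egress`."""
        in_pol = self.policy_for(ingress)
        out_pol = self.policy_for(egress)
        applied = in_pol if in_pol is not None else out_pol   # bidirectional: either side diverts
        if applied is None:
            return Verdict(diverted=False, auth_proxy=False, enforced=False)
        return Verdict(
            diverted=True,
            # Ingress-only: only a policy on the entering interface can proxy authentication.
            auth_proxy=in_pol is not None and in_pol.auth_proxy,
            enforced=not applied.monitor_only,
        )


if __name__ == "__main__":
    # Constructed deployment: the ASA CX policy with auth-proxy applied only on "outside".
    sp = CxServicePolicies({"outside": CxPolicy(auth_proxy=True)})
    print("inside -> outside:", sp.classify("inside", "outside"))   # diverted, no auth proxy
    print("outside -> inside:", sp.classify("outside", "inside"))   # diverted, auth proxy
```

The inside-to-outside verdict is the surprising one: the connection is inspected by the module, but identity policies that depend on active authentication cannot be satisfied for it, because the proxy is only available on the interface carrying the service policy. Applying the policy globally removes that asymmetry.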
Monitor-Only Mode

For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode. For guidelines and limitations for monitor-only mode, see the “Guidelines and Limitations” section on page 30-6.

• Service Policy in Monitor-Only Mode, page 30-3
• Traffic-Forwarding Interface in Monitor-Only Mode, page 30-3

Service Policy in Monitor-Only Mode

For testing and demonstration purposes, you can configure the ASA to send a duplicate stream of read-only traffic to the ASA CX module, so you can see how the module inspects the traffic without affecting the ASA traffic flow. In this mode, the ASA CX module inspects the traffic as usual, makes policy decisions, and generates events. However, because the packets are read-only copies, the module actions do not affect the actual traffic. Instead, the module drops the copies after inspection. Monitor-only mode therefore gives visibility only: a deny decision appears as an event but never stops the live connection, so do not rely on it for enforcement. Figure 30-2 shows the ASA CX module in monitor-only mode.

Figure 30-2 ASA CX Monitor-Only Mode
[Figure 30-2 image: traffic between inside and outside passes VPN decryption and firewall policy on the ASA main system and is forwarded as normal; a copy of the traffic is sent to ASA CX inspection.]

Traffic-Forwarding Interface in Monitor-Only Mode

You can alternatively configure ASA interfaces to be traffic-forwarding interfaces, where all traffic received is forwarded directly to the ASA CX module without any ASA processing. For testing and demonstration purposes, traffic-forwarding removes the extra complication of ASA processing. Traffic-forwarding is only supported in monitor-only mode, so the ASA CX module drops the traffic after inspecting it. Figure 30-3 shows the ASA GigabitEthernet 0/3 interface configured for traffic-forwarding. That interface is connected to a switch SPAN port so the ASA CX module can inspect all of the network traffic.
Figure 30-3 ASA CX Traffic-Forwarding
[Figure 30-3 image: a switch SPAN port is connected to ASA Gig 0/3, the traffic-forwarding interface; forwarded traffic crosses the backplane to ASA CX inspection without passing VPN decryption or firewall policy. Gig 0/2 and the inside and outside interfaces carry normal ASA traffic.]

Information About ASA CX Management

• Initial Configuration, page 30-4
• Policy Configuration and Management, page 30-5

Initial Configuration

For initial configuration, you must use the CLI on the ASA CX module to run the setup command and configure other optional settings. To access the CLI, you can use the following methods:

• ASA 5585-X:
  – ASA CX console port—The ASA CX console port is a separate external console port.
  – ASA CX Management 1/0 interface using SSH—You can connect to the default IP address (192.168.8.8), or you can use ASDM to change the management IP address and then connect using SSH. The ASA CX management interface is a separate external Gigabit Ethernet interface.

  Note: You cannot access the ASA CX hardware module CLI over the ASA backplane using the session command.

• ASA 5512-X through ASA 5555-X:
  – ASA session over the backplane—If you have CLI access to the ASA, then you can session to the module and access the module CLI.
  – ASA CX Management 0/0 interface using SSH—You can connect to the default IP address (192.168.1.2), or you can use ASDM to change the management IP address and then connect using SSH. These models run the ASA CX module as a software module. The ASA CX management interface shares the Management 0/0 interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA CX module. You must configure the ASA CX IP address within the ASA CX operating system (using the CLI or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an ASA CX-only interface. This interface is management-only.

Policy Configuration and Management

After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security Manager (PRSM). Then configure the ASA policy for sending traffic to the ASA CX module using ASDM or the ASA CLI.

Note: When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI. Using PRSM lets you consolidate management to a single management system. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information.

Information About Authentication Proxy

When the ASA CX needs to authenticate an HTTP user (to take advantage of identity policies), you must configure the ASA to act as an authentication proxy: the ASA CX module redirects authentication requests to the ASA interface IP address/proxy port. By default, the port is 885 (user configurable). Configure this feature as part of the service policy that diverts traffic from the ASA to the ASA CX module. If you do not enable the authentication proxy, only passive authentication is available.

Note: If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module, including traffic originating on the non-ASA CX interface (the feature is bidirectional).
However, the ASA only performs the authentication proxy on the interface to which the service policy is applied, because this feature is ingress-only.

Information About VPN and the ASA CX Module

The ASA includes VPN client and user authentication metadata from the Cisco AnyConnect client when forwarding traffic to the ASA CX module, which allows the ASA CX module to include this information as part of its policy lookup criteria. The VPN metadata is sent only at VPN tunnel establishment time, along with a type-length-value (TLV) containing the session ID. The ASA CX module caches the VPN metadata for each session. Each tunneled connection sends the session ID so the ASA CX module can look up that session’s metadata.

Compatibility with ASA Features

The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA CX module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage. To take full advantage of the ASA CX module features, see the following guidelines for traffic that you send to the ASA CX module:

• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action.
• Other application inspections on the ASA are compatible with the ASA CX module, including the default inspections.
• Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA CX module.
• Do not enable ASA clustering; it is not compatible with the ASA CX module.
• If you enable failover, when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being acted upon by the ASA CX module. Only new flows received by the new ASA are acted upon by the ASA CX module.
• (9.1(1) and earlier) Does not support NAT 64. In 9.1(2) and later, NAT 64 is supported.

Licensing Requirements for the ASA CX Module

Model        License Requirement
All models   Base License

The ASA CX module and PRSM require additional licenses. See the ASA CX documentation for more information.

Prerequisites

To use PRSM to configure the ASA, you need to install a certificate on the ASA for secure communications. By default, the ASA generates a self-signed certificate. However, this certificate can cause browser prompts asking you to verify the certificate because the publisher is unknown. Clicking through those prompts also trains users to accept an unverified management endpoint, so a CA-issued certificate is preferable for more than convenience. To avoid these browser prompts, you can instead install a certificate from a known certificate authority (CA). If you request a certificate from a CA, be sure the certificate type is both a server authentication certificate and a client authentication certificate. See Chapter 40, “Configuring Digital Certificates,” in the general operations configuration guide for more information.

Guidelines and Limitations

Context Mode Guidelines

• (9.1(2) and earlier) Supported in single context mode only. Does not support multiple context mode.
• (9.1(3) and later) Supported in multiple context mode. See the following guidelines:
  – The ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
  – For ASA CX module support, you cannot use the same IP addresses in multiple contexts; each context must include unique networks.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode.

Failover Guidelines

Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX. Connections that are open at the moment of failover stay uninspected for their lifetime; only connections established after the failover are sent to the ASA CX module.

ASA Clustering Guidelines

Does not support clustering.

IPv6 Guidelines

Supports IPv6. (9.1(1) and earlier) Does not support NAT 64. In 9.1(2) and later, NAT 64 is supported.

Model Guidelines

• Supported only on the ASA 5585-X and 5512-X through ASA 5555-X. See the Cisco ASA Compatibility Matrix for more information: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide.

Monitor-Only Mode Guidelines

• You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure monitor-only mode for some contexts and regular inline mode for others.
• The following features are not supported in monitor-only mode:
  – Deny policies
  – Active authentication
  – Decryption policies
• The ASA CX does not perform packet buffering in monitor-only mode, and events will be generated on a best-effort basis. For example, some events, such as ones with long URLs spanning packet boundaries, may be impacted by the lack of buffering.
• Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in monitor-only mode, or both in normal inline mode.
• Additional guidelines for traffic-forwarding interfaces:
  – The ASA must be in transparent mode.
  – You can configure up to 4 interfaces as traffic-forwarding interfaces. Other ASA interfaces can be used as normal.
  – Traffic-forwarding interfaces must be physical interfaces, not VLANs or BVIs. The physical interface also cannot have any VLANs associated with it.
  – Traffic-forwarding interfaces cannot be used for ASA traffic; you cannot name them or configure them for ASA features, including failover or management-only.
  – You cannot configure both a traffic-forwarding interface and a service policy for ASA CX traffic.
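Several of the rules in the “Compatibility with ASA Features” and “Guidelines and Limitations” sections are mechanical enough to check against a running configuration before a change window. The following linter does that for a configuration excerpt. It is an added example, not Cisco code or anything from the guide: the excerpt is constructed and deliberately mixes a valid ASA CX redirect with the mistakes the guidelines warn about, the cxsc and traffic-forward command syntax is assumed from the ASA 9.1 CLI (which the chapter references but does not show on this page), and the ACL, class and interface names are placeholders.

```python
"""Lint an ASA running-config excerpt against the ASA CX guidelines in this
chapter.  Added example, not Cisco code: the excerpt is constructed and the
cxsc / traffic-forward command syntax is assumed from the ASA 9.1 CLI."""
import re

# Constructed excerpt: one valid ASA CX redirect plus several of the mistakes
# the guidelines warn about (all names are placeholders).
SAMPLE_CONFIG = """\
firewall transparent
cluster group cx-cluster
interface GigabitEthernet0/3
 no nameif
 traffic-forward cxsc monitor-only
class-map cx-traffic
 match access-list cx-acl
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
  inspect scansafe
 class cx-traffic
  cxsc fail-open auth-proxy
service-policy global_policy global
"""

BLOCK_RE = re.compile(r"(policy-map|interface|cluster group|class-map)\s+(\S+)")


def parse_config(text):
    """Return ({(kind, name): [indented lines]}, [unindented global commands])."""
    blocks, global_lines, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # continuation of the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        match = BLOCK_RE.match(raw)
        current = (match.group(1), match.group(2)) if match else None
        if current is not None:
            blocks.setdefault(current, [])
        else:
            global_lines.append(raw.strip())
    return blocks, global_lines


def policy_classes(lines):
    """Group one policy-map's lines by their 'class' entry."""
    classes, name = {}, None
    for line in lines:
        if line.startswith("class "):
            name = line.split(None, 1)[1]
            classes[name] = []
        elif name is not None:
            classes[name].append(line)
    return classes


def lint(text):
    """Return findings as (severity, code, message) tuples, in config order."""
    blocks, global_lines = parse_config(text)
    findings = []
    if any(kind == "cluster group" for kind, _ in blocks):
        findings.append(("error", "clustering", "ASA clustering is not compatible with the ASA CX module"))

    cx_actions = []  # (policy-map, class, cxsc command)
    for (kind, name), lines in blocks.items():
        if kind != "policy-map":
            continue
        classes = policy_classes(lines)
        in_policy = [(name, c, cmd) for c, cmds in classes.items() for cmd in cmds if cmd.startswith("cxsc ")]
        cx_actions += in_policy
        if not in_policy:
            continue
        # Traffic under this policy-map reaches the module, so flag the
        # inspections the chapter says not to combine with the ASA CX action.
        for cls, cmds in classes.items():
            if "inspect http" in cmds:
                findings.append(("error", "inspect-http", f"{name}/{cls}: ASA HTTP inspection on ASA CX traffic"))
            if "inspect scansafe" in cmds:
                findings.append(("warning", "scansafe", f"{name}/{cls}: Cloud Web Security inspection is ignored; only the ASA CX action runs"))

    if len({"monitor-only" in cmd for _, _, cmd in cx_actions}) > 1:
        findings.append(("error", "mixed-mode", "monitor-only and inline ASA CX actions cannot be mixed"))

    forwarders = [(name, lines) for (kind, name), lines in blocks.items()
                  if kind == "interface" and any(cmd.startswith("traffic-forward cxsc") for cmd in lines)]
    if forwarders and cx_actions:
        findings.append(("error", "forward-and-policy", "a traffic-forwarding interface cannot coexist with an ASA CX service policy"))
    if forwarders and "firewall transparent" not in global_lines:
        findings.append(("error", "forward-needs-transparent", "traffic-forwarding interfaces require transparent mode"))
    for name, lines in forwarders:
        if any(cmd.startswith("nameif ") for cmd in lines):
            findings.append(("error", "forward-named", f"interface {name}: a traffic-forwarding interface cannot be named"))

    for policy, cls, cmd in cx_actions:
        if "fail-open" in cmd:
            findings.append(("note", "fail-open", f"{policy}/{cls}: fail-open passes traffic uninspected while the module is unavailable"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(*finding)
```

Run against the sample, the linter reports clustering, HTTP inspection alongside the ASA CX action, an ignored Cloud Web Security inspection, a traffic-forwarding interface coexisting with a cxsc service policy, and a fail-open note. The last one is the one to read twice before go-live: fail-open keeps traffic moving if the module stops responding, at the cost of the policy the module was meant to enforce, so it should be a deliberate choice rather than a default.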
Additional Guidelines and Limitations

• See the “Compatibility with ASA Features” section on page 30-5.
• You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot later install other software on it.

Default Settings

Table 30-1 lists the default settings for the ASA CX module.

Table 30-1 Default Network Parameters

Parameter              Default
Management IP address  ASA 5585-X: Management 1/0, 192.168.8.8/24
                       ASA 5512-X through ASA 5555-X: Management 0/0, 192.168.1.2/24
Gateway                ASA 5585-X: 192.168.8.1/24
                       ASA 5512-X through ASA 5555-X: 192.168.1.1/24
SSH or session         Username: admin
                       Password: Admin123

These credentials are published defaults; change the admin password during initial setup, before the management interface is reachable from any shared network.

Configuring the ASA CX Module

This section describes how to configure the ASA CX module.

• Task Flow for the ASA CX Module, page 30-8
• Connecting the ASA CX Management Interface, page 30-9
• (ASA 5585-X) Changing the ASA CX Management IP Address, page 30-14
• (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module, page 30-12
• Configuring Basic ASA CX Settings at the ASA CX CLI, page 30-16
• Configuring the Security Policy on the ASA CX Module Using PRSM, page 30-17
• Redirecting Traffic to the ASA CX Module, page 30-19

Task Flow for the ASA CX Module

Configuring the ASA CX module is a process that includes configuration of the ASA CX security policy on the ASA CX module and then configuration of the ASA to send traffic to the ASA CX module. To configure the ASA CX module, perform the following steps:

Step 1 Cable the ASA CX management interface. See the “Connecting the ASA CX Management Interface” section on page 30-9.
Step 2 (ASA 5512-X through ASA 5555-X; May be required) Install the software module. See the “(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module” section on page 30-12.
Step 3 (ASA 5585-X) Configure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14.
Step 4 On the ASA CX module, configure basic settings. You must use the CLI to configure these settings. See the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-16.
Step 5 On the ASA CX module, configure the security policy using PRSM. See the “Configuring the Security Policy on the ASA CX Module Using PRSM” section on page 30-17.
Step 6 (Optional) On the ASA, configure the authentication proxy port. See the “(Optional) Configuring the Authentication Proxy Port” section on page 30-18.
Step 7 On the ASA, identify traffic to divert to the ASA CX module. See the “Redirecting Traffic to the ASA CX Module” section on page 30-19.

Note: When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI. However, PRSM has some limitations when configuring the ASA service policy; see the ASA CX user guide for more information.

Connecting the ASA CX Management Interface

In addition to providing management access to the ASA CX module, the ASA CX management interface needs access to an HTTP proxy server or a DNS server and the Internet for signature updates and more. This section describes recommended network configurations. Your network may differ.

ASA 5585-X (Hardware Module)

The ASA CX module includes a separate management interface from the ASA. For initial setup, you can connect with SSH to the ASA CX Management 1/0 interface using the default IP address (192.168.8.8/24). If you cannot use the default IP address, you can either use the console port or use ASDM to change the management IP address so you can use SSH.
[Figure image: ASA 5585-X chassis with two SSPs. ASA SSP: Management 0/0, default IP 192.168.1.1. ASA CX SSP: Management 1/0, default IP 192.168.8.8.]
If you have an inside router

If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.

[Figure image: a management network holding ASA Management 0/0, ASA CX Management 1/0, a management PC and a proxy or DNS server sits behind a router; the router is the ASA CX default gateway and the ASA gateway for the management network, and connects to the ASA inside network; the ASA outside interface leads to the Internet.]

If you do not have an inside router

If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. Because the ASA CX module is a separate device from the ASA, you can configure the ASA CX Management 1/0 address to be on the same network as the inside interface. In this layout every host on the inside network can reach the module’s SSH management interface, so change the default credentials before cabling it to that network.

[Figure image: a Layer 2 switch on the inside network connects the ASA inside interface, ASA CX Management 1/0, a management PC and a proxy or DNS server; ASA Management 0/0 is not used; the ASA inside interface is the ASA CX default gateway; the ASA outside interface leads to the Internet.]