
Cisco ASA 5506-X Configuration Manual page 375


Chapter 17
ASA CX Module
Policy Configuration and Management
After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security
Manager (PRSM). PRSM is both the name of the ASA CX configuration interface and the name of a
separate product for configuring ASA CX devices, Cisco Prime Security Manager.
Then configure the ASA policy for sending traffic to the ASA CX module using ASDM, the ASA CLI,
or PRSM in multiple-device mode.
Authentication Proxy for Active Authentication
You can configure identity policies on the ASA CX to collect user identity information for use in access
policies. The system can collect user identity either actively (by prompting for username and password
credentials) or passively (by retrieving information collected by AD Agent or Cisco Context Directory
Agent, CDA).
If you want to use active authentication, you must configure the ASA to act as an authentication proxy.
The ASA CX module redirects authentication requests to the ASA interface IP address/proxy port. The
default port is 885, but you can configure a different port.
To enable active authentication, you enable the authentication proxy as part of the service policy that
redirects traffic to ASA CX, as explained in Create the ASA CX Service Policy, page 17-17.
Compatibility with ASA Features
The ASA includes many advanced application inspection features, including HTTP inspection.
However, the ASA CX module provides more advanced HTTP inspection than the ASA provides, as well
as additional features for other applications, including monitoring and controlling application usage.
configuration of the ASA CX IP address within the ASA CX operating system (using the CLI
or ASDM). However, physical characteristics (such as enabling the interface) are configured on
the ASA. You can remove the ASA interface configuration (specifically the interface name) to
dedicate this interface as an ASA CX-only interface. This interface is management-only.
To take full advantage of the ASA CX module features, see the following guidelines for traffic that you
send to the ASA CX module:
- Do not configure ASA inspection on HTTP traffic.
- Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX
  action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX
  action.
- Other application inspections on the ASA are compatible with the ASA CX module, including the
  default inspections.
- Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA CX
  module.
- Do not enable ASA clustering; it is not compatible with the ASA CX module.
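Added example, not from the Cisco guide: a Python check that reads an ASA running-config and flags policy maps that redirect to ASA CX without the auth-proxy keyword, or that also contain HTTP or Cloud Web Security inspection. The command spellings (`cxsc fail-open auth-proxy`, `cxsc auth-proxy port`, `inspect http`, `inspect scansafe`) are ASA CLI syntax that this page does not show, and the sample configuration and all names in it are constructed.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
cxsc auth-proxy port 5000
class-map cx_class
 match any
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
 class cx_class
  cxsc fail-open
policy-map outside_policy
 class cx_class
  cxsc fail-close auth-proxy
service-policy global_policy global
"""

# Inspections the guidelines say not to combine with the ASA CX action.
CONFLICTING = ("inspect http", "inspect scansafe")

def audit_cx_policy(config):
    """Return (auth_proxy_port, findings) for policy maps that use cxsc."""
    port = 885   # default authentication proxy port
    maps = {}    # policy-map name -> [(class name, command), ...]
    pmap = cls = None
    for raw in config.splitlines():
        line, top_level = raw.strip(), not raw.startswith(" ")
        m = re.fullmatch(r"cxsc auth-proxy port (\d+)", line)
        if top_level and m:
            port = int(m.group(1))
        elif top_level:
            # Any other top-level command ends the current policy-map block.
            pm = re.match(r"policy-map (?!type )(\S+)", line)
            pmap, cls = (pm.group(1) if pm else None), None
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
        elif pmap and cls:
            maps.setdefault(pmap, []).append((cls, line))
    findings = []
    for name, cmds in maps.items():
        cx = [(c, cmd) for c, cmd in cmds if cmd.startswith("cxsc ")]
        for c, cmd in cx:
            if "auth-proxy" not in cmd.split():
                findings.append(f"{name}/{c}: no auth-proxy keyword, active authentication is not enabled")
        for c, cmd in (cmds if cx else []):
            if cmd.startswith(CONFLICTING):
                findings.append(f"{name}/{c}: review '{cmd}' in a policy map that redirects to ASA CX")
    return port, findings
```

An inspection flagged here may sit in a different class from the ASA CX action, so confirm whether the two classes match the same traffic before changing the policy.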
Cisco ASA Series Firewall CLI Configuration Guide