topic So you've run through the in Network Security

ASA-CX management

battanc — Fri, 21 Feb 2020 13:13:48 GMT

I have a cluster of ASA 5515-X with CX, AVC and WEB Security.

A couple of questions:

1. how can I install the licenses, or: where can I do "Upload License File"

2. to manage CX and WEB/security, do I need PRSM ?

if YES, is PRSM a separate license that I can buy ?

if NO, how can I access to the CX and WEB/security console ?

Thank's

Claudio

To manage the NGFW services

Marvin Rhoads — Thu, 03 Jul 2014 19:26:30 GMT

To manage the NGFW services on the CX module (AVC, WSE and optionally IPS) you use the PRSM software. It comes in two "flavors":

1 - "on-box" or single device mode. This is the built-in PRSM that is included at no cost with every CX.

2 - "off-box" or multiple device mode. This is a licensed paid product that is delivered as a VM (ova file) that you need to install on a WMware ESX server that you provide. It is licensed per number of managed CX modules (an HA pair counts as one managed device). This mode allows you to create and manage common objects and policies across many CX instances, look at enterprise-wide events, etc. using a single management interface.

The license file is uploaded via PRSM in either mode. There is a console interface that has some very rudimentary features (initial setup, pull tech-support files, etc.). 99% of what you do with CX is via PRSM.

Thank's Marvin.Let me stay on

battanc — Fri, 04 Jul 2014 06:32:04 GMT

Thank's Marvin.

Let me stay on the first solution, which is the right one for me in this situation.
But sorry for my stupidity: I can not understand how to access.
You talk about "built-in": is it something link ASDM, already on the ASA, that downloads the software to my PC?
If so, how do I access to it ?

Thanks a lot

Claudio

Yes - that's what I mean by

Marvin Rhoads — Fri, 04 Jul 2014 15:12:06 GMT

Yes - that's what I mean by built-in. It is even more integral than ASDM in that it is not an optional way to configure the CX-based services but it is instead mandatory.

PRSM runs via a web server that is accessible via its unique CX-dedicated management IP address on the ASA once you have run through the initial setup (via ASDM or cli method) making it accessible. The steps for doing so are outlined in the CX Module Quick Start Guide.

Note the final step in that guide directs you:

This section describes how to launch PRSM to configure the ASA CX module application. For details on using PRSM to configure your ASA CX security policy, see the following ASA CX documentation roadmap:http://www.cisco.com/en/US/docs/security/asacx/roadmap/asacxprsmroadmap.html.

Note If you do not configure any policies on the ASA CX, all traffic redirected to the ASA CX will be allowed by default, and you can view the various reports in the ASA CX web interface to analyze the traffic.

You can launch PRSM from your web browser, or you can launch it from ASDM.

•Launch PRSM from a web browser by enter the following URL:

https://ASA_CX_management_IP

Where the ASA CX management IP address is the one you set in the "Configuring Basic ASA CX Settings at the ASA CX CLI" section.

•Launch PRSM from ASDM by choosing Home > ASA CX Status, and clicking the Connect to the ASA CX application link.

OK, now it's much clearer.

battanc — Mon, 07 Jul 2014 08:02:39 GMT

OK, now it's much clearer.

But a few more questions:

1. PRSM is only accessible from one interface (inside OR outside, OR ...), unlike ASDM which is available on all interfaces ?

2. I have to manage both from internal and external networks - how can I do it ?

3. from the outside, can I use the same IP of ASDM, on a different port (ASDM has already moved on port 10XXX because port 443 is used for NATting an internal host) ?

Best regards

Claudio

PRSM must be addressed

Marvin Rhoads — Mon, 07 Jul 2014 23:56:31 GMT

PRSM must be addressed ultimately via it's configured management address and on https (tcp/443).

If your firewall or some other intervening network device performs static NAT or PAT on that, it is OK as long as the packets reach PRSM via the ASA physical M0/0 interface which PRSM asserts its own configuration onto (either in addition to the ASA configuration of that interface or by itself).

Yes it is very unlike ADSM in this way as ASDM can be configured to be accessible via any reachable interface of the ASA.

I have management on a

battanc — Tue, 08 Jul 2014 13:28:07 GMT

I have management on a separate VLAN and I have configured management and CX on the same VLAN, on different IP (192.168.120.11 and .15).

Now, connected from outside via VPN (AnyConnect), I can reach the ASDM (192.168.120.11:10443) but I can't connect to PRSM (https://192.168.120.15).

What do I have wrong ?

How does your traffic flow

Marvin Rhoads — Tue, 08 Jul 2014 23:01:11 GMT

How does your traffic flow for the ASDM on the management interface?

I have seen instances where it's necessary to insert a static route for the PRSM IP since the ASA otherwise tries to connect to PRSM directly since it sees the route as needing to go via the connected /24 in stead of going into your LAN and via an internal gateway to come back to the PRSM IP address. In such a case, we would add a /32 route to PRSM and that would take precedence over the shorter prefix /24.

It works.I just add a static

battanc — Thu, 10 Jul 2014 06:38:27 GMT

It works.

I just add a static route in the INSIDE, for the <IP-PRSM> routing to the "inside default gateway".

I still can not ping, but I can manage PRSM via VPN.

Thanks a lot for the support

Claudio

Hello Caludio,I managed to

remi-reszka — Wed, 05 Nov 2014 02:56:07 GMT

Hello Caludio,

I managed to access the ASA CX management interface over VPN - both over https and icmp (ping responses). If you are interested to further resolve your issues please feel free to reply.

Regards,

Remi

hello marvin. can you help me

ciscosystemsgeorgia1 — Mon, 16 Feb 2015 16:40:59 GMT

hello marvin. can you help me?

i have a problmem about asa cx management. i can access asa management interface ip address but can not access asa cx ip which is from same subnet as asa's management ip address

So you've run through the

Marvin Rhoads — Mon, 16 Feb 2015 16:44:47 GMT

So you've run through the initial module setup and assigned the CX module's address and mask and gateway?

Can you confirm (by sessioning into the CX module from the ASA cli) that you can ping the gateway and further downstream addresses?

yes i have run initial setup

ciscosystemsgeorgia1 — Mon, 16 Feb 2015 18:06:01 GMT

yes i have run initial setup and i am pinging gateway from cx module, but i can not ping my pc. but from pc i can ping asa's management interface ip address

Have you removed the nameif

Marvin Rhoads — Mon, 16 Feb 2015 18:12:17 GMT

Have you removed the nameif from the ASA management interface (in the ASA configuration)?