04-15-2013 09:48 AM - edited 03-11-2019 06:28 PM
Hello,
I'm currently in the process of setting up a new 5512-x to get it running with the context-aware module. I have read the documentation at:
http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
But I still have some questions about exactly how to appropriately set up a management IP for the service. Currently the only way I can access the CX module is if I use the management interface as the default gateway: put the CX module on an IP in the same subnet (192.168.1.x) and use the management interface IP 192.168.1.1 as the default gateway.
The problem with this (I'm guessing) is that when I log into the module via PRSM and look at events, the first thing I notice is that it's failing to go out to the internet and pick up updates (update failed). I suspect this is because the Management interface is set for management-only traffic and thus won't let the ASA CX connect out to the internet for updates, web reputation, etc. So I tried to remove the management-only option and got an error message that this isn't possible on this platform.
So my question is, how is the ASA cx module supposed to be configured from a routing standpoint? I read the document about whether or not you have a router on the LAN or not. I do have a layer-3 switch behind it, so I would like to be able to reach it from the LAN.
My inside interface is:
10.254.254.17/29
I tried using 10.254.254.19/29 as the module's ip and using 10.254.254.17 as the default gateway but am unable to reach it from the inside LAN.
Any ideas what I'm doing wrong here? Basically, I can't get the module to go out to the internet when the IP is on the Management subnet (192.168.1.x), and can't even reach it at all when I place it on the internal LAN subnet 10.254.254.16/29.
Any help or an example is greatly appreciated.
07-01-2013 03:19 PM
Hi Brian,
Were you able to solve this problem?
The same thing you mentioned is happening to me. I have the scenario where I do not have a router: the ASA is directly connected to the Internet. I am using the ASA CX module in the same subnet as my LAN, and I have connected the module to the LAN, but I still cannot reach the ASA CX module.
Any idea why this happens?
07-22-2013 01:40 PM
I'm looking for this information as well. Can the 5512 be managed from an IP on the inside interface instead of the management interface?
I have my inside IP set at 192.168.254.1/29
and the CX interface set as 192.168.254.6/29
but I can't get to it from that network.
Any suggestions?
02-21-2017 03:38 AM
actually this is exactly my problem now
I have my inside IP set at 192.168.X.X/24
and the CX interface set as 192.168.X.X/24
but the CX module cannot reach any network,,, did you manage to solve this problem?
07-22-2013 02:17 PM
Hi
My problem was the native VLAN on the switch that connects to the inside interface of the ASA. The handle does not understand the native VLAN. I changed the native VLAN on the uplink trunk and I could manage the ASA from the inside network.
I hope it works for you.
Regards,
07-22-2013 03:01 PM
I'm not sure I know what you mean. I can already manage the ASA from the inside, just not the software CX module. Can you clarify?
07-22-2013 08:27 PM
The CX needs to use (one of) the ASA's physical management interface(s). You may or may not also use that interface for ASA management.
This is explained in some detail here.
10-21-2013 10:23 AM
I was facing a similar problem. I was only using the mgmt0/0 interface to give the CX module network connectivity, but as soon as I enabled another firewall interface on the same subnet, I had connectivity problems with that interface sharing the same subnet as the CX module.
To make myself clear:
ASA CX interface mgmt0/0: VLAN 12 - access to the mgmt interface of the CX module working OK
ASA interface G0/2: VLAN 12 - 1 ping worked OK to hosts on the same subnet, after that, no connectivity on this interface
What I tried is, instead of having interface G0/2 configured in access mode, to create a port-channel interface between the ASA and the access switch, and on this port-channel I enabled a subinterface mapped to VLAN 12.
The CX Interface (mgmt 0/0) was left with the same configuration, in access mode in vlan 12.
Doing this, I was able to have connectivity in both interfaces with IP addressing of the same subnet.
I hope this is helpful to others having this issue.
Here's my interface config:
!
interface GigabitEthernet0/0
description Outside
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface Port-channel1.12
vlan 12
nameif services
security-level 60
ip address 192.168.12.8 255.255.255.0
!
interface Port-channel1.222
vlan 222
nameif inside
security-level 100
ip address 192.168.222.1 255.255.255.0
!
----
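The two failure modes this thread keeps circling are (a) the CX module's default gateway pointing at the ASA's management-only interface, which never routes the module's update and web-reputation traffic out to the Internet (the original question), and (b) the CX management subnet overlapping a named ASA data interface that is not on the same L2 path as the Management0/0 port (the "one ping then nothing" symptom in the port-channel post above). The following script is an added example, not from the thread or from Cisco: it parses a constructed ASA running-config excerpt (modelled on the posted one, with Brian's 192.168.1.1 management-only interface and 10.254.254.17/29 inside interface folded in) and reports those conditions for a proposed CX IP and gateway. The config text, the CX addresses and the severity labels are all assumptions made for the example.

```python
"""Sanity-check an ASA-CX management IP/gateway against an ASA running-config.

Added example, not from the forum thread or from Cisco. It answers two
questions a practitioner asks before rebooting the module:
  1. Is the CX default gateway an ASA interface flagged management-only?
     If so the module will never be routed to the Internet for updates.
  2. Does the CX management subnet touch any named ASA data interface?
     That only works if the Management0/0 port and that interface sit on
     the same L2 segment (e.g. the VLAN 12 port-channel subinterface
     described above), so it is reported as a warning, not an error.
"""
import ipaddress
import re

# Constructed sample config (modelled on the posted one, not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description Outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1.12
 vlan 12
 nameif services
 security-level 60
 ip address 192.168.12.8 255.255.255.0
!
interface Port-channel1.222
 vlan 222
 nameif inside
 security-level 100
 ip address 10.254.254.17 255.255.255.248
!
"""


def parse_interfaces(config):
    """Return {interface: {"nameif", "ip": IPv4Interface|None, "management_only"}}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"nameif": None, "ip": None, "management_only": False}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            continue  # global config or the '!' separator
        token = line.strip()
        if token == "management-only":
            current["management_only"] = True
        elif token.startswith("nameif "):
            current["nameif"] = token.split()[1]
        else:
            m = re.match(r"ip address (\S+) (\S+)$", token)  # skips 'no ip address'
            if m:
                try:
                    current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                except ValueError:
                    pass  # e.g. 'ip address dhcp setroute' carries no static address
    return interfaces


def check_cx_placement(config, cx_ip, cx_gateway):
    """Return [(severity, message)] for a proposed CX management IP and gateway.

    An empty list means the CX sits on its own subnet behind a gateway that is
    not an ASA interface at all (the 'router inside' layout from the QSG).
    """
    findings = []
    cx = ipaddress.ip_interface(cx_ip)
    gw = ipaddress.ip_address(cx_gateway)
    if gw not in cx.network:
        findings.append(("error", f"gateway {gw} is outside the CX subnet {cx.network}"))
    for name, intf in parse_interfaces(config).items():
        ip = intf["ip"]
        if ip is None:
            continue
        if ip.ip == gw:
            if intf["management_only"]:
                findings.append(("error", f"gateway {gw} is ASA interface {name} "
                                 f"({intf['nameif']}), which is management-only and "
                                 "will not route the module to the Internet"))
            else:
                findings.append(("warning", f"gateway {gw} is ASA interface {name} "
                                 f"({intf['nameif']}); the CX reaches it only through the "
                                 "Management0/0 port, so both must be on the same L2 segment"))
        elif ip.network.overlaps(cx.network):
            findings.append(("warning", f"ASA interface {name} ({intf['nameif']}) shares "
                             f"subnet {ip.network} with the CX management IP"))
    return findings


if __name__ == "__main__":
    for cx_ip, gw in [("192.168.1.10/24", "192.168.1.1"),
                      ("10.254.254.19/29", "10.254.254.17"),
                      ("192.168.50.10/24", "192.168.50.1")]:
        print(cx_ip, gw, check_cx_placement(SAMPLE_CONFIG, cx_ip, gw) or "OK")
```

The script deliberately does not try to infer physical wiring: it cannot know which switch port Management0/0 is patched to, so any overlap with a data interface is a warning to verify on the switch (VLAN membership, native VLAN on the trunk, as two earlier replies found) rather than an error.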
01-23-2014 02:41 PM
I also have the same issue as Brian Larter; I'm not able to figure out how to correctly perform the configuration displayed at:
http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html (ASA 5512-X with router inside).
If someone already did it, it would be nice to hear some tips.
Best Regards
Pisco
02-16-2014 03:49 AM
Hi all,
After 30 min. I found out that to transfer a file from your PC to the ASA-CX, you need to transfer it via the ASA's M0/0.
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp51248
02-16-2014 05:07 AM
Hi All,
A few days ago I configured the ASA CX and it's working fine. Please share your experience and what you actually want.
Regards
Parosh