Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
301
Views
15
Helpful
8
Replies

Help setting up Service policy for CX module

Go to solution
burleyman
Level 8
Level 8

‎10-16-2014 12:39 PM - edited ‎03-11-2019 09:56 PM

I want to setup a service policy rule to send traffic to the CX module. What would be the best setup for that? What interfaces? etc.

 

Mike

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to burleyman

‎10-17-2014 08:29 AM

The Quick Start Guide covers it briefly. The User Guide goes into more detail and includes cli steps.

Ideally you'd send all traffic - that's part of the value of AVC, giving you visibility into and control over what's going on at the application level.

No, you should not inspect http on the base ASA. Any other inspections should be OK to keep.

With a default policy set there should not be any traffic disruption. Based on what policy you may have configured, you may get the blocks, warnings, etc. the product is designed to offer.

Even so we always recommend testing in a lab environment first and introducing any such significant change as part of a coordinated and approved maintenance window so that the possibility of service-affecting outage is taken into account.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-16-2014 01:00 PM

Best practice is to redirect traffic to the CX via your global policy (class class-default).

Go to solution
burleyman
Level 8
Level 8
In response to Marvin Rhoads

‎10-17-2014 07:53 AM

Do I send all traffic through the CX or just some?

Which direction or both?

I did try to use the global policy and I had some issues with that. I will try again as maybe I missed something.

Also I need to make sure the ASA is not inspecting the HTTP traffic, correct?

Is there any other traffic that I should make sure the ASA does not inspect?

Will setting this up disrupt traffic?

Are there any step by steps for this? I could not seem to find any this about setting up the service policy specific to the traffic going to the CX module.

 

Mike

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to burleyman

‎10-17-2014 08:29 AM

The Quick Start Guide covers it briefly. The User Guide goes into more detail and includes cli steps.

Ideally you'd send all traffic - that's part of the value of AVC, giving you visibility into and control over what's going on at the application level.

No, you should not inspect http on the base ASA. Any other inspections should be OK to keep.

With a default policy set there should not be any traffic disruption. Based on what policy you may have configured, you may get the blocks, warnings, etc. the product is designed to offer.

Even so we always recommend testing in a lab environment first and introducing any such significant change as part of a coordinated and approved maintenance window so that the possibility of service-affecting outage is taken into account.

0 Helpful

Go to solution
burleyman
Level 8
Level 8
In response to Marvin Rhoads

‎10-17-2014 09:03 AM

Thank you for your help...so based on all this see if this is correct.

 

Current Config

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

********************************
Make these changes

policy-map global_policy
class class-default
cxsc fail-open

*****************************

Result

policy-map global_policy
 class class-default
  cxsc fail-open
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

 

 

That's it? I actually had found that but it seemed to easy so I did not think that was it.

 

Mike

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to burleyman

‎10-17-2014 10:14 AM

Yes, that's all it takes to redirect the flows through the ASA into the CX module.

When you modify the policy-map the parser will actually put the class-default at the end of that configuration section instead of in the beginning as you showed in your reply.

Go to solution
burleyman
Level 8
Level 8
In response to Marvin Rhoads

‎10-17-2014 10:51 AM

Thanks for your help.

 

Mike

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to burleyman

‎10-17-2014 11:45 AM

You're welcome. Thanks for the ratings.

I was thinking about your question about impact. If you don't have a lab to work in ahead of time you can selectively choose to redirect only a single host or subnet to the CX module by defining it with an ACL and then trying out only that subset of your traffic in the CX policy regime.

Go to solution
burleyman
Level 8
Level 8
In response to Marvin Rhoads

‎10-17-2014 12:13 PM

Thanks for the info. I am going to do it on site early so I should be good to test and roll back as needed.

Thanks and have a great weekend.

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card