5057 Views, 5 Helpful, 17 Replies

Cisco ASA 5500-X Series Next-Generation Firewalls

ciscotech45 (Level 1)

Hi,

I have a few questions on the new 5500-X series ASAs.

1. We are planning on using two of these in an active/standby HA pair. Now to manage these, I understand I will need the Prime Security Manager (PRSM). Is this management utility only available on VMware or can it be there locally on both these firewalls (like the good old ASDM)? I mean, without VMware, can I still configure and manage these two ASAs via the PRSM?

2. I have been hearing that these new 5500-X series ASA's are best managed using PRSM and the management capability via the command line is rather limited. Is this accurate? I am so used to the CLI and so a bit concerned here.

Thanks!!

3 Accepted Solutions


17 Replies

Collin Clark (VIP Alumni)

You do not need PRSM to manage the ASAs. In fact PRSM has limited configuration for the ASA. As of today you can only manage NATs and ACLs in PRSM. Management of the ASA is still done via CLI or ASDM. PRSM is highly suggested with the CX module, but even then it is not required.

Great! Thanks for your reply.

To run ASDM, do I have to 'downgrade' the cx version of the software that I thought comes with the device? I guess the 'x' confuses me into thinking that it requires PRSM..

Also, is there a dependency on VMware if I were to use PRSM (if the purpose is to manage just these two ASAs in an HA pair with no more additional ASAs) or can PRSM be set up similarly to ASDM (locally on each ASA)?

Thanks.

To run ASDM, do I have to 'downgrade' the cx version of the software that I thought comes with the device? I guess the 'x' confuses me into thinking that it requires PRSM..

No you do not. ASDM runs on the ASA, whereas PRSM runs on the SSD drive that is in the firewall. They are completely separate from each other. X is just Cisco's new nomenclature for the next generation of hardware. If you read the release notes on the CX software you'll see that CX version x.y requires ASA code a.b so there is some correlation between the two for compatibility, but that's really about it. As of today, to manage the ASA you still use ASDM and to manage the CX you use PRSM.

Also, is there a dependency on VMware if I were to use PRSM (if the purpose is to manage just these two ASAs in an HA pair with no more additional ASAs) or can PRSM be set up similarly to ASDM (locally on each ASA)?

You can locally manage the CX with the PRSM that is on box. The reason PRSM on VMware is suggested is that there is limited storage on the local drive in the ASA. You really can't save enough data on the drive for reports and such. With VMware you can of course create larger disks and store more events and reports. PRSM is not required, just suggested.

Thanks again for your reply!

I am told the next generation ASA that we are getting comes with the CX version of the software and the also the regular ASA software. So if I am to use only the ASDM and CLI to manage the ASA, does that mean I won't be able to use the CX software at all? I mean, will I be missing out on the so called next generation features by not using the CX software?

thank you.

Think of CX as a module that goes in the ASA. In fact there is a CX module that will soon go into routers. The regular ASA software (CLI and ASDM) controls just the firewall and none of the CX module. PRSM controls the CX application. They are mutually exclusive of each other.

The ASA will come with the typical software you're used to seeing, something like 9.1.2. This is managed just like other ASA's, with the CLI and ASDM.

The CX module comes with its own software, something like asacx-sys-9.2.1.2-50.pkg. It is managed by either the PRSM that is local to the CX module or the PRSM virtual machine.

How they interact is we configure the ASA to send specific traffic over to the CX module for policy filtering. Here's an example

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/09/26/what-traffic-to-filter-in-cx

Does that make sense? Two different products, each managed by their own software. They just happen to be in one physical device.

Does make sense, thanks for the explanation. I can't seem to access the link you pasted, says something like I am not allowed to view that or something to that effect.

Does all traffic get sent over to the CX module by default or is it only the traffic that I specify? I am wondering how tightly integrated these two (the regular ASA software and the CX module) are and if I can have the CX module not do anything to the traffic other than just passing it through?

Also, I hear that I can use a web browser to connect to these devices which will allow me to manage the CX part of it without having to install or use PRSM. Is this accurate?

Thanks very much.

You specify what traffic gets sent to the CX (see attached). We like to do try-n-buy with our customers so we'll go in and install the CX into their network but put it in 'monitor-mode'. It sees all the traffic and you can report on it, but it does not apply any policy to it.

PRSM, both on box and on the VM, utilize a web interface. If you like I can do a Webex with you and show you the interface.

In the PDF link, you have specified what traffic gets sent over to the CX module. If I don't specify this, by default does all traffic get sent over to the CX module (following the regular firewall inspection process)? And if it does, what action (again, by default) would the CX module take on this traffic?

Thank you !

By default no traffic is sent to the CX. You have to configure the ASA like in the PDF or you can do it through PRSM. I'll provide a screenshot when my upgrade is done.
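As an added illustration, not taken from this thread or from the PDF Collin attached, this is the shape of the ASA Modular Policy Framework configuration the reply above refers to: an access list selects the traffic, a class-map matches it, and the cxsc action under global_policy hands it to the module. The ACL name CX_REDIRECT, the class name cx-traffic and the subnet 192.0.2.0/24 are placeholders chosen for the example; monitor-only and fail-open correspond to what Collin describes earlier (the module sees the traffic without enforcing policy, and matched traffic still passes if the module is down). Confirm the exact keywords against the CX release notes for the ASA version in use before applying.

```cisco
! Added example, not from the thread: send only a chosen subset of traffic to
! the CX module, in monitor-only mode, failing open if the module is unavailable.
! CX_REDIRECT, cx-traffic and 192.0.2.0/24 are placeholder names/addresses.
!
! 1. Select the traffic to redirect (here: HTTP/HTTPS from one inside subnet).
!    By default nothing is sent to CX, so anything not matched here is untouched.
access-list CX_REDIRECT extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list CX_REDIRECT extended permit tcp 192.0.2.0 255.255.255.0 any eq https
!
! 2. Match that access list in a class-map.
class-map cx-traffic
 match access-list CX_REDIRECT
!
! 3. Attach the class to the global policy.
!    monitor-only : CX reports on the traffic but applies no policy to it.
!    fail-open    : if the module fails, matched traffic is still forwarded.
!    (fail-close would drop matched traffic while the module is down.)
policy-map global_policy
 class cx-traffic
  cxsc fail-open monitor-only
!
! 4. Verify module state and that the redirect counters increment.
show module cxsc
show service-policy cxsc
```

Because the redirect is scoped by the access list, widening the ACL step by step is the low-risk way to extend what the module sees on a pair that is already carrying production traffic and VPN tunnels, which is the concern raised later in the thread.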

okay, I finally have the ASA X and have set it up using just the CLI and ASDM without even touching the CX module. All's well. But now, I want to check out the CX module, a few questions in that regard:

1. How do I begin accessing the CX module initially? Does it have to be via a separate IP address different from the interface IP address I currently use to manage the ASA? and how do I configure what IP address to use?

2. Moving forward, I intend to continue managing the ASA using the CLI and ASDM, and use the PRSM local to the box to manage the CX module. Is this possible or is there anything like once I set up the CX aspects using PRSM I have no choice but to manage everything using PRSM only?

Thank you.

1. To setup the CX you access it from the CLI of the ASA. SSH into the CLI and type session cxsc console

You will be prompted to authenticate. The username is Admin and the password is Admin123. Once logged in it will run through a setup wizard. You can give it any IP you like (that's valid in your network). The CX uses the management interface of the ASA for physical external connectivity so you just need to make sure that the management interface on the ASA is in the correct VLAN for the IP you gave CX.

2. That is possible. If you use on-box PRSM then you manage the ASA with ASDM/CLI and CX with PRSM by default.

Okay great. Thanks yet again.

I am normally not in the habit of using the management interfaces of the ASA. But if I understand this right, for managing CX (via ssh, https) I can only use the management interface IP and not any other interface IP, correct? Also, the CX uses the management interface only for management purposes and not for traffic inspection or anything else, is that correct?

The IP address that I assign to this management interface for the CX management, can it be from the same subnet as one of the other interfaces? I guess not...

Is there anything else I need to possibly watch out for when I am enabling this CX module? I have the ASAs as an active/standby pair, with quite a few subinterfaces/VLANs defined. These are not in production yet, but will soon be. There are ipsec site to site VPN tunnels also that terminate on them. So while my purpose now is to see what the CX module is capable of doing, I would like to try and avoid breaking anything that's already set up and working.

Thanks!

The management interface in the ASA does not get assigned an IP address. Think of that interface as a passthru to the CX module. The IP you give CX is the only IP you can use to manage the CX. In ASDM you can see the status of CX, but that is it. You could give the CX an IP address in the same subnet as the ASA, the inside interface for example. The interface for CX is strictly for management. Traffic from the ASA to CX for inspection happens on the backplane. The CX is a separate device as far as the ASA is concerned, so messing with the CX should not cause any problems. You will want to be careful once you create the policy to start sending traffic to CX (if it's already in production by then).

thanks. So when I assign an IP to the management interface to manage the CX, do I have to specify an IP for the standby ASA's management interface as well? I have the ASAs in an active/standby config now.

Also, how is the CX module's status evaluated for a possible failover? I mean, is it as simple as checking for a functional link in both the ASAs' management interfaces? As far as possible I don't want the CX module's status to come into play during a failover decision (at least not until I have decided whether or not to use the CX module).

Thank you.
