Cisco Support Community
New Member

Cisco ASA to CX upgrade


I have a couple of questions. I am upgrading from ASA to ASA CX. This is an existing firewall with configurations, policies, nat rules, etc.

1. When you upgrade to CX, does the firewall keep the configuration: ip address of interfaces, security levels, acls, access-groups, nats, anyconnect, etc.?

2. If you don't have the PRSM, can you manage that firewall from the PRSM web interface by https to the ip address?

3. Can you still manage the firewall from CLI and asdm or you can't do that after you upgrade to CX?

Thanks in advance.

Hall of Fame Super Silver

1. Yes, the base ASA configuration is unchanged.

2. On-box PRSM (aka single device mode) manages the Next Generation Firewall (NGFW - AVC, WSE and IPS) features depending on which are licensed. You do access it via the PRSM web UI (very limited setup steps are done via sessioning into the module from the ASA cli) and you physically use the ASA management interface. (Although the PRSM interface has its own distinct IP address whether or not you have the interface configured / used in the base ASA.)

3. Yes. Think of CX like the older CSC-SSM modules running IPS or Trend Micro AV services. With CX you similarly redirect traffic from the ASA processing path using a service-policy and the CX runs it through its logic (policies, inspections, etc.) and then hands it back to the base ASA for the remaining steps of the packet flow.

Depending on how your ASA was originally purchased, you may need to purchase the SSD hardware (required for CX) in addition to the licensing you need for the NGFW features.
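
The redirection described in answer 3, shown as an ASA configuration sketch. This is an added example, not part of the original reply or of Cisco's documentation; the names CX_ACL and CX_TRAFFIC and the choice of ports are hypothetical, and it assumes the default `global_policy` policy map is in use.

```text
! Constructed example. CX_ACL and CX_TRAFFIC are hypothetical names.
! Select the traffic the CX module should inspect (here: web traffic only).
access-list CX_ACL extended permit tcp any any eq www
access-list CX_ACL extended permit tcp any any eq https
!
class-map CX_TRAFFIC
 match access-list CX_ACL
!
! Redirect the matched class to the CX module.
!   fail-open  : if the module is unavailable, traffic passes uninspected
!   fail-close : if the module is unavailable, matched traffic is dropped
policy-map global_policy
 class CX_TRAFFIC
  cxsc fail-open
!
service-policy global_policy global
!
! Check that the module is up and that the redirect is matching traffic.
show module cxsc
show service-policy cxsc
```

Interface addresses, security levels, ACLs, and NAT stay in the base ASA configuration, so the existing CLI and ASDM workflow is unaffected; only the matched class is handed to the module and returned.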

New Member

Thanks a bunch. The documentation is very poor. Cisco needs to do a better job in documenting a new product especially if they want to beat the competition (PaloAlto).


Hall of Fame Super Silver

You're welcome.

You may want to take a look at CiscoLive365 sessions BRKSEC-1024 (high level comparison of IOS and ASA NGFW) and BRKSEC-2024 (deeper dive into ASA NGFW).

Please rate and mark your question as answered when it has been.