06-03-2014 05:08 PM - edited 03-11-2019 09:17 PM
Hello,
I have a couple of questions. I am upgrading from ASA to ASA CX. This is an existing firewall with configurations, policies, NAT rules, etc.
1. When you upgrade to CX, does the firewall keep the configuration: IP addresses of interfaces, security levels, ACLs, access-groups, NATs, AnyConnect, etc.?
2. If you don't have the PRSM, can you manage that firewall from the PRSM web interface by HTTPS to the IP address?
3. Can you still manage the firewall from the CLI and ASDM, or can you not do that after you upgrade to CX?
Thanks in advance.
06-03-2014 07:21 PM
1. Yes, the base ASA configuration is unchanged.
2. On-box PRSM (aka single device mode) manages the Next Generation Firewall (NGFW - AVC, WSE and IPS) features depending on which are licensed. You do access it via the PRSM web UI (very limited setup steps are done via sessioning into the module from the ASA CLI) and you physically use the ASA management interface. (Although the PRSM interface has its own distinct IP address whether or not you have the interface configured / used in the base ASA.)
3. Yes. Think of CX like the older CSC-SSM modules running IPS or Trend Micro AV services. With CX you similarly redirect traffic from the ASA processing path using a service-policy and the CX runs it through its logic (policies, inspections, etc.) and then hands it back to the base ASA for the remaining steps of the packet flow.
Depending on how your ASA was originally purchased, you may need to purchase the SSD hardware (required for CX) in addition to the licensing you need for the NGFW features.
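The service-policy redirection described in answer 3, as an added example that is not part of the original reply. The object names `CX_TRAFFIC` and `CX_CLASS` are hypothetical, and the use of the existing `global_policy` is an assumption about the base configuration; `cxsc` is the ASA command that hands matched traffic to the CX module.

```cisco
! Added example, entered from the base ASA CLI in configuration mode.
! CX_TRAFFIC and CX_CLASS are hypothetical names.

! Select the traffic to send to the CX module (here: outbound web traffic).
access-list CX_TRAFFIC extended permit tcp any any eq www
access-list CX_TRAFFIC extended permit tcp any any eq https

class-map CX_CLASS
 match access-list CX_TRAFFIC

! Attach the redirect to the existing global policy (assumed present).
policy-map global_policy
 class CX_CLASS
  ! fail-open : matched traffic keeps flowing, uninspected, if the CX
  !             module is down or unreachable (availability over inspection).
  ! fail-close: matched traffic is dropped while the module is unavailable
  !             (inspection over availability). Use one or the other:
  !   cxsc fail-close
  cxsc fail-open

service-policy global_policy global
```

Everything else in the base configuration (interfaces, NAT, ACLs, VPN) stays on the ASA, so the fail-open versus fail-close choice decides whether a module outage becomes an inspection gap or a traffic outage for the matched class.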
06-03-2014 07:21 PM
Thanks a bunch. The documentation is very poor. Cisco needs to do a better job of documenting a new product, especially if they want to beat the competition (Palo Alto).
06-03-2014 07:37 PM
You're welcome.
You may want to take a look at CiscoLive365 sessions BRKSEC-1024 (high level comparison of IOS and ASA NGFW) and BRKSEC-2024 (deeper dive into ASA NGFW).
Please rate and mark your question as answered when it has been.