Cisco CX Configuration

michalis1234
Level 1

Hi,

I would like to configure an ASA CX software module (ASA 5515X) on a secondary Internet network for my guests.

I have set up the initial configuration, I can connect to ASDM PRSM (single mode), and I have installed licenses, but I cannot see any events.

It seems that CX is not operating. I do not have any AD or DNS on that guest network; I use the DNS of the ISP.

In order to use CX, shall I have an AD and integrate with it?

How shall I setup my CX in my scenario?

14 Replies

Marvin Rhoads
Hall of Fame

Have you set up your ASA service-policy to direct traffic to the CX and created policies in PRSM?

Please refer to the User Guide, especially this section.

Yes, I have set up the service policy, but I cannot create policies on PRSM; it does not let me. I will go through the guide again and let you know! From the CX module, should I be able to access the Internet? Because at the moment I cannot! Is that a reason why PRSM does not let me configure anything or see anything in the dashboard and events tabs?

If your PRSM is set up correctly then, yes, it should be able to access the Internet. You will need to have that working and activate either your permanent or 60-day evaluation licenses for AVC and WSE. Once that is done, you should be able to configure policies and see their results in the dashboard and events tabs.

Can you please post me a working config example for CX on an ASA 5515X and an L3 switch with SVIs? The routing is working internally, but from the CX and also from the management VLAN I cannot access the Internet. From all other VLANs I can access the Internet properly! Is it something with the management interface or the routing on the CX module?

Make sure you've set up routing on the CX module to give it the appropriate gateway on the management VLAN for routing off the management network. Also be sure that you can reach back to your management network from the inside address of the Internet gateway. If you are using the same ASA for Internet access that the CX is installed on, this can be a bit tricky. For instance, you may need to put a static route on the ASA Inside interface to reach the CX management interface /32 host address via the inside network gateway. Otherwise the ASA may see the management subnet as directly connected and try (and fail) to route via that.

There's a step-by-step guide for setup in the CX Quick Start Guide here.

It does exactly this! I have one L3 switch which has 3 VLANs; one of them is the management VLAN. The L3 switch is connected with the ASA inside through a routed port. The ASA is the Internet gateway. I have a static route on the L3 switch, 0 0, that points to the ASA. On the ASA I have static routes that point to all the SVIs through the inside interface. Also I have added a route inside 192.168.1.2 (CX)/32 192.168.1.254 (L3 SVI). But still my CX cannot reach the Internet. I am wondering, if I configure a trunk between the L3 switch and the ASA (ASA subinterface), will that do the trick? A sample config will help me a lot! Do you want me to post you my configurations?

You need a default route configured on the CX module itself. It's done from the CLI on the CX and should end up with something like this output below, adjusted for your network numbers of course:

seclabcx>show route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.255.0.0     U     0      0        0 cplane
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0

The last line is the important one...

BTW you can also do that bit of configuration on the ASA's ASDM Startup Wizard. Just click through the wizard until you get to the CX bit and fill in the address etc. on the CX panel when you get to it.
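
A quick way to check a routing table like the one in the reply above, as an added example that is not part of the original thread: it parses `show route` output and reports whether a default route exists and whether its next hop lies on a directly connected subnet of the same interface. The function names are hypothetical and the sample text is constructed from the layout quoted in the reply.

```python
import ipaddress

# Constructed sample: same layout as the `show route` output quoted in the thread.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.255.0.0     U     0      0        0 cplane
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Return one dict per route row; headers and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
            gateway = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column-header row
        routes.append({"net": net, "gw": gateway,
                       "flags": fields[3], "iface": fields[7]})
    return routes


def check_default_route(text):
    """Hypothetical helper: report whether the module can route off its subnet."""
    routes = parse_routes(text)
    defaults = [r for r in routes
                if r["net"].prefixlen == 0 and "G" in r["flags"]]
    if not defaults:
        return "no default route"
    d = defaults[0]
    # The next hop must sit inside a directly connected subnet (gateway
    # 0.0.0.0) on the same interface, or the kernel cannot reach it.
    on_link = any(r["gw"].is_unspecified and r["iface"] == d["iface"]
                  and d["gw"] in r["net"] for r in routes)
    if not on_link:
        return f"gateway {d['gw']} not on a connected subnet of {d['iface']}"
    return f"ok: default via {d['gw']} on {d['iface']}"


if __name__ == "__main__":
    print(check_default_route(SAMPLE))
```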

I have this route on the CX.

I have tried everything, but it seems that something is not configured correctly!

I have created subinterfaces on the ASA with the management VLANs and I have placed the ASA management interface on a different subnet from the CX management.

I can ping both the ASA and the CX from the client VLAN.

But I am not sure if this is the proper configuration, because on the PRSM I do not see any events, nor on the dashboard.

When I try to create a policy (network object) I get an unknown error.

A sample configuration on the ASA and CX would be very helpful!

Hi,

First of all, test a ping to the global DNS IP 8.8.8.8; if the ping is successful, then create an object and policy.

Please also check the configuration.

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_010.html

Example:

This example shows how to update the default global policy to include redirection for all interfaces, enabling the authentication proxy and allowing traffic to pass through the ASA if the SSP fails. This command sequence leaves your other service policy rules intact, including your default inspection policies. If you want to limit the redirection to specific interfaces or traffic flows, create a new policy with class maps that define the flows to redirect (see the ASA documentation for detailed information on configuring class maps).

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# cxsc fail-open auth-proxy
asa(config-pmap-c)# exit
asa(config-pmap)# exit
asa(config)#
asa(config)# cxsc auth-proxy port 1025
asa(config)#

I have removed the ma0/0 IP address and nameif since I do not need a separate management network, and it worked fine.

I have set up my traffic to go through the CX; this part is fine.

Now I have issues with PRSM single mode. I am connected to the CX directly from my browser and try to create a policy, but there is no option to create a new policy. I tried to add a service object and a network object but I get the attached error: prsm1.

prsm-1.JPG

I will send you my licenses as well: prsm-2.

prsm-2.JPG

How shall I proceed?

Thanks a lot for your help...

Glad you're making a little bit of progress.

I notice you are running 9.1(1) - the initial PRSM release. I found that version to be very finicky about browser type and version you are using. It would give one sort of error using one browser and a different sort on the same page with a different browser. It also has quite a few documented bugs and is not even available for download any more.

I'd recommend running an upgrade to the current 9.2(1.2) Build 52, available here. It is much more cross-browser compatible and overall a more stable and functional release. You should have better luck with that.

Mizanul Islam
Level 1

Hi,

I suggest you please upgrade your running ASA version 9.2.1.1.(48). I hope your problem will be solved. Here is the attached picture. If the answer is correct please remark.

Here prsm.png

Thank you mates for your help, I will upgrade both the ASA and CX on Monday!

I upgraded my CX today and it works just fine. Thank you very much for your help!
