Problem Connecting to CX module on ASA 5515

I am trying to set up PRSM and the CX module on a Cisco ASA 5515. I have PRSM set up on a VM on 10.10.0.18 at my main site. I have the ASA installed at another site with an internal interface IP address of 192.168.36.2, and the two sites are connected via an MPLS circuit. I gave the CX module an IP address of 192.168.36.3. Now I can ping and access the ASA on 192.168.36.2 and PRSM “sees” the ASA. I cannot ping and PRSM does not “see” the 192.168.36.3 CX Module. What do I need to do to get traffic to the CX?

Thanks,

Mike

5 REPLIES
It's very likely that you are running into a routing-problem here:

I assume that your MPLS is not attached to the ASA, but to a switch that is internal to the ASA? And the gateway of the CX points to the ASA inside interface as it's shown in the config guide? Then it can't work because the ASA would need to hairpin the traffic to send it to the MPLS. In a situation like this you could change the DG of the CX module to your inside router/L3 switch. That way your CX should be able to reach your PRSM.

Thanks for helping.

 

The inside interface is connected to a layer 2 switch which is connected to the MPLS interface and the inside interface on the ASA.

I have to go on site and double check the CX default gateway and make sure I set that to be 192.168.36.2 which is the inside interface.

ASA Gi0/1 - 192.168.36.2 .........connects to a layer 2 switch

MPLS router Gi0/1 - 192.168.36.1 ..........also connects to the same layer 2 switch

Do I need to connect the Management 0/0 interface to the switch also?

I gave the CX module an IP address of 192.168.36.3 but I have to double check the gateway as I may have given it 192.168.36.1 by mistake.

 

Mike

Accepted Solution

It sounds like your setup will be a bit problematic for the ASA. First, the m0/0 interface needs to be connected to the switch. Otherwise the CX is not connected to the network.

Then you could change the Default-gateway of the CX to point to the MPLS-router. At least you should be able to communicate then with your PRSM-server. But the CX also needs internet-access. For that you need a default-route pointing back to the ASA-inside IP on the MPLS-router or an internal proxy-server.

If you can connect to the ASA, then you can session to the module without being on-site.

Thanks for the info. I do have internet access and it is connected to interface Gi0/0 on the ASA.

I am heading on site to connect the Management interface to the layer 2 switch and will let you know how that goes.

 

Thanks again for your help and stay tuned.

 

Mike

 

Thanks for all your help, the above worked.

For others I used this....

 

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html
