How the asa cx module works with the asa, Information about asa cx management – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 59 Configuring the ASA CX Module

Information About the ASA CX Module

How the ASA CX Module Works with the ASA

The ASA CX module runs a separate application from the ASA. The ASA CX module includes external
management interface(s) so you can connect to the ASA CX module directly. Any data interfaces on the
ASA CX module are used for ASA traffic only.

Traffic goes through the firewall checks before being forwarded to the ASA CX module. When you
identify traffic for ASA CX inspection on the ASA, traffic flows through the ASA and the ASA CX
module as follows:

1. Traffic enters the ASA.

2. Incoming VPN traffic is decrypted.

3. Firewall policies are applied.

4. Traffic is sent to the ASA CX module.

5. The ASA CX module applies its security policy to the traffic, and takes appropriate actions.

6. Valid traffic is sent back to the ASA; the ASA CX module might block some traffic according to its
security policy, and that traffic is not passed on.

7. Outgoing VPN traffic is encrypted.

8. Traffic exits the ASA.

Figure 59-1 shows the traffic flow when using the ASA CX module. In this example, the ASA CX
module automatically blocks traffic that is not allowed for a certain application. All other traffic is
forwarded through the ASA.

Figure 59-1 ASA CX Module Traffic Flow in the ASA

Note

If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
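
The following configuration is an added example, not taken from the Cisco guide: it identifies traffic for ASA CX inspection and attaches the service policy to a single interface, which is the case the Note describes. The names CX_HTTP, CX_CLASS and CX_INSIDE are hypothetical, and the interface name inside and the choice to match HTTP only are assumptions.

```text
! Constructed example. CX_HTTP, CX_CLASS and CX_INSIDE are hypothetical names.
!
! Identify the traffic to divert to the ASA CX module (assumed here: HTTP).
access-list CX_HTTP extended permit tcp any any eq www
!
class-map CX_CLASS
 match access-list CX_HTTP
!
! The cxsc action sends matching traffic to the module after the ASA has
! decrypted incoming VPN traffic and applied its own firewall policies.
!   fail-close  drop matching traffic if the module is unavailable
!   fail-open   pass matching traffic uninspected if the module is unavailable
!   auth-proxy  enable the authentication proxy for this class
policy-map CX_INSIDE
 class CX_CLASS
  cxsc fail-close auth-proxy
!
! Attach the policy to one interface only. Because redirection is
! bidirectional, a connection between a host on inside and a host on
! another interface is sent to the module in both directions, including
! traffic that originates on the other interface. The authentication proxy
! is ingress-only, so it acts only on traffic entering through inside.
service-policy CX_INSIDE interface inside
```

With fail-open, traffic passes without ASA CX inspection whenever the module is down, so choose between fail-open and fail-close according to whether availability or inspection matters more for the matched traffic.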

Information About ASA CX Management

Initial Configuration
