59-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter59 Configuring the ASA CX Module
Configuring the ASA CX Module
Redirecting Traffic to the ASA CX Module
This section identifies traffic to redirect from the ASA to the ASA CX module. Configure this policy on
the ASA.
Note When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the
ASA CX module within PRSM, instead of using ASDM or the ASA CLI. However, PRSM has some
limitations when configuring the ASA service policy; see the ASA CX user guide for more information.
Prerequisites
If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a
directory realm for authentication on the ASA CX module. See the ASA CX user guide for more
information.
Detailed Steps
Command Purpose
Step1 class-map name
Example:
hostname(config)# class-map cx_class
Creates a class map to identify the traffic for which you want to
send to the ASA CX module.
If you want to send multiple traffic classes to the ASA CX
module, you can create multiple class maps for use in the security
policy.
Step2 match parameter
Example:
hostname(config-cmap)# match access-list
cx_traffic
Specifies the traffic in the class map. See the “Identifying Traffic
(Layer 3/4 Class Maps)” section on page 32-12 for more
information.
Step3 policy-map name
Example:
hostname(config)# policy-map cx_policy
Adds or edits a policy map that sets the actions to take with the
class map traffic.
Step4 class name
Example:
hostname(config-pmap)# class cx_class
Identifies the class map you created in Step 1.
Step5 cxsc {fail-close | fail-open} [auth-proxy]
Example:
hostname(config-pmap-c)# cxsc fail-close
auth-proxy
Specifies that the traffic should be sent to the ASA CX module.
The fail-close keyword sets the ASA to block all traffic if the ASA
CX module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through,
uninspected, if the ASA CX module is unavailable.
The auth-proxy keyword enables the authentication proxy, which
is required for active authentication.