Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 30 Configuring the ASA CX Module
Information About the ASA CX Module
or ASDM). However, physical characteristics (such as enabling the interface) are configured on
the ASA. You can remove the ASA interface configuration (specifically the interface name) to
dedicate this interface as an ASA CX-only interface. This interface is management-only.

Policy Configuration and Management

After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security
Manager (PRSM). Then configure the ASA policy for sending traffic to the ASA CX module using
ASDM or the ASA CLI.
Note When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the
ASA CX module within PRSM, instead of using ASDM or the ASA CLI. Using PRSM lets you
consolidate management to a single management system. However, PRSM has some limitations when
configuring the ASA service policy; see the ASA CX user guide for more information.

Information About Authentication Proxy

When the ASA CX needs to authenticate an HTTP user (to take advantage of identity policies), you must
configure the ASA to act as an authentication proxy: the ASA CX module redirects authentication
requests to the ASA interface IP address/proxy port. By default, the port is 885 (user configurable).
Configure this feature as part of the service policy to divert traffic from the ASA to the ASA CX module.
If you do not enable the authentication proxy, only passive authentication is available.
Note If you have a connection between hosts on two ASA interfaces, and the ASA CX service policy is only
configured for one of the interfaces, then all traffic between these hosts is sent to the ASA CX module,
including traffic originating on the non-ASA CX interface (the feature is bidirectional). However, the
ASA only performs the authentication proxy on the interface to which the service policy is applied,
because this feature is ingress-only.
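
An added example, not part of the Cisco guide: a Python audit that reads an ASA running-config excerpt and reports, for each interface whose service policy diverts traffic to the ASA CX module, whether the authentication proxy is enabled (otherwise only passive authentication is available) and which proxy port is in effect. The `cxsc` lines are the ASA CLI form of these settings; the sample configuration, its names and the port 2000 are constructed.

```python
import re

DEFAULT_AUTH_PROXY_PORT = 885  # default port stated in the guide

# Constructed running-config excerpt; all names and the port are made up.
SAMPLE_CONFIG = """\
cxsc auth-proxy port 2000
policy-map cx-inside-policy
 class cx-inside-class
  cxsc fail-open auth-proxy
policy-map cx-dmz-policy
 class cx-dmz-class
  cxsc fail-close
service-policy cx-inside-policy interface inside
service-policy cx-dmz-policy interface dmz
"""

def audit_cx_redirection(config_text):
    """Return (auth_proxy_port, findings), one finding per applied cxsc action."""
    port = DEFAULT_AUTH_PROXY_PORT
    actions = {}  # policy-map name -> [(class, fail mode, auth proxy enabled)]
    applied = []  # [(policy-map name, interface name or "global")]
    policy = cls = None
    for raw in config_text.splitlines():
        line, nested = raw.strip(), raw.startswith(" ")
        if m := re.fullmatch(r"cxsc auth-proxy port (\d+)", line):
            port = int(m.group(1))
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            policy, cls = m.group(1), None
        elif nested and policy and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m.group(1)
        elif nested and cls and (m := re.fullmatch(r"cxsc (fail-open|fail-close)( auth-proxy)?", line)):
            actions.setdefault(policy, []).append((cls, m.group(1), bool(m.group(2))))
        elif m := re.fullmatch(r"service-policy (\S+) (?:interface (\S+)|global)", line):
            applied.append((m.group(1), m.group(2) or "global"))
        elif not nested:
            policy = cls = None  # any other top-level command ends the policy-map
    findings = [
        {"interface": iface, "policy": pol, "class": c, "fail_mode": mode, "auth_proxy": proxy}
        for pol, iface in applied
        for c, mode, proxy in actions.get(pol, [])
    ]
    return port, findings

if __name__ == "__main__":
    port, findings = audit_cx_redirection(SAMPLE_CONFIG)
    for f in findings:
        auth = f"active authentication via proxy port {port}" if f["auth_proxy"] else "passive authentication only"
        print(f'{f["interface"]}: {f["policy"]}/{f["class"]} {f["fail_mode"]}, {auth}')
```

Because the authentication proxy is ingress-only, an interface reported without it still has its traffic inspected by the ASA CX module, but users arriving on that interface are identified by passive authentication only.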

Information About VPN and the ASA CX Module

The ASA includes VPN client and user authentication metadata from the Cisco AnyConnect client when
forwarding traffic to the ASA CX module, which allows the ASA CX module to include this information
as part of its policy lookup criteria. The VPN metadata is sent only at VPN tunnel establishment time
along with a type-length-value (TLV) containing the session ID. The ASA CX module caches the VPN
metadata for each session. Each tunneled connection sends the session ID so the ASA CX module can
look up that session’s metadata.

Compatibility with ASA Features

The ASA includes many advanced application inspection features, including HTTP inspection.
However, the ASA CX module provides more advanced HTTP inspection than the ASA provides, as well
as additional features for other applications, including monitoring and controlling application usage.
To take full advantage of the ASA CX module features, see the following guidelines for traffic that you
send to the ASA CX module: