ASA CX Looks Good With No Java and new Hard Drives!

For those of you who work on ASA's quite often you'll know that there's more and more, specifically SSL VPN related configurations, that you have to do with ASDM as opposed to the CLI. This forces us to use our old friend (read: nemesis) Java. It's become quite a bit more polished over the versions, but still, using it to configure the ASA can sometimes be like pulling teeth. It Hurts! But here is some light at the end of the tunnel!

Getting A Peek at the ASA CX

ASA cx1

The new ASA CX was demonstrated to delegates at Networking Field Day 3 in San Jose, and I must say it looks pretty slick. It uses the SecureX Framework and for those of you who are unfamiliar with that framework I suggest a read over at Cisco's Landing Page for SecureX. It leverages global and local security information for dynamic, real-time threat protection. One way that the SecureX framework leverages global security intelligence is by collecting customer data, which you have the option to opt-in to. Some may not like this idea, so be sure to pay attention when you initially set up your devices that are part of this SecureX framework (IPS, ASA, etc). You can chose not to send data, but the device still receives data.

Getting back to the introduction the ASA CX, as the demo proceeded, one of the delegates piped up and asked, "What's it using for management?" The response… HTML5. That's right, no java is needed to manage the ASA CX using Cisco Prime Security Manager.


The ASA CX is sitting on the UC hardware and is in the form of a blade. Here's a look at the box that was sitting in front of us during the NFD presentation.


There are two models of ASA CX, the ASA CX SSP-10 and ASA CX SSP-20. Both have 600GB hard drives, which is a little new to the realm of ASA's. In the past, there were no hard drives because they didn't store all the data on box that they do now. These disks are hot swappable and there are two of them that can be seen in the image below.

Also, you can see in the images that there are two blades in the Chassis. The lower blade is the ASA and the upper blade is running a standalone version of Cisco Prime Security Manager. Packets handled by the interfaces on the blade with Cisco Prime are moved in hardware across the backplane to be processed by the ASA. What's nice about this setup is that Cisco Prime Security Manager is NOT ASDM. You can still use ASDM to manage the ASA CX if you want, but with Cisco Prime, who would want to? The Cisco Prime Security Manager interface is a web based interface that uses HTML5 to navigate configuration elements and display information about the ASA CX.


If you'd like the see the demo that Cisco has published I've embedded it below. This demo was done by Brian Conklin, the Cisco TME that presented to the Field Day delegates. This video does a good job of moving through the device features minus the distractions of delegate questions about features and capabilities that came to mind.

One a side note, if you like watching videos about technologies like this, there are a ton of other videos produced during NFD3 and available for you to view on Vimeo. To find them head over to and select the field day that you're interested in.

My Take

I think the ASA has made some great progress. While I love the CLI, I understand the necessity for a web based management solution and I think that the Cisco Prime Security Manager is heading in the right direction. It's easy to complain about what vendors have and what they dont have, what they support and what they don't support, and that's fine. Most of us want to find the perfect solution for our given environment. I just dont think there is one. But, could this solution be leading the pack of tools that are available? Maybe, but you'll have to get your hands on it to find out. Anyone want to send me one?