Cisco Systems and the ASA Services Module Manual De Usuario

You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic. 
For demonstration purposes only, you can also enable monitor-only mode for the service policy, which 
forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.

Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a 
service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the 
ASA CX module, bypassing the ASA.

This section identifies traffic to redirect from the ASA to the ASA CX module. Configure this policy on 
the ASA. If you want to use a traffic-forwarding interface for demonstration purposes, skip this 
procedure and see the 

 instead.

When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the 
ASA CX module within PRSM, instead of using ASDM or the ASA CLI. However, PRSM has some 
limitations when configuring the ASA service policy; see the ASA CX user guide for more information.

If you enable the authentication proxy on the ASA using this procedure, be sure to also configure a 
directory realm for authentication on the ASA CX module. See the ASA CX user guide for more 
information.

If you have an active service policy redirecting traffic to an IPS module (that you replaced with the 
ASA CX), you must remove that policy before you configure the ASA CX service policy.

Be sure to configure both the ASA policy and the ASA CX to have matching modes: both in 
monitor-only mode, or both in normal inline mode.

In multiple context mode, perform this procedure within each security context.