Determining what traffic to scan – Cisco ASA 5505 User Manual

60-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 60 Configuring the ASA CSC Module

Information About the CSC SSM

Figure 60-2

CSC SSM Deployment with a Management Network

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP/HTTPS, POP3, and SMTP traffic only when the destination port of
the packet requesting the connection is the well-known port for the specified protocol. The CSC SSM
can scan only the following connections:

•

FTP connections opened to TCP port 21.

•

HTTP connections opened to TCP port 80.

•

HTTPS connections opened to TCP port 443.

•

POP3 connections opened to TCP port 110.

•

SMTP connections opened to TCP port 25.

You can choose to scan traffic for all of these protocols or any combination of them. For example, if you
do not allow network users to receive POP3 e-mail, do not configure the ASA to divert POP3 traffic to
the CSC SSM. Instead, block this traffic.

To maximize performance of the ASA and the CSC SSM, divert only the traffic to the CSC SSM that
you want the CSC SSM to scan. Diverting traffic that you do not want scanned, such as traffic between
a trusted source and destination, can adversely affect network performance.

Note

When traffic is first classified for CSC inspection, it is flow-based. If traffic is part of a pre-existing
connection, the traffic goes directly to the service policy set for that connection.

You can apply service policies that include CSC scanning globally or to specific interfaces; therefore,
you can choose to enable CSC scans globally or for specific interfaces.

148387

192.168.100.1

192.168.50.1

Notifications

SMTP Server

192.168.50.38 SSM

management
port

10.6.13.67

Trend Micro

Update Server

ASA

Main System

inside

CSC SSM

outside

HTTP

Proxy

management port

ASDM

Syslog

Internet