Cisco ASA 5505 User Manual
Page 1280
60-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 60 Configuring the ASA CSC Module
Configuring the CSC SSM
Step 7
csc
{fail-close | fail-open}
Example:
hostname(config-pmap-c)# csc {fail-close |
fail-open}
Enables traffic scanning with the CSC SSM and
assigns the traffic identified by the class map as
traffic to be sent to the CSC SSM. Must be part of a
service policy, which can be applied globally or to
specific interfaces. Ensures that all unencrypted
connections through the ASA are scanned by the
CSC SSM; however, this setting may mean that
traffic from trusted sources is needlessly scanned. If
enabled in interface-specific service policies, this
command is bi-directional. Bi-directionality means
that when the ASA opens a new connection, if this
command is active on either the inbound or the
outbound interface of the connection and the class
map for the policy identifies traffic for scanning, the
ASA diverts this traffic to the CSC SSM. However,
bi-directionality also means that if you divert any of
the supported traffic types that cross a given interface
to the CSC SSM, it is probably performing
unnecessary scans on traffic from your trusted inside
networks. Therefore, to further limit the traffic
selected by the class maps of CSC SSM service
policies, we recommend using access lists that match
the following:
•
HTTP/HTTPS connections to outside networks.
•
FTP connections from clients inside the ASA to
servers outside the ASA.
•
POP3 connections from clients inside the ASA
to servers outside the ASA.
•
Incoming SMTP connections destined to inside
mail servers.
The fail-close and fail-open keywords control how
the ASA handles traffic when the CSC SSM is
unavailable. For more information about the
operating modes and failure behavior, see the
“Guidelines and Limitations” section on page 60-6
.
Step 8
service-policy
policy_map_name [global | interface
interface_ID]
Example:
hostname(config-pmap-c)# service-policy
policy_map_name [global | interface interface_ID]
Applies the policy map globally or to a specific
interface. The policy_map_name argument is the
policy map that you configured in Step 4. To apply
the policy map to traffic on all the interfaces, use the
global keyword. To apply the policy map to traffic on
a specific interface, use the interface interface_ID
keyword and argument pair, where interface_ID is
the name assigned to the interface with the nameif
command. Only one global policy is allowed. You
can override the global policy on an interface by
applying a service policy to that interface. You can
only apply one policy map to each interface.
Command
Purpose