Cisco ASA 5505 User Manual


60-17

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 60 Configuring the ASA CSC Module

Configuration Examples for the CSC SSM

The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list
to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the
DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from
HTTP file uploads.

hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class
hostname(config-cmap)# match access-list csc_out
hostname(config-cmap)# policy-map csc_out_policy
hostname(config-pmap)# class csc_outbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config-pmap-c)# service-policy csc_out_policy interface inside

hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class
hostname(config-cmap)# match access-list csc_in
hostname(config-cmap)# policy-map csc_in_policy
hostname(config-pmap)# class csc_inbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config-pmap-c)# service-policy csc_in_policy interface outside

The following example shows how to use an access list to exempt the traffic from being matched by the
policy map and prevent the ASA from sending traffic to the CSC SSM:

hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110

The following example shows how to add an ACE to the csc_out access list to exclude HTTP connections
between the trusted external web server and inside hosts from being scanned by the CSC SSM:

hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80

The following example shows how to use the access list on the service policy applied to the outside
interface:

hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25

The following example shows how to add an ACE to the csc_in access list to use the CSC SSM to protect
the web server on a DMZ network from infected files uploaded by HTTP from external hosts:

hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
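The ACEs above decide which flows the policy map diverts to the CSC SSM: the ASA walks a match access-list in order, stops at the first ACE that fits the flow, and sends the flow to the module only when that ACE is a permit, so a deny ACE exempts traffic and an ACE appended below an earlier, broader permit is never reached. The following Python script is an added example, not part of Cisco's guide, that parses the csc_out and csc_in ACEs from this page and evaluates sample flows against them; the 203.0.113.9 address and the "line 3" placement are constructed assumptions, not from the page.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs give the mask as a dotted netmask, not a prefix length.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one 'access-list NAME permit|deny tcp SRC DST [eq PORT]' line from the page."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "tcp", line
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"name": t[1], "action": t[2], "src": src, "dst": dst, "dport": dport}

def first_match(aces, src_ip, dst_ip, dport):
    """Return (1-based ACE number, action) of the first matching ACE, or (None, 'implicit-deny')."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
            return n, ace["action"]
    return None, "implicit-deny"

def scanned_by_csc(aces, src_ip, dst_ip, dport):
    """A flow reaches the CSC SSM only when the match access-list permits it."""
    return first_match(aces, src_ip, dst_ip, dport)[1] == "permit"

# The csc_out ACEs exactly as they appear on the page, in the order they were entered.
CSC_OUT = [parse_ace(l) for l in """
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
""".splitlines() if l.strip()]

# The page's ACE that exempts HTTP to the trusted external web server.
EXEMPT_WEB = parse_ace(
    "access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80")

# Appended at the end (what a plain 'access-list csc_out ...' does): shadowed by ACE 3's permit.
CSC_OUT_APPENDED = CSC_OUT + [EXEMPT_WEB]
# Inserted ahead of the permit-any-80 ACE (assumed 'access-list csc_out line 3 ...'): effective.
CSC_OUT_INSERTED = CSC_OUT[:2] + [EXEMPT_WEB] + CSC_OUT[2:]

CSC_IN = [parse_ace(l) for l in """
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
""".splitlines() if l.strip()]
```

Run first_match on the appended list to see that the exemption lands on ACE 3 (the permit) rather than the new deny; check the ACE order with show access-list on the ASA before assuming an exemption is in effect.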
