Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 60 Configuring the ASA CSC Module

Information About the CSC SSM

Based on the configuration shown in Figure 60-3, configure the ASA to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.

Figure 60-3 Common Network Configuration for CSC SSM Scanning

There are many ways you could configure the ASA to identify the traffic that you want to scan. One
approach is to define two service policies: one on the inside interface and the other on the outside
interface, each with access lists that match traffic to be scanned.

Figure 60-4 shows service policy rules that select only the traffic that the ASA should scan.

Figure 60-4 Optimized Traffic Selection for CSC Scans

In the inside-policy, the first class, inside-class1, ensures that the ASA does not scan HTTP traffic
between the inside network and the DMZ network. The Match column indicates this setting by
displaying the “Do not match” icon. This setting does not mean the ASA blocks traffic sent from the
192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. Instead, this setting exempts the
traffic from being matched by the service policy applied to the inside interface, which prevents the ASA
from sending the traffic to the CSC SSM.

The second class of the inside-policy, inside-class, matches FTP, HTTP, and POP3 traffic between the inside network and any destination. HTTP connections to the DMZ network are exempted because of the inside-class1 setting. As previously mentioned, policies that apply CSC scanning to a specific interface affect both incoming and outgoing traffic, but by specifying 192.168.10.0 as the source network, inside-class1 matches only connections initiated by the hosts on the inside network.
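The CLI equivalent of the two service policies described above, as an added example that is not taken from the Cisco guide. The names inside-policy and inside-class come from the text; the ACL names, outside-class, outside-policy, the /24 masks and the mail server address 192.168.20.25 are assumptions chosen here (the address is a constructed sample value).

```cisco
! Added example (not from the Cisco guide). Assumes /24 masks and a DMZ mail
! server at 192.168.20.25 (constructed sample value); ACL names and the
! outside-* names are chosen here, inside-class/inside-policy follow the text.
!
! A deny ACE in an ACL referenced by "match access-list" is the CLI form of
! the "Do not match" setting: the flow is not sent to the CSC SSM. It is NOT
! dropped; whether the flow is permitted is decided by the interface ACLs.
access-list inside-csc extended deny   tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
access-list inside-csc extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside-csc extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list inside-csc extended permit tcp 192.168.10.0 255.255.255.0 any eq pop3
!
! Source 192.168.10.0 limits the class to connections initiated by inside hosts.
class-map inside-class
 match access-list inside-csc
!
! fail-close drops matched traffic if the CSC SSM is unavailable;
! fail-open would let it pass unscanned instead.
policy-map inside-policy
 class inside-class
  csc fail-close
!
service-policy inside-policy interface inside
!
! Outside interface: divert only SMTP from any outside host to the DMZ mail server.
access-list outside-csc extended permit tcp any host 192.168.20.25 eq smtp
!
class-map outside-class
 match access-list outside-csc
!
policy-map outside-policy
 class outside-class
  csc fail-close
!
service-policy outside-policy interface outside
```

Verify the result with `show service-policy interface inside` and `show service-policy interface outside`, which list the class, the csc action and the packet counters per policy.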

[Figure 60-3 diagram labels: networks 192.168.30.0, 192.168.20.0 (dmz, with web server and mail server) and 192.168.10.0; Internet; outside and inside interfaces; ASA]
