SlideShare a Scribd company logo

ASA CSC Module

P
Pratik Bhide
1 of 3
Download to read offline
Information About the CSC SSM Some ASA models support the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP/HTTPS, POP3, and SMTP packets that you configure the ASA to send to it. Determining What Traffic to Scan The CSC SSM can scan FTP, HTTP/HTTPS, POP3, and SMTP traffic only when the destination port of the packet requesting the connection is the well-known port for the specified protocol. The CSC SSM can scan only the following connections: •FTP connections opened to TCP port 21. •HTTP connections opened to TCP port 80. •HTTPS connections opened to TCP port 443. •POP3 connections opened to TCP port 110. •SMTP connections opened to TCP port 25. You can apply service policies that include CSC scanning globally or to specific interfaces; therefore, you can choose to enable CSC scans globally or for specific interfaces. Licensing Requirements for the CSC SSM Model & License Requirement ASA 5510 Base License—Supports SMTP virus scanning, POP3 virus scanning and content filtering, web mail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. Supports two contexts. Optional licenses: 5 contexts. Security Plus License—Supports the Base license features, plus SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering. Supports two contexts. Optional license: 5 contexts. ASA 5520 Base License—Supports all features. Supports two contexts. Optional licenses: 5, 10, or 20 contexts.
ASA 5540 Base License—Supports all features. Supports two contexts. Optional licenses: 5, 10, 20, or 50 contexts. You must obtain the following information to use in configuring the CSC SSM: –The CSC SSM management port IP address, netmask, and gateway IP address. –DNS server IP address. –HTTP proxy server IP address (needed only if your security policies require the use of a proxy server for HTTP access to the Internet). –Domain name and hostname for the CSC SSM. –An e-mail address and an SMTP server IP address and port number for e-mail notifications. –E-mail address(es) for product license renewal notifications. –IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the ASA management interface can be in different subnets. –Password for the CSC SSM. To configure the ASA to divert traffic to the CSC SSM, perform the following steps: hostname(config)# access-list extended Creates an access list that matches the traffic you want scanned by the CSC SSM. Create as many ACEs as are needed to match all the traffic. For example, to specify FTP, HTTP/HTTPS, POP3, and SMTP traffic, you need four ACEs. hostname(config)# class-map class_map_name Creates a class map to identify the traffic that should be diverted to the CSC SSM. The class_map_name argument is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode. hostname(config-cmap)# match access-list acl-name Identifies the traffic to be scanned with the access list that you created in Step 1. The acl-name argument is the name of the access list. hostname(config-cmap)# policy-map policy_map_name
Creates a policy map or modify an existing policy map that you want to use to send traffic to the CSC SSM. The policy_map_name argument is the name of the policy map. When you enter the policy-map command, the CLI enters policy map configuration mode. hostname(config-pmap)# class class_map_name Specifies the class map, created in Step 2, that identifies the traffic to be scanned. The class_map_name argument is the name of the class map that you created in Step 2. The CLI enters the policy map class configuration mode. hostname(config-pmap-c)# csc {fail-close | fail-open} Enables traffic scanning with the CSC SSM and assigns the traffic identified by the class map as traffic to be sent to the CSC SSM. Must be part of a service policy, which can be applied globally or to specific interfaces. Ensures that all unencrypted connections through the ASA are scanned by the CSC SSM hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID] Applies the policy map globally or to a specific interface. To reset the module password to the default of cisco, perform the following steps. hostname# hw-module module 1 password-reset To reload or reset the module, enter one of the following commands at the ASA CLI. hostname# hw-module module 1 reload

Recommended

TCP Filtering on ASA
TCP Filtering on ASATCP Filtering on ASA
TCP Filtering on ASAPratik Bhide
 
Conns connlimits
Conns connlimitsConns connlimits
Conns connlimitsAleksei Kurepin
 
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and later
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and laterHow to set ssh telnet-http connection timeout using mpf for asa 8.3 and later
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and latercandy tang
 
PPP
PPPPPP
PPPguest6206a05
 
Firewalld
FirewalldFirewalld
FirewalldSagar Gor
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)NYversity
 
TCP Intercept
TCP InterceptTCP Intercept
TCP InterceptNetwax Lab
 
SMS Gateway
SMS GatewaySMS Gateway
SMS GatewayTeleDNA_Communications
 

Recommended

TCP Filtering on ASA
TCP Filtering on ASATCP Filtering on ASA
TCP Filtering on ASAPratik Bhide
 
Conns connlimits
Conns connlimitsConns connlimits
Conns connlimitsAleksei Kurepin
 
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and later
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and laterHow to set ssh telnet-http connection timeout using mpf for asa 8.3 and later
How to set ssh telnet-http connection timeout using mpf for asa 8.3 and latercandy tang
 
PPP
PPPPPP
PPPguest6206a05
 
Firewalld
FirewalldFirewalld
FirewalldSagar Gor
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)NYversity
 
TCP Intercept
TCP InterceptTCP Intercept
TCP InterceptNetwax Lab
 
SMS Gateway
SMS GatewaySMS Gateway
SMS GatewayTeleDNA_Communications
 
D E S
D E SD E S
D E Ssachin54
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN NetProtocol Xpert
 
Pause frames an overview
Pause frames an overviewPause frames an overview
Pause frames an overviewMapYourTech
 
Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8Kaan Aslandağ
 
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDYLOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDYAdhie Lesmana
 
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS LinuxHow to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linuxonlinerana
 
Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Kaan Aslandağ
 
Arsp setup
Arsp setupArsp setup
Arsp setupDishHD Asia
 
T Tcp
T TcpT Tcp
T TcpRam Dutt Shukla
 
Configure vtp
Configure vtpConfigure vtp
Configure vtpJavier Jimenez
 
Chap 23 ip over atm
Chap 23 ip over atmChap 23 ip over atm
Chap 23 ip over atmNoctorous Jamal
 
QoS marking on cisco IOS Router
QoS marking on cisco IOS RouterQoS marking on cisco IOS Router
QoS marking on cisco IOS RouterNetProtocol Xpert
 
Sapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbpSapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbpMustafa Golam
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterNetProtocol Xpert
 
Congestion control Assignment Help
Congestion control Assignment HelpCongestion control Assignment Help
Congestion control Assignment HelpJosephErin
 
Networking Puzzle
Networking PuzzleNetworking Puzzle
Networking PuzzleAalok Shah
 
Route static Configuration
Route static ConfigurationRoute static Configuration
Route static ConfigurationGausul Azam
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IPvijai s
 
Chap 13 stream control transmission protocol
Chap 13 stream control transmission protocolChap 13 stream control transmission protocol
Chap 13 stream control transmission protocolNoctorous Jamal
 
Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...Saroj Sahu
 
IPSec_VPN_Final_
IPSec_VPN_Final_IPSec_VPN_Final_
IPSec_VPN_Final_Pratik Bhide
 
TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514Adam Bejan Parast
 

More Related Content

What's hot

Pause frames an overview
Pause frames an overviewPause frames an overview
Pause frames an overviewMapYourTech
 
Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8Kaan Aslandağ
 
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDYLOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDYAdhie Lesmana
 
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS LinuxHow to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linuxonlinerana
 
Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Kaan Aslandağ
 
QoS marking on cisco IOS Router
QoS marking on cisco IOS RouterQoS marking on cisco IOS Router
QoS marking on cisco IOS RouterNetProtocol Xpert
 
Sapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbpSapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbpMustafa Golam
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterNetProtocol Xpert
 
Congestion control Assignment Help
Congestion control Assignment HelpCongestion control Assignment Help
Congestion control Assignment HelpJosephErin
 
Networking Puzzle
Networking PuzzleNetworking Puzzle
Networking PuzzleAalok Shah
 
Route static Configuration
Route static ConfigurationRoute static Configuration
Route static ConfigurationGausul Azam
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IPvijai s
 
Chap 13 stream control transmission protocol
Chap 13 stream control transmission protocolChap 13 stream control transmission protocol
Chap 13 stream control transmission protocolNoctorous Jamal
 
Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...Saroj Sahu
 

What's hot (20)

D E S
D E SD E S
D E S
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Pause frames an overview
Pause frames an overviewPause frames an overview
Pause frames an overview
 
Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8Configuration IPTables On CentOS 8
Configuration IPTables On CentOS 8
 
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDYLOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
LOAD BALANCING PCC MENGGUNAKAN 2 SPEEDY
 
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS LinuxHow to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux
 
Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8
 
Arsp setup
Arsp setupArsp setup
Arsp setup
 
T Tcp
T TcpT Tcp
T Tcp
 
Configure vtp
Configure vtpConfigure vtp
Configure vtp
 
Chap 23 ip over atm
Chap 23 ip over atmChap 23 ip over atm
Chap 23 ip over atm
 
QoS marking on cisco IOS Router
QoS marking on cisco IOS RouterQoS marking on cisco IOS Router
QoS marking on cisco IOS Router
 
Sapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbpSapc upcc-pcrf- part 1 tbp
Sapc upcc-pcrf- part 1 tbp
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS Router
 
Congestion control Assignment Help
Congestion control Assignment HelpCongestion control Assignment Help
Congestion control Assignment Help
 
Networking Puzzle
Networking PuzzleNetworking Puzzle
Networking Puzzle
 
Route static Configuration
Route static ConfigurationRoute static Configuration
Route static Configuration
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IP
 
Chap 13 stream control transmission protocol
Chap 13 stream control transmission protocolChap 13 stream control transmission protocol
Chap 13 stream control transmission protocol
 
Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...Unable to access the net app cluster mode 9.2 san through gui after power mai...
Unable to access the net app cluster mode 9.2 san through gui after power mai...
 

Viewers also liked

TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514Adam Bejan Parast
 
Your wiki’s settings tutorial (pbworks)
Your wiki’s settings tutorial (pbworks)Your wiki’s settings tutorial (pbworks)
Your wiki’s settings tutorial (pbworks)Paul L
 
F08 9543-015 hoja de vida aprendiz dayana arcila osorno
F08 9543-015 hoja de vida aprendiz dayana arcila osornoF08 9543-015 hoja de vida aprendiz dayana arcila osorno
F08 9543-015 hoja de vida aprendiz dayana arcila osornolasmaslindas1221
 
Packet Inspection on ASA
Packet Inspection on ASAPacket Inspection on ASA
Packet Inspection on ASAPratik Bhide
 
Folder investire in con planimetria ridotto
Folder investire in con planimetria ridottoFolder investire in con planimetria ridotto
Folder investire in con planimetria ridottoNexinvest srl
 
Traumatic eye injury hypothetical case presentaion
Traumatic eye injury hypothetical case presentaionTraumatic eye injury hypothetical case presentaion
Traumatic eye injury hypothetical case presentaionmeducationdotnet
 
Sistema Aduanero en México
Sistema Aduanero en MéxicoSistema Aduanero en México
Sistema Aduanero en MéxicoJehieli Aranda
 
Diet soda and weight loss: New study reignites debate
Diet soda and weight loss: New study reignites debateDiet soda and weight loss: New study reignites debate
Diet soda and weight loss: New study reignites debatebumpytechnique370
 
CISCO Exact Questions By: Konard
CISCO Exact Questions By: KonardCISCO Exact Questions By: Konard
CISCO Exact Questions By: KonardEng. Emad Al-Atoum
 
Implementing Cisco IP Switched Networks
Implementing Cisco IP Switched NetworksImplementing Cisco IP Switched Networks
Implementing Cisco IP Switched NetworksArchana Parameshwari
 
Cisco BGP Exam 642-661 Review Notes
Cisco BGP Exam 642-661 Review NotesCisco BGP Exam 642-661 Review Notes
Cisco BGP Exam 642-661 Review NotesDuane Bodle
 
Regular Expression Patterns
Regular Expression PatternsRegular Expression Patterns
Regular Expression PatternsDuane Bodle
 
NAT- Network Address Translation
NAT- Network Address TranslationNAT- Network Address Translation
NAT- Network Address TranslationEng. Emad Al-Atoum
 
IPv4 Final /8 Delegation Report
IPv4 Final /8 Delegation ReportIPv4 Final /8 Delegation Report
IPv4 Final /8 Delegation ReportAPNIC
 

Viewers also liked (19)

IPSec_VPN_Final_
IPSec_VPN_Final_IPSec_VPN_Final_
IPSec_VPN_Final_
 
TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514TransitCapitalVisionReport_20140514
TransitCapitalVisionReport_20140514
 
Your wiki’s settings tutorial (pbworks)
Your wiki’s settings tutorial (pbworks)Your wiki’s settings tutorial (pbworks)
Your wiki’s settings tutorial (pbworks)
 
F08 9543-015 hoja de vida aprendiz dayana arcila osorno
F08 9543-015 hoja de vida aprendiz dayana arcila osornoF08 9543-015 hoja de vida aprendiz dayana arcila osorno
F08 9543-015 hoja de vida aprendiz dayana arcila osorno
 
Tribus urbanas
Tribus urbanasTribus urbanas
Tribus urbanas
 
Packet Inspection on ASA
Packet Inspection on ASAPacket Inspection on ASA
Packet Inspection on ASA
 
Cheatsheet: Netcat
Cheatsheet: NetcatCheatsheet: Netcat
Cheatsheet: Netcat
 
Folder investire in con planimetria ridotto
Folder investire in con planimetria ridottoFolder investire in con planimetria ridotto
Folder investire in con planimetria ridotto
 
Traumatic eye injury hypothetical case presentaion
Traumatic eye injury hypothetical case presentaionTraumatic eye injury hypothetical case presentaion
Traumatic eye injury hypothetical case presentaion
 
Sistema Aduanero en México
Sistema Aduanero en MéxicoSistema Aduanero en México
Sistema Aduanero en México
 
Diet soda and weight loss: New study reignites debate
Diet soda and weight loss: New study reignites debateDiet soda and weight loss: New study reignites debate
Diet soda and weight loss: New study reignites debate
 
CISCO Exact Questions By: Konard
CISCO Exact Questions By: KonardCISCO Exact Questions By: Konard
CISCO Exact Questions By: Konard
 
Implementing Cisco IP Switched Networks
Implementing Cisco IP Switched NetworksImplementing Cisco IP Switched Networks
Implementing Cisco IP Switched Networks
 
Cisco BGP Exam 642-661 Review Notes
Cisco BGP Exam 642-661 Review NotesCisco BGP Exam 642-661 Review Notes
Cisco BGP Exam 642-661 Review Notes
 
SIP PRIMER
SIP PRIMERSIP PRIMER
SIP PRIMER
 
NAT_Final
NAT_FinalNAT_Final
NAT_Final
 
Regular Expression Patterns
Regular Expression PatternsRegular Expression Patterns
Regular Expression Patterns
 
NAT- Network Address Translation
NAT- Network Address TranslationNAT- Network Address Translation
NAT- Network Address Translation
 
IPv4 Final /8 Delegation Report
IPv4 Final /8 Delegation ReportIPv4 Final /8 Delegation Report
IPv4 Final /8 Delegation Report
 

Similar to ASA CSC Module

IBM MQ Channel Authentication
IBM MQ Channel AuthenticationIBM MQ Channel Authentication
IBM MQ Channel AuthenticationIBM Systems UKI
 
1. Task In this assignment you are asked to provide named.pdf
1. Task In this assignment you are asked to provide named.pdf 1. Task In this assignment you are asked to provide named.pdf
1. Task In this assignment you are asked to provide named.pdfalokopticalswatchco0
 
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...abdenour boussioud
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxcarliotwaycave
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersphosika sithisane
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214Mac An
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesMorag Hughson
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
5 ip security ipsec gre
5 ip security ipsec gre5 ip security ipsec gre
5 ip security ipsec greSagarR24
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceCloudian
 
Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)NYversity
 

Similar to ASA CSC Module (20)

IBM MQ Channel Authentication
IBM MQ Channel AuthenticationIBM MQ Channel Authentication
IBM MQ Channel Authentication
 
1. Task In this assignment you are asked to provide named.pdf
1. Task In this assignment you are asked to provide named.pdf 1. Task In this assignment you are asked to provide named.pdf
1. Task In this assignment you are asked to provide named.pdf
 
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
Best practices for catalyst 4500 4000, 5500-5000, and 6500-6000 series switch...
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
 
Socketcan
SocketcanSocketcan
Socketcan
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
 
SCE 2
SCE 2SCE 2
SCE 2
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
5 ip security ipsec gre
5 ip security ipsec gre5 ip security ipsec gre
5 ip security ipsec gre
 
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceNetwork Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Network Setup Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
Remote access service
Remote access serviceRemote access service
Remote access service
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
F5 tcpdump
F5 tcpdumpF5 tcpdump
F5 tcpdump
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure Communication
 

ASA CSC Module

  • 1. Information About the CSC SSM Some ASA models support the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP/HTTPS, POP3, and SMTP packets that you configure the ASA to send to it. Determining What Traffic to Scan The CSC SSM can scan FTP, HTTP/HTTPS, POP3, and SMTP traffic only when the destination port of the packet requesting the connection is the well-known port for the specified protocol. The CSC SSM can scan only the following connections: •FTP connections opened to TCP port 21. •HTTP connections opened to TCP port 80. •HTTPS connections opened to TCP port 443. •POP3 connections opened to TCP port 110. •SMTP connections opened to TCP port 25. You can apply service policies that include CSC scanning globally or to specific interfaces; therefore, you can choose to enable CSC scans globally or for specific interfaces. Licensing Requirements for the CSC SSM Model & License Requirement ASA 5510 Base License—Supports SMTP virus scanning, POP3 virus scanning and content filtering, web mail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. Supports two contexts. Optional licenses: 5 contexts. Security Plus License—Supports the Base license features, plus SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering. Supports two contexts. Optional license: 5 contexts. ASA 5520 Base License—Supports all features. Supports two contexts. Optional licenses: 5, 10, or 20 contexts.
  • 2. ASA 5540 Base License—Supports all features. Supports two contexts. Optional licenses: 5, 10, 20, or 50 contexts. You must obtain the following information to use in configuring the CSC SSM: –The CSC SSM management port IP address, netmask, and gateway IP address. –DNS server IP address. –HTTP proxy server IP address (needed only if your security policies require the use of a proxy server for HTTP access to the Internet). –Domain name and hostname for the CSC SSM. –An e-mail address and an SMTP server IP address and port number for e-mail notifications. –E-mail address(es) for product license renewal notifications. –IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the ASA management interface can be in different subnets. –Password for the CSC SSM. To configure the ASA to divert traffic to the CSC SSM, perform the following steps: hostname(config)# access-list extended Creates an access list that matches the traffic you want scanned by the CSC SSM. Create as many ACEs as are needed to match all the traffic. For example, to specify FTP, HTTP/HTTPS, POP3, and SMTP traffic, you need four ACEs. hostname(config)# class-map class_map_name Creates a class map to identify the traffic that should be diverted to the CSC SSM. The class_map_name argument is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode. hostname(config-cmap)# match access-list acl-name Identifies the traffic to be scanned with the access list that you created in Step 1. The acl-name argument is the name of the access list. hostname(config-cmap)# policy-map policy_map_name
  • 3. Creates a policy map or modify an existing policy map that you want to use to send traffic to the CSC SSM. The policy_map_name argument is the name of the policy map. When you enter the policy-map command, the CLI enters policy map configuration mode. hostname(config-pmap)# class class_map_name Specifies the class map, created in Step 2, that identifies the traffic to be scanned. The class_map_name argument is the name of the class map that you created in Step 2. The CLI enters the policy map class configuration mode. hostname(config-pmap-c)# csc {fail-close | fail-open} Enables traffic scanning with the CSC SSM and assigns the traffic identified by the class map as traffic to be sent to the CSC SSM. Must be part of a service policy, which can be applied globally or to specific interfaces. Ensures that all unencrypted connections through the ASA are scanned by the CSC SSM hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID] Applies the policy map globally or to a specific interface. To reset the module password to the default of cisco, perform the following steps. hostname# hw-module module 1 password-reset To reload or reset the module, enter one of the following commands at the ASA CLI. hostname# hw-module module 1 reload