06-06-2007 08:47 AM - edited 03-09-2019 06:08 PM
During the bootup, I get a series of
...WARNING: CSC can ONLY scan TCP traffic that is destined to port 80 (HTTP), 25 (SMTP), 110 (POP3), or 21 (FTP) when configured. Any other type of traffic, even if configured, will not be scanned.
*** Output from config line 387, " csc fail-open")
One for each port. I know the CSC fail-open is to pass the traffic if CSC fails, but what about the rest of the message? Normal?
06-06-2007 09:06 AM
Yes, it's normal. It's just informing you that the CSC-SSM module can only scan the specified traffic.
If it is any other traffic like HTTPS, or if you are looking at scanning TFTP traffic or some NetBIOS traffic, it won't be scanned by the CSC module.
Your config for diverting the traffic through the CSC would look like:
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq www
access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq pop3
!
class-map cscmap
 match access-list csc
!
policy-map cscpolicy
 class cscmap
  csc fail-open
!
service-policy cscpolicy interface outside
service-policy cscpolicy interface inside
!
-Hoogen
Do rate if this post helps :)
06-06-2007 09:38 AM
This one looks a bit different; it doesn't appear to use an ACL.
class-map FTP
 match port tcp eq ftp
class-map http
 match port tcp eq www
class-map SMTP
 match port tcp eq smtp
class-map inspection_default
 match default-inspection-traffic
class-map POP3
 match port tcp eq pop3
!
policy-map inside-policy
 class http
  csc fail-open
 class POP3
  csc fail-open
 class FTP
  csc fail-open
 class SMTP
  csc fail-open
This was all done via the GUI.
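
Added example (not part of any post in this thread, and not Cisco code): a small Python check that reads an ASA configuration and, for every class carrying a `csc` action, lists which matched ports fall outside the four the warning says the CSC module can scan. It handles both styles shown above (ACL-based and `match port tcp eq`), only the simple `eq <port>` form; the function name and the merged sample config are assumptions made for illustration.

```python
import re

# Ports the boot-time warning quoted in this thread says the CSC module can scan
# (ASA keyword or number): HTTP, SMTP, POP3, FTP.
CSC_SCANNABLE = {"www", "80", "smtp", "25", "pop3", "110", "ftp", "21"}

# Sample input: constructed by merging lines from the two configurations posted above.
SAMPLE_CONFIG = """\
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq www
access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq pop3
class-map cscmap
 match access-list csc
class-map SMTP
 match port tcp eq smtp
policy-map cscpolicy
 class cscmap
  csc fail-open
 class SMTP
  csc fail-open
"""

def csc_port_report(config):
    """Map each class that has a csc action to (scannable ports, ports CSC will not scan)."""
    acl_ports, class_matches, csc_classes = {}, {}, []
    cmap = pclass = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit tcp .* eq (\S+)$", line):
            acl_ports.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m[1]
        elif m := re.match(r"match (access-list|port tcp eq) (\S+)$", line):
            class_matches.setdefault(cmap, []).append((m[1], m[2]))
        elif m := re.match(r"class (\S+)$", line):
            pclass = m[1]
        elif line.startswith("csc ") and pclass and pclass not in csc_classes:
            csc_classes.append(pclass)
    report = {}
    for name in csc_classes:  # resolve ACL references after the whole config is read
        ports = []
        for kind, ref in class_matches.get(name, []):
            ports += acl_ports.get(ref, []) if kind == "access-list" else [ref]
        report[name] = ([p for p in ports if p in CSC_SCANNABLE],
                        [p for p in ports if p not in CSC_SCANNABLE])
    return report

if __name__ == "__main__":
    for name, (ok, skipped) in csc_port_report(SAMPLE_CONFIG).items():
        print(f"{name}: scanned={ok} not scanned by CSC={skipped}")
```

On the sample, the ACL-based class reports `https` as diverted to the module but not scanned, which is the situation the boot warning describes.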