ASA Content Security Module (Anti-X) issue

Answered Question
Sep 16th, 2007

Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.

I have this problem too.
0 votes
Correct Answer by GRAEME DANIELSON about 9 years 2 months ago

OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
GRAEME DANIELSON Mon, 09/17/2007 - 02:52

Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy

General modular policy info is here

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html

The service policy you create sends traffic to the CSC for inspection

The service policy identifies traffic using one or more class-maps

Class-maps can use an access-list to match interesting traffic

So it's up to how creative you can get with your access-list really.

Info here should be of some help

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664

Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet

access-list MATCH_CSC extended permit ip 10.1.1.0 255.255.255.0 any eq http

class-map MATCH_CSC_CLASS

match access-list MATCH_CSC

policy-map CSC_POLICY

class MATCH_CSC_CLASS

csc fail-close

service-policy CSC_POLICY global

Hope this helps

rommel-peraza Mon, 09/17/2007 - 06:39

Hi,

Thanks for your answer, I maybe didn?t write well what I really need. I need that the all traffic passing through the ASA to be inspected by the CSC and it?s already done actually using ACL and policy maps as you say; now once the traffic is sent it to the CSC I need to "clasify" the filters based on the source Vlan or Subnet.

Example:

Sales manager from vlan 2 can see sport news on the web but a Human Resources employee(from vlan 3) only can get in the Organization web site and financial web pages.

Can it be done?

Thanks again

Correct Answer
GRAEME DANIELSON Mon, 09/17/2007 - 17:05

OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.

Actions

This Discussion