Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
4
Replies

ASA Content Security Module (Anti-X) issue

Go to solution
rommel-peraza
Level 1
Level 1

‎09-16-2007 11:32 PM - edited ‎02-21-2020 01:41 AM

Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
GRAEME DANIELSON
Level 1
Level 1
In response to rommel-peraza

‎09-17-2007 05:05 PM

OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
GRAEME DANIELSON
Level 1
Level 1

‎09-17-2007 02:52 AM

Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy

General modular policy info is here

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html

The service policy you create sends traffic to the CSC for inspection

The service policy identifies traffic using one or more class-maps

Class-maps can use an access-list to match interesting traffic

So it's up to how creative you can get with your access-list really.

Info here should be of some help

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664

Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet

access-list MATCH_CSC extended permit ip 10.1.1.0 255.255.255.0 any eq http

class-map MATCH_CSC_CLASS

match access-list MATCH_CSC

policy-map CSC_POLICY

class MATCH_CSC_CLASS

csc fail-close

service-policy CSC_POLICY global

Hope this helps

0 Helpful

Go to solution
rommel-peraza
Level 1
Level 1
In response to GRAEME DANIELSON

‎09-17-2007 06:39 AM

Hi,

Thanks for your answer, I maybe didn?t write well what I really need. I need that the all traffic passing through the ASA to be inspected by the CSC and it?s already done actually using ACL and policy maps as you say; now once the traffic is sent it to the CSC I need to "clasify" the filters based on the source Vlan or Subnet.

Example:

Sales manager from vlan 2 can see sport news on the web but a Human Resources employee(from vlan 3) only can get in the Organization web site and financial web pages.

Can it be done?

Thanks again

0 Helpful

Go to solution
GRAEME DANIELSON
Level 1
Level 1
In response to rommel-peraza

‎09-17-2007 05:05 PM

OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.

0 Helpful

Go to solution
rommel-peraza
Level 1
Level 1
In response to GRAEME DANIELSON

‎09-17-2007 10:58 PM

Thank you very much for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card