09-16-2007 11:32 PM - edited 02-21-2020 01:41 AM
Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.
Solved! Go to Solution.
09-17-2007 05:05 PM
OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.
I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.
09-17-2007 02:52 AM
Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy
General modular policy info is here
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html
The service policy you create sends traffic to the CSC for inspection
The service policy identifies traffic using one or more class-maps
Class-maps can use an access-list to match interesting traffic
So it's up to how creative you can get with your access-list really.
Info here should be of some help
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664
Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet
access-list MATCH_CSC extended permit ip 10.1.1.0 255.255.255.0 any eq http
class-map MATCH_CSC_CLASS
match access-list MATCH_CSC
policy-map CSC_POLICY
class MATCH_CSC_CLASS
csc fail-close
service-policy CSC_POLICY global
Hope this helps
09-17-2007 06:39 AM
Hi,
Thanks for your answer, I maybe didn?t write well what I really need. I need that the all traffic passing through the ASA to be inspected by the CSC and it?s already done actually using ACL and policy maps as you say; now once the traffic is sent it to the CSC I need to "clasify" the filters based on the source Vlan or Subnet.
Example:
Sales manager from vlan 2 can see sport news on the web but a Human Resources employee(from vlan 3) only can get in the Organization web site and financial web pages.
Can it be done?
Thanks again
09-17-2007 05:05 PM
OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.
I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.
09-17-2007 10:58 PM
Thank you very much for your help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide