09-16-2007 11:32 PM - edited 02-21-2020 01:41 AM
Is there a way to configure the Anti-X module so that I can filter web content based on source VLAN or subnet? I need to implement something like that and can't find how to do it.
09-17-2007 02:52 AM
Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy
General modular policy info is here
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html
The service policy you create sends traffic to the CSC for inspection
The service policy identifies traffic using one or more class-maps
Class-maps can use an access-list to match interesting traffic
So it's up to how creative you can get with your access-list really.
Info here should be of some help
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664
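Here's an extremely basic example to hopefully get you going that inspects only HTTP traffic initiated from the 10.1.1.0/24 subnet:
! Match HTTP (TCP port 80) initiated from the 10.1.1.0/24 subnet
access-list MATCH_CSC extended permit tcp 10.1.1.0 255.255.255.0 any eq http
! Classify the traffic that matches the ACL
class-map MATCH_CSC_CLASS
 match access-list MATCH_CSC
! Send the classified traffic to the CSC; block it if the CSC is unavailable
policy-map CSC_POLICY
 class MATCH_CSC_CLASS
  csc fail-close
! Apply the policy on all interfaces
service-policy CSC_POLICY global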
Hope this helps
09-17-2007 06:39 AM
Hi,
Thanks for your answer. Maybe I didn't explain well what I really need. I need all the traffic passing through the ASA to be inspected by the CSC, and that's actually already done using ACLs and policy maps as you say; now, once the traffic is sent to the CSC, I need to "classify" the filters based on the source VLAN or subnet.
Example:
A sales manager from VLAN 2 can see sports news on the web, but a Human Resources employee (from VLAN 3) can only get to the organization's web site and financial web pages.
Can it be done?
Thanks again
09-17-2007 05:05 PM
OK, I don't believe there is that level of granular control within the CSC. The closest, I think, would be to exclude selected internal IP address ranges from all URL filtering, i.e. they can go anywhere.
I think you need something like a Websense service which the ASA can query for its URL filtering decisions. Not sure about its co-existence with the CSC though.
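The exclusion idea from the reply above, done at the ASA rather than inside the CSC, as an added example that is not part of the original thread: a deny entry in the ACL that the class-map matches keeps that subnet's HTTP traffic from being sent to the CSC at all. The subnets, the `inside` interface name and the object names are constructed for illustration.

```cisco
! Constructed addressing (assumption, not from the thread):
!   10.1.2.0/24 = subnet exempted from CSC inspection
!   10.1.0.0/16 = all other inside hosts, which stay inspected
!
! ACL entries are evaluated top-down and the first match wins, so the
! deny entry for the exempt subnet must come before the broader permit.
access-list CSC_SCAN extended deny tcp 10.1.2.0 255.255.255.0 any eq www
access-list CSC_SCAN extended permit tcp 10.1.0.0 255.255.0.0 any eq www
!
! Only traffic permitted by the ACL is classified for the CSC.
class-map CSC_SCAN_CLASS
 match access-list CSC_SCAN
!
! fail-close drops the classified traffic if the CSC is unavailable,
! so inspected hosts cannot browse unscanned during an outage.
policy-map CSC_INSIDE_POLICY
 class CSC_SCAN_CLASS
  csc fail-close
!
! Bound to one interface instead of globally, so it can coexist with
! whatever global policy is already applied.
service-policy CSC_INSIDE_POLICY interface inside
```

Traffic exempted this way skips every CSC check on HTTP, malware scanning included, not only URL filtering, so keep the deny entries as narrow as possible.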
09-17-2007 10:58 PM
Thank you very much for your help.