487 Views | 0 Helpful | 4 Replies

ASA Content Security Module (Anti-X) issue

rommel-peraza
Level 1

Is there a way to configure the Anti-X module such that I can filter the web content based on source VLAN or subnet? I need to implement something like that and can't find how to do it.


4 Replies

Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy

General modular policy info is here

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html

The service policy you create sends traffic to the CSC for inspection

The service policy identifies traffic using one or more class-maps

Class-maps can use an access-list to match interesting traffic

So it's up to how creative you can get with your access-list really.

Info here should be of some help

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664

Here's an extremely basic example, to hopefully get you going, that inspects only HTTP traffic initiated from the 10.1.1.0/24 subnet:

! Match TCP port 80 (www) from 10.1.1.0/24 to anywhere. The protocol must be tcp,
! not ip: the ip keyword has no ports, so "eq" is rejected with it.
access-list MATCH_CSC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
!
! The class-map selects traffic using the permit entries of the access-list.
class-map MATCH_CSC_CLASS
 match access-list MATCH_CSC
!
! fail-close drops matched traffic if the CSC SSM is not available; use fail-open
! to let it through uninspected instead.
policy-map CSC_POLICY
 class MATCH_CSC_CLASS
  csc fail-close
!
! Only one global service-policy is allowed. If the default global_policy is already
! applied, add the class to that policy-map instead of creating a second one.
service-policy CSC_POLICY global

Hope this helps
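As an added example building on the reply above (not code from the original post), here is the same Modular Policy Framework pattern generalized to several source subnets, which is as far as the ASA side can take the per-VLAN idea: it decides which subnets are sent to the CSC at all. The subnet ranges, the object names and the use of the default global_policy are assumptions.

```cisco
! Added example, not from the original post. Subnets and names are assumptions.
!
! A class-map that matches an access-list is selected by the permit entries;
! traffic hitting a deny entry is simply not classified, so a deny placed
! before a broader permit exempts that range from CSC inspection.
access-list CSC_HTTP extended deny   tcp 10.1.99.0 255.255.255.0 any eq www
access-list CSC_HTTP extended permit tcp 10.1.2.0  255.255.255.0 any eq www
access-list CSC_HTTP extended permit tcp 10.1.3.0  255.255.255.0 any eq www
!
class-map CSC_HTTP_CLASS
 match access-list CSC_HTTP
!
! Attach the class to the existing default global policy: the ASA permits only
! one global service-policy, so a second "service-policy X global" would be refused.
policy-map global_policy
 class CSC_HTTP_CLASS
  csc fail-close
!
service-policy global_policy global
```

With this in place the CSC sees HTTP from VLAN 2 (10.1.2.0/24) and VLAN 3 (10.1.3.0/24) but never from 10.1.99.0/24. Note that fail-close means those two subnets lose HTTP while the CSC SSM is rebooting or failed; choose fail-open only where availability matters more than uninspected web traffic.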

Hi,

Thanks for your answer. I maybe didn't write well what I really need. I need all traffic passing through the ASA to be inspected by the CSC, and that is already done, actually, using ACLs and policy maps as you say; now, once the traffic is sent to the CSC, I need to "classify" the filters based on the source VLAN or subnet.

Example:

A sales manager from VLAN 2 can see sports news on the web, but a Human Resources employee (from VLAN 3) can only get to the organization's web site and financial web pages.

Can it be done?

Thanks again

OK, I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering, i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for its URL filtering decisions. Not sure about its co-existence with the CSC though.
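As an added illustration of the two approaches named in this reply (not configuration from the original post), the ASA-side commands that hand URL decisions to a Websense server and that exempt one internal range from filtering. The server address, the interface name and the exempt subnet are assumptions; the per-VLAN category policy itself (sports for one group, finance only for another) lives on the Websense server, which is what makes the source-based split possible there but not inside the CSC.

```cisco
! Added example, not from the original post. Addresses and interface are assumptions.
!
! Register a Websense server reachable on the inside interface, using the
! TCP-based URL-filtering protocol version 4.
url-server (inside) vendor websense host 10.1.100.5 timeout 30 protocol TCP version 4
!
! Ask the server about every outbound HTTP request (any local host to any
! foreign host). Omitting the "allow" keyword means HTTP is blocked while the
! server is unreachable, i.e. the filter fails closed.
filter url http 0 0 0 0
!
! Exclude one internal range from URL filtering entirely: this is the
! "selected internal IP ranges can go anywhere" option.
filter url except 10.1.99.0 255.255.255.0 0 0
```

The ASA only forwards the client address and requested URL and enforces the server's verdict, so which categories VLAN 2 and VLAN 3 may reach is defined on the Websense side by source network or user group, not in the ASA configuration.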

Thank you very much for your help.
