ASA 5510 transparent Mode with CSC-SSM


I'm implementing an ASA 5510 with the CSC-SSM module. We are using the ASA just for the CSC-SSM module functionality. Our goal is to not have to make any changes to the existing addressing. Is there a way for me to implement the ASA in transparent mode but still push all traffic through the CSC-SSM module? In the past I have pushed all traffic through the CSC-SSM using a class map and ACL with source and destination IPs. How can I match all traffic while in transparent mode and send it through the CSC-SSM for inspection?

smahbub Fri, 05/23/2008 - 11:03

A transparent firewall, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; it is unnecessary to readdress IP.


Refer to the PIX/ASA: Transparent Firewall Configuration Example document for info on transparent mode configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml


Refer to the following URL for more info on configuring the CSC-SSM module on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

vitripat Fri, 05/23/2008 - 14:13

There would be no change in configuring the MPF policies for sending traffic to CSC-SSM Module.


Note that the CSC module can only inspect traffic on TCP ports 21 (FTP), 25 (SMTP), 80 (HTTP) and 110 (POP3).


! Assuming 192.168.1.10 is the CSC module IP
----------------------------------------------
access-list csc-scan line 1 extended deny tcp host 192.168.1.10 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
!
class-map csc-class
 match access-list csc-scan
!
policy-map csc-policy
 class csc-class
  csc fail-open
!
service-policy csc-policy interface inside
----------------------------------------------


Above applies CSC inspection on all outbound traffic.


Hope that helps.


Regards,

Vibhor.
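The following is an added Python model of how the csc-scan access list and the csc fail-open action in the reply above decide what happens to a flow; it is example code written for this page, not Cisco's implementation and not part of the original post. It assumes the module address 192.168.1.10 from the reply and constructs a few sample flows inline. It shows the first-match evaluation of the ACL (line 1 keeps the module's own address out of the redirect, later lines pick up the four inspectable TCP ports, everything else falls to the implicit deny and is simply forwarded by the ASA without CSC inspection) and the difference between fail-open and fail-close when the module is unavailable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption carried over from the post: the CSC module's management address.
CSC_MODULE_IP = "192.168.1.10"

# Service names used in the posted ACL, mapped to their TCP ports.
SERVICE_PORTS = {"ftp": 21, "smtp": 25, "http": 80, "pop3": 110}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, optional dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", ...
    src: str               # "any" or an address/prefix such as 192.168.1.10/32
    dst: str               # "any" or an address/prefix
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed model of the posted csc-scan ACL, in the order the ASA evaluates it.
CSC_SCAN: List[Ace] = [
    Ace("deny", "tcp", f"{CSC_MODULE_IP}/32", "any"),           # line 1
    Ace("permit", "tcp", "any", "any", SERVICE_PORTS["smtp"]),  # line 2
    Ace("permit", "tcp", "any", "any", SERVICE_PORTS["pop3"]),  # line 3
    Ace("permit", "tcp", "any", "any", SERVICE_PORTS["http"]),  # line 4
    Ace("permit", "tcp", "any", "any", SERVICE_PORTS["ftp"]),   # line 5
]


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise test membership in the prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _ace_matches(ace: Ace, flow: Flow) -> bool:
    return (
        ace.proto == flow.proto
        and _addr_matches(ace.src, flow.src)
        and _addr_matches(ace.dst, flow.dst)
        and (ace.dport is None or ace.dport == flow.dport)
    )


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if _ace_matches(ace, flow):
            return ace.action == "permit"
    return False


def csc_action(flow: Flow, module_up: bool, fail_open: bool = True) -> str:
    """
    What the csc-policy does with a flow on the inside interface:
      "inspect" - flow matched csc-scan and is diverted to the CSC module
      "forward" - flow did not match csc-scan (or module down with fail-open),
                  so the ASA forwards it without CSC inspection
      "drop"    - flow matched csc-scan, module down, and fail-close is configured
    """
    if not acl_permits(CSC_SCAN, flow):
        return "forward"
    if module_up:
        return "inspect"
    return "forward" if fail_open else "drop"


if __name__ == "__main__":
    # Constructed sample flows (RFC 5737 documentation addresses).
    samples = [
        Flow("tcp", "10.1.1.5", "203.0.113.9", 80),      # client HTTP -> inspected
        Flow("tcp", CSC_MODULE_IP, "203.0.113.9", 80),   # module's own HTTP -> excluded
        Flow("tcp", "10.1.1.5", "203.0.113.9", 443),     # HTTPS -> not inspectable
        Flow("udp", "10.1.1.5", "203.0.113.53", 53),     # DNS -> not tcp, forwarded
    ]
    for f in samples:
        print(f, "->", csc_action(f, module_up=True), "/ module down, fail-open:",
              csc_action(f, module_up=False, fail_open=True), "/ fail-close:",
              csc_action(f, module_up=False, fail_open=False))
```

The csc_action function makes the operational trade-off visible: with fail-open (as in the posted policy) a module outage degrades to uninspected forwarding for SMTP, POP3, HTTP and FTP, whereas fail-close turns the same outage into an outage of those services.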
