Class-map for CSC ignores

Jul 18th, 2008

I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be

permit ip any

deny ip any any

or the other way around?

deny ip any

permit ip any any

Marwan ALshawi Fri, 07/18/2008 - 07:51

With class-maps,

a permit ACL means match

deny means ignore

In your case

deny traffic from the to any

then permit any

good luck

and rate if helpful

tahequivoice Fri, 07/18/2008 - 08:17

OK, I think I got it; haven't applied it yet.

access-list CSC-Ignore extended deny tcp eq www

access-list CSC-Ignore extended permit tcp any any eq www


class-map http

match access-list CSC-Ignore

Marwan ALshawi Fri, 07/18/2008 - 19:51

That's right

but upon the ACL you have written above you will ignore web traffic from to

and will match any other web traffic

but nothing else

I mean no SMTP, POP3 or FTP

if you want to match anything else after the deny or ignore statement

you have to make permit ip any any

after you match it with the class-map

apply it to a policy map

like policy-map global_policy (which is the default global policy)

class-map (your class-map name)

csc fail-open


service-policy global_policy global

in this case it will be applied to all interfaces

good luck

Rate if helpful
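
The configuration discussed in this thread, assembled in one place as an added example (not posted by either participant). The subnet 192.0.2.0 255.255.255.0 is a constructed placeholder for the application's address range, which the thread does not show, and using it as the source of the deny line is an assumption; inside a policy-map the class-map is referenced with the `class` keyword.

```cisco
! ACL used only for classification: "deny" exempts traffic from the CSC,
! "permit" sends it to the CSC. Entries are evaluated top-down, first match wins,
! so the exemption must come before the broad permit.
!
! 192.0.2.0 255.255.255.0 is a placeholder subnet (assumption, not from the thread).
access-list CSC-Ignore extended deny tcp 192.0.2.0 255.255.255.0 any eq www
access-list CSC-Ignore extended permit tcp any any eq www
!
! Only HTTP is permitted above, so SMTP, POP3 and FTP are NOT scanned.
! To scan everything except the exempted HTTP flow, the second line would
! instead be:  access-list CSC-Ignore extended permit ip any any
!
class-map http
 match access-list CSC-Ignore
!
! Attach the class to the default global policy and divert matches to the CSC.
! fail-open lets matched traffic pass unscanned if the CSC module is down.
policy-map global_policy
 class http
  csc fail-open
!
! Global application: the policy applies to all interfaces.
service-policy global_policy global
```

After applying, `show service-policy` and the hit counters in `show access-list CSC-Ignore` show whether the exempted subnet is matching the deny entry rather than the permit.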
