Content Security Module for ASA - SSM-CSC

blackswans
Level 1

Hi,

Is it possible with that module to have some of the users filtered (like restricting facebook.com) and others unfiltered? I mean, is user-based filtering possible?

thx

Accepted Solutions

suschoud
Cisco Employee

In ASA, you define what traffic should be sent to CSC for scanning purposes.

In the ACL where you define the traffic, add an entry denying the source IP addresses for which you do not want filtering to be done.

    ! Class that selects traffic for the CSC module
    class-map CSC-C
     match access-list CSC-TRAFFIC
    policy-map global_policy
     class CSC-C
      csc fail-open
    ! deny = not sent to CSC, permit = sent to CSC
    access-list CSC-TRAFFIC line 1 extended deny tcp host x.x.x.x any eq 80
    access-list CSC-TRAFFIC line 2 extended permit tcp any any eq 80
    access-list CSC-TRAFFIC line 3 extended permit tcp any any eq smtp

In the above example, web traffic from x.x.x.x will not be sent to CSC...

HTH

Sushil
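
A small Python model of how the ACL in the answer above selects traffic for CSC, added here as an example and not part of the original post or any Cisco code. It assumes first-match evaluation with an implicit deny, uses 192.0.2.10 as a constructed stand-in for x.x.x.x, and parses only the ACE shapes shown in this thread.

```python
import ipaddress
import re

# Constructed sample: the ACL from the answer, with the x.x.x.x placeholder
# replaced by 192.0.2.10 (documentation address). Text order = line order.
ACL_TEXT = """\
access-list CSC-TRAFFIC line 1 extended deny tcp host 192.0.2.10 any eq 80
access-list CSC-TRAFFIC line 2 extended permit tcp any any eq 80
access-list CSC-TRAFFIC line 3 extended permit tcp any any eq smtp
"""

PORT_NAMES = {"www": 80, "smtp": 25}  # only the keywords this sketch needs
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+tcp\s+(?P<src>host\s+\S+|any)\s+any\s+eq\s+(?P<port>\S+)")


def parse_acl(text):
    """Return ACEs in order as (action, source address or None for any, port)."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unsupported ACE: {line!r}")
        src = None if m["src"] == "any" else ipaddress.ip_address(m["src"].split()[1])
        port = PORT_NAMES.get(m["port"]) or int(m["port"])
        aces.append((m["action"], src, port))
    return aces


def sent_to_csc(aces, src_ip, dst_port):
    """First matching ACE decides; no match is an implicit deny (not scanned)."""
    src_ip = ipaddress.ip_address(src_ip)
    for action, src, port in aces:
        if (src is None or src == src_ip) and port == dst_port:
            return action == "permit"  # permit = diverted to CSC
    return False


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    flows = [("192.0.2.10", 80), ("192.0.2.11", 80), ("192.0.2.10", 25), ("192.0.2.11", 443)]
    for ip, port in flows:
        print(f"{ip} -> tcp/{port}: {'CSC' if sent_to_csc(aces, ip, port) else 'bypass'}")
```

The exempted host's SMTP is still scanned because the deny entry covers only port 80, and a deny placed below the matching permit never takes effect.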


Marwan ALshawi
VIP Alumni

It is possible based on source IP address, not user name.

if helpful Rate

You will need some type of URL filtering software like WebSense to filter based on user.....

Marwan ALshawi
VIP Alumni

I think you were asking about how to filter some websites based on users, so I told you that you can do it through source IP, not username.

However, it seems you were looking for how to send specific traffic to CSC.

Then this link will give all the details in that regard:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

good luck

if helpful Rate
