Divert the traffic to CSC in ASA

CSCO10320953 · ‎01-17-2009

Hi All,

When i try to divert the traffic(http,ftp) to CSC from ASA inside interface ,internet is not working.What would be the Problem?

victor_87 · ‎01-17-2009

i Suspect URL filtering is enabled on your CSC Module, Internet does work with URL(content) filtering but is slowed down drastically.

Are you sure you are doing the diversion the right way???

1.An access-list catching interesting traffic http and ftp. (keep in mind that max limitation of CSC is only 500 users).

2.Class-map matching the above mentioned access-list.

3. including the class-map in the global policy.(better select the fail-open option when including in the policy)

USe ASDM to monitor the CSC when the traffic is diverted. may be you selected fail-close and the CSC is choked.

Posting how you are diverting the traffic onto the CSC etc configuration could give us a better idea.

Rate if helpful.

CSCO10320953 · ‎01-17-2009

Hi,

i Suspect URL filtering is enabled on your CSC Module, Internet does work with URL(content) filtering but is slowed down drastically.

Yes.Customer wants to do it .

Are you sure you are doing the diversion the right way???

Yes.

1.An access-list catching interesting traffic http and ftp. (keep in mind that max limitation of CSC is only 500 users).

we have 1000 user license.

2.Class-map matching the above mentioned access-list.

Yes.Pl find the Configuration.

3. including the class-map in the global policy.(better select the fail-open option when including in the policy)

Fail-open done.

including the class-map in the global policy,Can u confirm ,this is done or not in the my config.

Network Setup :

1.Internet Router-outside-ASA+CSC--Inside ---IPS-- Switch(total Vlan 10)---

If I remove CSC module ,there is problem in the Internet.

2.ASA inside to Outside NAting is done .

3.One more nating is in router for internet because we have only Wan ip.

4.We got 1000 user license

PL find the configuration

class-map csc_outbound_class

match access-list csc_out

policy-map csc_out_policy

class csc_outbound_class

csc fail-open

access-list csc_out permit tcp any any eq 21

access-list csc_out permit tcp any any eq 80

access-list csc_out permit tcp any any eq 110

service-policy csc_out_policy interface Inside

Thanks.

victor_87 · ‎01-17-2009

Everything seems to be correct as per the configuration, u do not need to apply it globally as u are applying it on the inside interface.

But this command "service-policy csc_out_policy interface Inside " catches only the traffic that is going towards the internet. I think (still thinking) your content filtering wont work in this case.

All this put aside ur internet must be

working.

I suggest you disable the url filtering once and check whether that is causing the problem. If that is the problem we'll try to resolve it.

CSCO10320953 · ‎01-19-2009

HI ,

Reconfiguration done. The traffic has been routed for particular Host even for Single host ,internet is very slow.

victor_87 · ‎01-19-2009

I thought you said the internet is not working at all.

But you are now saying it's slow.

It definitely would be slow as URL or content filtering is enabled. In this case the whole content of the page is scanned and thus is obvious to be slow.

The remedy here is only to diable url filtering and USE URL blocking instead to block website names that have a certain key word that you want to block.

The URL blocking feature works very well.

cheers.