ASA with new CSC module not filtering

Unanswered Question
Aug 17th, 2010

I've just installed a new CSC module and uploaded the base and plus licenses.  Everything went smoothly but it's not filtering traffic.  I have no throughput on the ASDM's Content Security tab.


This is my first install of this type of module.  What am I missing?


Here is the config I added to the ASA:


object-group network AllWoon-Networks
description Networks for CSC scanning
network-object 10.1.0.0 255.255.0.0
network-object 10.48.0.0 255.255.0.0
network-object 10.128.0.0 255.255.0.0
network-object 10.144.0.0 255.255.0.0
network-object 10.192.0.0 255.255.0.0
network-object 10.240.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0


access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq ftp
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq pop3
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp


class-map csc_outbound_class
match access-list csc_scanned


policy-map csc_scanned_policy
class csc_outbound_class
csc fail-open


service-policy csc_scanned_policy interface outside


Thanks!

lawchung Wed, 08/18/2010 - 12:32
User Badges: Cisco Employee

Do a 'show module' on the ASA to make sure the csc module is not unresponsive.


Do a 'show service-policy' on the ASA to see if the class map is getting any hits.


Try changing the acl to something like the following to see if it works.



access-list csc_list permit tcp any any eq http
access-list csc_list permit tcp any any eq ftp
access-list csc_list permit tcp any any eq smtp
access-list csc_list permit tcp any any eq pop3


Allen P Chen Wed, 08/18/2010 - 16:26
User Badges: Cisco Employee

The outputs of the following will let you know whether the module is processing traffic:


show service-policy interface outside

show access-list csc_scanned (see if there are hit counts on the ACL for the CSC-SSM)


It is also recommended to put a deny statement for the IP address of the module itself at the top of your ACL, so the module does not scan its own traffic. This is mentioned here:


http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808dea62.shtml#asad


In your case, the configuration to add would be:


access-list csc_scanned line 1 deny ip host any


Hope that helps.

mirober2 Wed, 08/18/2010 - 18:40
User Badges: Cisco Employee

In addition to the good advice above, you'll also want to verify that the module has a valid network connection. The easiest way to confirm this is to verify that the CSC can check its license status. To do that:


1. Browse to https://:8443

2. Click Administration > Product License

3. Click the 'Check Status Online' button


If the "Last Status Check" field changes to today's date, the test was successful and your network settings are probably okay. Otherwise, you'll want to confirm your module's address and DNS information and be sure it can get out to the Internet.


Hope that helps.


-Mike

gmgarrian Thu, 08/19/2010 - 06:42

Thanks to everyone for the suggestions.  I actually figured this out on my own.


Since I had the acl specify internal networks but applied the policy to the outside interface, no traffic matched since everything was being NAT'ed.  I changed it so the policy was applied to the internal interface and now it's working fine.
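The resolution above (the class-map ACL names inside networks, but the policy sat on the outside interface where flows carry their translated source address) and Allen's "deny the module's own IP on line 1" advice can both be checked with a small model. The following is an added example, not code from the thread or from Cisco: it parses the ACL lines exactly as posted, applies them first-match the way the ASA does, and simulates the interface difference. Assumptions: every inside network is PATed to one constructed outside address (203.0.113.5), the CSC module's management address is a constructed placeholder (10.1.0.250), and the outside-interface policy sees post-NAT sources, which is the pre-8.3 behaviour the poster observed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the thread's ACL lines, mapped to TCP ports.
SERVICE_PORTS = {"ftp": 21, "www": 80, "http": 80, "smtp": 25, "pop3": 110}

# The AllWoon-Networks object group, copied from the original post.
OBJECT_GROUPS = {
    "AllWoon-Networks": [ipaddress.IPv4Network(n) for n in (
        "10.1.0.0/16", "10.48.0.0/16", "10.128.0.0/16", "10.144.0.0/16",
        "10.192.0.0/16", "10.240.0.0/16", "192.168.0.0/16")],
}
ANY = (ipaddress.IPv4Network("0.0.0.0/0"),)

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp"
    src: tuple             # source networks
    dst: tuple             # destination networks
    dport: Optional[int]   # None means any destination port

def _parse_addr(tok, i):
    """Consume one ASA address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (ipaddress.IPv4Network(tok[i + 1] + "/32"),), i + 2
    if tok[i] == "object-group":
        return tuple(OBJECT_GROUPS[tok[i + 1]]), i + 2
    return (ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"),), i + 2   # net mask

def parse_acl(lines):
    """Parse 'access-list NAME [line N] [extended] ACTION PROTO SRC DST [eq PORT]'.
    'line N' inserts the entry at 1-based position N, as the ASA CLI does."""
    acl = []
    for line in lines:
        tok = line.split()
        assert tok[0] == "access-list", line
        i, pos = 2, None
        if tok[i] == "line":
            pos, i = int(tok[i + 1]) - 1, i + 2
        if tok[i] == "extended":
            i += 1
        action, proto, i = tok[i], tok[i + 1], i + 2
        src, i = _parse_addr(tok, i)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = SERVICE_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        ace = Ace(action, proto, src, dst, dport)
        if pos is None:
            acl.append(ace)
        else:
            acl.insert(pos, ace)
    return acl

def acl_lookup(acl, src, dst, proto, dport):
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(src in n for n in ace.src) or not any(dst in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return None

# Constructed PAT address: all inside networks appear as this on the outside.
OUTSIDE_PAT_ADDRESS = "203.0.113.5"

def sent_to_csc(acl, interface, src, dst, proto, dport):
    """Whether the service policy on `interface` diverts the flow to the CSC module.
    Assumption (matches the thread's resolution, pre-8.3 ASA behaviour): on the
    outside interface the flow is matched with its translated source address."""
    if interface == "outside":
        src = OUTSIDE_PAT_ADDRESS
    return acl_lookup(acl, src, dst, proto, dport) == "permit"

CSC_MODULE_IP = "10.1.0.250"   # constructed placeholder; not from the thread
ACL_LINES = [
    "access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq ftp",
    "access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www",
    "access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq pop3",
    "access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp",
    f"access-list csc_scanned line 1 deny ip host {CSC_MODULE_IP} any",
]
CSC_ACL = parse_acl(ACL_LINES)

if __name__ == "__main__":
    client, web = "10.1.5.20", "198.51.100.10"          # constructed hosts
    print("policy on outside:", sent_to_csc(CSC_ACL, "outside", client, web, "tcp", 80))
    print("policy on inside: ", sent_to_csc(CSC_ACL, "inside", client, web, "tcp", 80))
    print("module's own HTTP:", sent_to_csc(CSC_ACL, "inside", CSC_MODULE_IP, web, "tcp", 80))
```

Run as-is it shows the three cases from the thread: the same client-to-web flow is ignored when the policy is on the outside interface (post-NAT source matches nothing in the object group), is scanned when the policy is on the inside interface, and the module's own outbound traffic hits the line 1 deny and is never sent back to the module. The `line 1` handling matters: without it the deny would sit after the permits and never fire.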
