ASA with new CSC module not filtering

gmgarrian
Level 4
Level 4

I've just installed a new CSC module and uploaded the base and plus licenses.  Everything went smoothly but it's not filtering traffic.  I have no throughput on the ASDM's Content Security tab.

This is my first install of this type of module.  What am I missing?

Here is the config I added to the ASA:

object-group network AllWoon-Networks
 description Networks for CSC scanning
 network-object 10.1.0.0 255.255.0.0
 network-object 10.48.0.0 255.255.0.0
 network-object 10.128.0.0 255.255.0.0
 network-object 10.144.0.0 255.255.0.0
 network-object 10.192.0.0 255.255.0.0
 network-object 10.240.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0

access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq ftp
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq pop3
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp

class-map csc_outbound_class
 match access-list csc_scanned

policy-map csc_scanned_policy
 class csc_outbound_class
  csc fail-open

service-policy csc_scanned_policy interface outside

Thanks!

4 Replies

lawchung
Cisco Employee
Cisco Employee

Do a 'show module' on the ASA to make sure the csc module is not unresponsive.

Do a 'show service-policy' on the ASA to see if the class map is getting any hits.

Try changing the acl to something like the following to see if it works.

access-list csc_list permit tcp any any eq http
access-list csc_list permit tcp any any eq ftp
access-list csc_list permit tcp any any eq smtp
access-list csc_list permit tcp any any eq pop3


Allen P Chen
Level 5
Level 5

The outputs of the following will let you know whether the module is processing traffic:

show service-policy interface outside

show access-list csc_scanned (see if there are hit counts on the ACL for the CSC-SSM)

It is also recommended to put a deny statement for the IP address of the module itself at the top of your ACL, so the module does not scan its own traffic, this is mentioned here:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808dea62.shtml#asad

In your case, the configuration to add would be:

access-list csc_scanned line 1 deny ip host any

Hope that helps.

mirober2
Cisco Employee
Cisco Employee

In addition to the good advice above, you'll also want to verify that the module has a valid network connection. The easiest way to confirm this is to verify that the CSC can check its license status. To do that:

1. Browse to https://:8443

2. Click Administration > Product License

3. Click the 'Check Status Online' button

If the "Last Status Check" field changes to today's date, the test was successful and your network settings are probably okay. Otherwise, you'll want to confirm your module's address and DNS information and be sure it can get out to the Internet.

Hope that helps.

-Mike

Thanks to everyone for the suggestions.  I actually figured this out on my own.

Since I had the acl specify internal networks but applied the policy to the outside interface, no traffic matched since everything was being NAT'ed.  I changed it so the policy was applied to the internal interface and now it's working fine.
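The root cause found above (an ACL of private source networks bound to the outside interface, where traffic has already been NATed) can be checked mechanically. The following lint is an added example, not code from the thread or from Cisco; the configuration text is a constructed sample that mirrors the posted config, and the 203.0.113.7 address stands in for whatever public address the outside NAT uses.

```python
import ipaddress

# Constructed sample that mirrors the thread's posted config: private source
# networks in the ACL, service-policy bound to 'outside'.
SAMPLE_CONFIG = """\
object-group network AllWoon-Networks
 network-object 10.1.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp
service-policy csc_scanned_policy interface outside
"""

def parse_config(text):
    """Collect ACL source networks (expanding object-groups) and the interface
    the service-policy is bound to.  Only the forms used above are handled."""
    groups, acl_sources, iface, current = {}, [], None, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current:
            # ipaddress accepts "address/netmask", the ASA's dotted-mask form
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:1] == ["access-list"] and "permit" in tok:
            src = tok[tok.index("permit") + 2]          # token after the protocol
            if src == "object-group":
                acl_sources.extend(groups[tok[tok.index("permit") + 3]])
            elif src == "any":
                acl_sources.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok[:1] == ["service-policy"] and "interface" in tok:
            iface = tok[tok.index("interface") + 1]
    return acl_sources, iface

def acl_matches(acl_sources, src_ip):
    """True if a packet with this source address would hit the ACL."""
    return any(ipaddress.ip_address(src_ip) in net for net in acl_sources)

def lint(text):
    """Warn when private-only ACL sources are evaluated on 'outside', where the
    ASA sees post-NAT source addresses and the class map will never match."""
    acl_sources, iface = parse_config(text)
    if iface == "outside" and acl_sources and all(n.is_private for n in acl_sources):
        return [f"policy on '{iface}' sees post-NAT sources but all ACL sources are private"]
    return []

if __name__ == "__main__":
    srcs, _ = parse_config(SAMPLE_CONFIG)
    print("pre-NAT 10.1.5.20 hits ACL:", acl_matches(srcs, "10.1.5.20"))      # True
    print("post-NAT 203.0.113.7 hits ACL:", acl_matches(srcs, "203.0.113.7"))  # False
    print(lint(SAMPLE_CONFIG))
```

Moving the binding to the inside interface, as the poster did, clears the warning because the ACL then sees the pre-NAT source addresses.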
