08-17-2010 01:35 PM - edited 03-11-2019 11:27 AM
I've just installed a new CSC module and uploaded the base and plus licenses. Everything went smoothly but it's not filtering traffic. I have no throughput on the ASDM's Content Security tab.
This is my first install of this type of module. What am I missing?
Here is the config I added to the ASA:
object-group network AllWoon-Networks
 description Networks for CSC scanning
 network-object 10.1.0.0 255.255.0.0
 network-object 10.48.0.0 255.255.0.0
 network-object 10.128.0.0 255.255.0.0
 network-object 10.144.0.0 255.255.0.0
 network-object 10.192.0.0 255.255.0.0
 network-object 10.240.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq ftp
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq pop3
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp
class-map csc_outbound_class
 match access-list csc_scanned
policy-map csc_scanned_policy
 class csc_outbound_class
  csc fail-open
service-policy csc_scanned_policy interface outside
Thanks!
08-18-2010 12:32 PM
Do a 'show module' on the ASA to make sure the csc module is not unresponsive.
Do a 'show service-policy' on the ASA to see if the class map is getting any hits.
Try changing the acl to something like the following to see if it works.
access-list csc_list permit tcp any any eq http
access-list csc_list permit tcp any any eq ftp
access-list csc_list permit tcp any any eq smtp
access-list csc_list permit tcp any any eq pop3
08-18-2010 04:26 PM
The outputs of the following will let you know whether the module is processing traffic:
show service-policy interface outside
show access-list csc_scanned (see if there are hit counts on the ACL for the CSC-SSM)
It is also recommended to put a deny statement for the IP address of the module itself at the top of your ACL, so the module does not scan its own traffic. This is mentioned here:
In your case, the configuration to add would be:
access-list csc_scanned line 1 deny ip host
Hope that helps.
08-18-2010 06:40 PM
In addition to the good advice above, you'll also want to verify that the module has a valid network connection. The easiest way to confirm this is to verify that the CSC can check its license status. To do that:
1. Browse to https://
2. Click Administration > Product License
3. Click the 'Check Status Online' button
If the "Last Status Check" field changes to today's date, the test was successful and your network settings are probably okay. Otherwise, you'll want to confirm your module's address and DNS information and be sure it can get out to the Internet.
Hope that helps.
-Mike
08-19-2010 06:42 AM
Thanks to everyone for the suggestions. I actually figured this out on my own.
Since I had the acl specify internal networks but applied the policy to the outside interface, no traffic matched since everything was being NAT'ed. I changed it so the policy was applied to the internal interface and now it's working fine.
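The mismatch described in the last post, as an added example that is not part of the original thread: this Python sketch parses the object-group and ACL posted above and checks whether a given source address would fall into the csc_scanned class. The function names and the two host addresses are assumptions made for illustration; 203.0.113.10 stands in for a translated address as the last post describes the ASA seeing it on the outside interface.

```python
import ipaddress

# ASA configuration lines as posted in the thread.
ASA_CONFIG = """\
object-group network AllWoon-Networks
 network-object 10.1.0.0 255.255.0.0
 network-object 10.48.0.0 255.255.0.0
 network-object 10.128.0.0 255.255.0.0
 network-object 10.144.0.0 255.255.0.0
 network-object 10.192.0.0 255.255.0.0
 network-object 10.240.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq ftp
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq www
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq pop3
access-list csc_scanned extended permit tcp object-group AllWoon-Networks any eq smtp
"""

# ASA port keywords used by the ACL, mapped to TCP port numbers.
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "pop3": 110, "smtp": 25}

def parse_config(text):
    """Return ({group: [networks]}, [(acl_name, action, group, port)])."""
    groups, acl, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current:
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:1] == ["access-list"] and "object-group" in tok:
            # access-list NAME extended ACTION tcp object-group GROUP any eq PORT
            acl.append((tok[1], tok[3], tok[6], PORT_NAMES[tok[-1]]))
    return groups, acl

def acl_matches(text, acl_name, src_ip, dst_port):
    """True if a TCP flow from src_ip to dst_port hits a permit entry."""
    groups, acl = parse_config(text)
    src = ipaddress.ip_address(src_ip)
    for name, action, group, port in acl:
        in_group = any(src in net for net in groups[group])
        if name == acl_name and port == dst_port and in_group:
            return action == "permit"
    return False  # no entry matched: the flow is not in the class, so not scanned

if __name__ == "__main__":
    # Constructed addresses: an inside host and a translated (post-NAT) address.
    for src in ("10.1.20.5", "203.0.113.10"):
        print(src, "tcp/80 in csc_scanned:", acl_matches(ASA_CONFIG, "csc_scanned", src, 80))
```

A source address outside every network-object never matches, which is consistent with the zero hit counts that 'show access-list csc_scanned' and 'show service-policy' would report in that situation.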