Panos Kampanakis, Cisco Employee

 

Introduction

This article explains how to do the initial setup of the CSC-SSM module in an ASA using the CLI. After reading it carefully you should be able to walk through the initial setup and end up with a functional SSM module. ASDM can also be used for the same purpose (that procedure is covered separately).

 

Initial set up

The CSC-SSM is a module that is inserted in the slot on the front of an ASA 5510, 5520, 5540 or 5550. The first time the module is inserted in the slot, the ASA has to be shut down and rebooted; after this first reload the CSC is considered hot-swappable.
Once inserted, the CSC has to be given network access through the module's own external Ethernet port. Treat the module like a host on the inside network: it has to be part of the LAN and have Internet connectivity so that it can pull pattern updates and communicate with the Trend Micro servers. After the Ethernet cable of the CSC is plugged in, the port's network settings (IP address, mask, gateway, DNS) are configured in the section that follows.

 

Configuring the CSC-SSM

The initial network and license setup of the CSC is done from the ASA CLI with the command "session 1" (the module sits in slot 1). The default username and password to log in to the CSC are both cisco; the setup wizard forces a password change on the first login. It then takes you through a number of interactive steps to do the configuration. These include:

 

  • new password
  • IP address of the module
  • network mask
  • hostname of the CSC (it can be anything)
  • domain name
  • DNS servers
  • default gateway
  • proxy server (optional)
  • domain of the emails to be scanned
  • administrator's email address
  • SMTP server IP address
  • Base license activation code
  • Plus license activation code (optional)

 

The session will look like the following (the addresses and license codes shown are placeholders, not real values).

 

 

CSC-ASA# sess 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
The password has expired.
You are required to change your password immediately
Changing password for cisco
(current) password:
New password:
Retype new password:

      Trend Micro InterScan for Cisco CSC SSM Setup Wizard
---------------------------------------------------------------------
To set up the SSM, the wizard prompts for the following information:
    1. Network settings
    2. Date/time settings verification
    3. Incoming email domain name
    4. Notification settings
    5. Activation Codes
The Base License is required to activate the SSM.
Press Control-C to abort the wizard.
Press Enter to continue ...

                        Network Settings
---------------------------------------------------------------------
Enter the SSM card IP address: 172.18.124.237
Enter subnet mask: 255.255.255.0
Enter host name: my-csc-ssm
Enter domain name: cisco.com
Enter primary DNS IP address: 172.18.108.43
Enter optional secondary DNS IP address:
Enter gateway IP address: 172.18.124.1
Do you use a proxy server? [y|n] n

                        Network Settings
---------------------------------------------------------------------
IP             172.18.124.237
Netmask        255.255.255.0
Hostname       my-csc-ssm
Domain name    cisco.com
Primary DNS    172.18.108.43
Gateway        172.18.124.1
No Proxy
Are these settings correct? [y|n] y
Applying network settings ...
Do you want to confirm the network settings using ping? [y|n] n

                       Date/Time Settings
---------------------------------------------------------------------
SSM card date and time: 11/21/2008 19:16:32
The SSM card periodically synchronizes with the chassis.
Is the time correct? [y|n] y

                      Incoming Domain Name
---------------------------------------------------------------------
Enter the domain name that identifies incoming email messages: (default:cisco.com)
Domain name of incoming email: cisco.com
Is the incoming domain correct? [y|n] y

              Administrator/Notification Settings
---------------------------------------------------------------------
Administrator email address: admin-4-csc@cisco.com
Notification email server IP: 172.18.108.45
Notification email server port: (default:25)

              Administrator/Notification Settings
---------------------------------------------------------------------
Administrator email address: admin-4-csc@cisco.com
Notification email server IP: 172.18.108.45
Notification email server port: 25
Are the notification settings correct? [y|n] y

                           Activation
---------------------------------------------------------------------
You must activate your Base License, which enables you to update
your virus pattern file. You may also activate your Plus License.
Activation Code example: BV-43CZ-8TYY9-D4VNM-82We9-L7722-WPX41
Enter your Base License Activation Code: PX-DUMM-DUMMY-DUMMY-DUMMY-DUMMY-DUMMY
Base License activation is successful.
(Press Enter to skip activating your Plus License.)
Enter your Plus License Activation Code: PX-DUMM-DUMMY-DUMMY-DUMMY-DUMMY-DUMMY
Plus License activation is successful.

                        Activation Status
---------------------------------------------------------------------
Your Base License is activated.
Your Plus License is activated.
Stopping services: OK
Starting services: OK
The Setup Wizard is finished.
Please use your Web browser to connect to the management console at:
https://172.18.124.237:8443
Press Enter to exit ...

Remote card closed command session. Press any key to continue.
Command session with slot 1 terminated.

Browsing to https://172.18.124.237:8443 then gives access to the CSC graphical user interface, where the rest of the module configuration (scanning policies, updates, notifications) is done. The console is only reachable from the network the module's Ethernet port sits on, so restrict access to it as you would for any other management interface.

 

 

Configuring the ASA for the CSC-SSM

What is left is to have the ASA redirect traffic through the CSC-SSM module so that the security inspections can take place. We use an access list (ACL) to identify the traffic to be sent to the module (HTTP, SMTP, POP3 and FTP, i.e. TCP ports 80, 25, 110 and 21). The module's own traffic is excluded with a deny entry at the top of the ACL: it is unnecessary to inspect the traffic the module itself generates (pattern updates, license checks), and it would only cost performance. Note that when an ACL is referenced from a class-map, a deny entry does not drop anything; it only keeps the matching traffic out of the class, and because the ACL is evaluated top-down with first match winning, the deny must come before the permit entries. The ACL is used in a class-map to match the traffic, and the class-map in turn is used in a policy-map. In our example the action for the class is "csc fail-open", which means that if the CSC fails, all traffic that should have been inspected is passed through uninspected (availability over enforcement). The alternative "csc fail-close" drops all traffic destined for the CSC while the module is down (enforcement over availability); pick the one that matches your policy, and monitor the module status either way so a failure does not go unnoticed. Finally, a service-policy applies the policy-map; here it is attached to the global_policy that a default ASA configuration already applies globally. The configuration looks like the following (the CSC IP address is the 172.18.124.237 configured in the previous section):

 

access-list csc-acl extended deny ip host 172.18.124.237 any 
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp

class-map csc-class
match access-list csc-acl

policy-map global_policy
class csc-class
  csc fail-open

service-policy global_policy global
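The following is an added example, not Cisco code or anything from the original article: a small model of how the ASA evaluates an ACL referenced from a class-map (top-down, first match wins, permit puts the flow in the class, deny keeps it out). It runs the five csc-acl entries above against a few sample flows, and then against the same entries with the deny moved to the end, to show why the deny for the module's own address has to be first. The flow addresses and the update-server address 203.0.113.10 are constructed for illustration.

```python
"""Added example: first-match evaluation of csc-acl as a class-map match.

Not Cisco code. The flows and the update-server address 203.0.113.10 are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise exact match
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # None when the ACE has no "eq" clause

# The five entries of csc-acl from the article, in the order they appear.
CSC_SSM_IP = "172.18.124.237"
CSC_ACL = [
    Ace("deny",   "ip",  CSC_SSM_IP, "any", None),  # the module's own traffic
    Ace("permit", "tcp", "any", "any", 80),         # www
    Ace("permit", "tcp", "any", "any", 25),         # smtp
    Ace("permit", "tcp", "any", "any", 110),        # pop3
    Ace("permit", "tcp", "any", "any", 21),         # ftp
]

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """True when every field of the ACE matches the flow."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True

def csc_decision(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the ACL top-down and stop at the first matching entry.

    A permit match puts the flow in csc-class, so the ASA sends it to the
    module ("inspect"). A deny match, or no match at all, keeps the flow out
    of the class, so it is forwarded without CSC inspection ("bypass").
    """
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return "inspect" if ace.action == "permit" else "bypass"
    return "bypass"

def misordered_acl():
    """The same entries with the deny moved last: under first-match the
    permit for port 80 now wins for the module's own HTTP update traffic."""
    return CSC_ACL[1:] + CSC_ACL[:1]

if __name__ == "__main__":
    flows = [
        ("tcp", CSC_SSM_IP, "203.0.113.10", 80),   # module pulling pattern updates
        ("tcp", "10.0.0.238", "10.0.58.16", 80),   # client web browsing
        ("tcp", "10.0.0.238", "10.0.58.16", 443),  # HTTPS, not in the ACL at all
        ("tcp", "10.0.1.2", "10.0.0.3", 25),       # inbound SMTP
    ]
    for flow in flows:
        print(flow, "correct order:", csc_decision(CSC_ACL, *flow),
              "deny last:", csc_decision(misordered_acl(), *flow))
```

With the deny first, the module's update traffic is bypassed and client HTTP/SMTP is inspected; with the deny last, the module's own HTTP traffic would be sent back into the module for inspection. HTTPS is never matched by this ACL, so it is not inspected either way.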

 

 

Verification

To verify that the settings are applied and that the CSC is functional, a few commands can be run on the ASA. "show module 1 detail" shows the status of the module; the fields to look at are App. Status, Data plane Status, the three service lines (HTTP, Mail, FTP) and Activated.

 

CSC-ASA# sh modu 1 det
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model:              ASA-SSM-CSC-10
Hardware version:   1.0
Serial Number:      JADUMMYDUMM
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.2.1599.0
MAC Address Range:  dumm.dumm.dumm to dumm.dumm.dumm
App. name:          CSC SSM
App. Status:        Up
App. Status Desc:   CSC SSM scan services are available
App. version:       6.2.1599.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP  Service:       Up
Activated:          Yes
Mgmt IP addr:       172.18.124.237
Mgmt web port:      8443
Peer IP addr:       <not enabled>

While traffic (web, SMTP, POP3, FTP) is passing, "sh conn | include X" shows the active connections that are being inspected by the CSC; the X in the flags column marks a connection that has been handed to the service module.

 

CSC-ASA# sh conn | include X
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
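The following is an added example, not Cisco code or part of the original article: a small health check that parses captured "show module 1 detail" and "show conn" output, reports whether every status field a working module needs is at its expected value, and counts the connections carrying the X flag per service port. The sample output is constructed from the article's own output above; the one extra conn line (port 443, no X flag) is added to show a flow that the csc-acl does not send to the module.

```python
"""Added example: health check over the ASA verification commands.

Not Cisco code. SHOW_MODULE and SHOW_CONN are constructed from the output
shown in the article; the port 443 line in SHOW_CONN is added here.
"""
import re
from collections import Counter

SHOW_MODULE = """\
ASA 5500 Series Content Security Services Module-10
Model:              ASA-SSM-CSC-10
Hardware version:   1.0
Serial Number:      JADUMMYDUMM
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.2.1599.0
App. name:          CSC SSM
App. Status:        Up
App. Status Desc:   CSC SSM scan services are available
App. version:       6.2.1599.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP  Service:       Up
Activated:          Yes
Mgmt IP addr:       172.18.124.237
Mgmt web port:      8443
Peer IP addr:       <not enabled>
"""

SHOW_CONN = """\
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
TCP out 10.0.58.16:443 in 10.0.0.238:55400 idle 0:00:03 bytes 1902 flags UIO
"""

# Fields that must hold these values for the module to be usable.
REQUIRED = {
    "App. Status": "Up", "Data plane Status": "Up", "Status": "Up",
    "HTTP Service": "Up", "Mail Service": "Up", "FTP Service": "Up",
    "Activated": "Yes",
}
CSC_PORTS = {80, 25, 110, 21}   # www, smtp, pop3, ftp, as in csc-acl

def parse_show_module(text: str) -> dict:
    """Turn 'Key:   value' lines into a dict. Runs of spaces inside a key
    (the ASA prints 'FTP  Service') are collapsed to one space."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?):\s+(.*?)\s*$", line)
        if m:
            fields[" ".join(m.group(1).split())] = m.group(2)
    return fields

def csc_health(text: str) -> list:
    """Return a list of problems; an empty list means every REQUIRED field
    has its expected value (a missing field is reported as None)."""
    fields = parse_show_module(text)
    return [f"{key}: expected {want!r}, got {fields.get(key)!r}"
            for key, want in REQUIRED.items() if fields.get(key) != want]

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if1>\S+)\s+(?P<a1>[\d.]+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<a2>[\d.]+):(?P<p2>\d+)\s+idle\s+(?P<idle>\S+)\s+"
    r"bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)")

def parse_show_conn(text: str) -> list:
    """One dict per conn line; lines that do not look like a conn are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("p1", "p2", "bytes"):
                d[k] = int(d[k])
            conns.append(d)
    return conns

def inspected_conns(text: str) -> list:
    """Connections whose flags include X (inspected by the service module)."""
    return [c for c in parse_show_conn(text) if "X" in c["flags"]]

def inspected_by_port(text: str) -> dict:
    """Count inspected connections per service port, taking whichever side
    of the conn carries one of the csc-acl ports."""
    counts = Counter()
    for c in inspected_conns(text):
        port = c["p1"] if c["p1"] in CSC_PORTS else c["p2"]
        counts[port] += 1
    return dict(counts)

if __name__ == "__main__":
    print("problems:", csc_health(SHOW_MODULE) or "none")
    print("inspected connections per port:", inspected_by_port(SHOW_CONN))
```

Run this against the real command output (for example, saved from a scheduled "show module 1 detail") to alert on a module that has dropped to fail-open without anyone noticing; the 443 connection shows up in the parsed list but not among the inspected ones, since HTTPS is not part of csc-acl.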