ASA 5510 transparent Mode with CSC-SSM

I'm implementing an ASA 5510 with the CSC-SSM module. We are using the ASA just for the CSC-SSM module functionality. Our goal is to not have to make any changes to the existing addressing. Is there a way for me to implement the ASA in transparent mode but still push all traffic through the CSC-SSM module? In the past I have pushed all traffic through the CSC-SSM using a class map and an ACL with source and destination IPs. How can I match all traffic while in transparent mode and send it through the CSC-SSM for inspection?

2 REPLIES
Re: ASA 5510 transparent Mode with CSC-SSM

A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; it is unnecessary to readdress IP.

Refer to the PIX/ASA: Transparent Firewall Configuration Example document for information on transparent mode configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Refer to the following URL for more information on configuring the CSC-SSM module on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

Re: ASA 5510 transparent Mode with CSC-SSM

There would be no change in configuring the MPF policies for sending traffic to the CSC-SSM module.

The CSC module can only inspect traffic on TCP ports 21 (FTP), 25 (SMTP), 80 (HTTP) and 110 (POP3).

! Assuming 192.168.1.10 is the CSC module IP
----------------------------------------------
! Exclude the module's own traffic (updates, etc.) so it is not looped back for scanning
access-list csc-scan line 1 extended deny tcp host 192.168.1.10 any
! Only the four protocols the CSC-SSM can scan
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
!
class-map csc-class
 match access-list csc-scan
!
policy-map csc-policy
 class csc-class
  ! fail-open: keep passing traffic if the module is down or unresponsive
  csc fail-open
!
service-policy csc-policy interface inside
----------------------------------------------

The above applies CSC inspection to all outbound traffic.

Hope that helps.

Regards,

Vibhor.
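The reply above relies on two properties of the csc-scan ACL that are easy to get wrong when extending it: ASA ACLs are evaluated top-down with first match and an implicit deny at the end, and only flows that hit a permit ACE are redirected to the module. The following is an added example, not part of the thread, and not Cisco's code: a small Python evaluator for the subset of ASA extended-ACL syntax used in the reply (any, host, network/mask, eq port), fed the reply's ACL verbatim plus a few constructed flows. The module IP 192.168.1.10 is the reply's assumption; the flow addresses are made up for the test. It shows that HTTPS (443) and UDP are never sent to the CSC-SSM under that ACL, that the module's own traffic is skipped by the leading deny, and, going beyond the reply, that a permit ip any any ACE would redirect everything to the module even though it can only scan the four listed ports.

```python
"""Evaluate which flows an ASA extended ACL would redirect to the CSC-SSM.

Supports the ACE shapes used in the forum reply:
  access-list NAME [line N] extended {permit|deny} PROTO SRC DST [eq PORT]
with SRC/DST being 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress

# Port keywords the ASA CLI accepts in place of numbers (subset).
PORT_NAMES = {"ftp": 21, "smtp": 25, "http": 80, "pop3": 110, "https": 443}

# The ACL from the reply above; 192.168.1.10 is the assumed module IP.
CSC_SCAN_ACL = """
access-list csc-scan line 1 extended deny tcp host 192.168.1.10 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
"""


def _parse_addr(tok):
    """Consume one address spec from the token list; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # 'A.B.C.D MASK' form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_acl(config_text):
    """Return {acl_name: [ACE, ...]} with ACEs kept in configured order."""
    acls = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue  # comments, blank lines, other config
        tok = line.split()
        name = tok[1]
        if tok[2] == "line":          # optional 'line N' position keyword
            tok = tok[:2] + tok[4:]
        if tok[2] != "extended":
            raise ValueError("unsupported ACE form: " + line)
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return acls


def acl_permits(acl, src, dst, proto, dport):
    """First-match evaluation: True only if the flow hits a permit ACE."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):   # 'ip' ACEs match any protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False  # implicit deny at the end of every ASA ACL


def sent_to_csc(src, dst, proto, dport, acl_text=CSC_SCAN_ACL, name="csc-scan"):
    """Would the class-map matching this ACL hand the flow to the CSC-SSM?"""
    return acl_permits(parse_acl(acl_text)[name], src, dst, proto, dport)


if __name__ == "__main__":
    # Constructed flows: inside host 10.1.1.5, an Internet server 203.0.113.10
    for flow in [("10.1.1.5", "203.0.113.10", "tcp", 80),
                 ("10.1.1.5", "203.0.113.10", "tcp", 443),
                 ("10.1.1.5", "203.0.113.10", "udp", 53),
                 ("192.168.1.10", "203.0.113.10", "tcp", 80)]:
        print(flow, "-> CSC" if sent_to_csc(*flow) else "-> bypass")
```

The same evaluation applies whether the ASA is routed or transparent: the class-map matches on the ACL, and transparent mode changes only how the interfaces are addressed, not how the MPF classifies traffic.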
