Cisco Support Community

ASA CSC Module Doubt

Hi everybody, I have a question for the CSC experts,

I want to know if the CSC Module with Trend Micro software will help me to allow my client's users to navigate only from 12h00 to 13h00,

I know I could configure that and that it works, but I'll explain myself a little bit, so you could help me with my doubt.

1.- As far as I know, if I use a Time ACL with the ASA I could deny users to navigate (HTTP) in a period of time, but I could not deny the users that have established a session before; this only works with users that want to establish a new session within the configured period of time. (I have read several documents that explain that.)

2.- I know that with a proxy server each connection is treated as a new session, so the CSC (that works like a proxy server) should work like this.

3.- So the problem that happens with the ASA time ACL (explained in #1) doesn't happen with the CSC, is this true? If a user that has been navigating in the hours permitted by the network administrator continues navigating in the hours not permitted, will he get a denied message, or must I, as with the ASA, clear all the connections? So when the new connection is established with the CSC the user will get HTTP denied.

Hope I explained myself and someone could clarify this for me.

My client doesn't have the ASA CSC Module; I'm asking this because I need to offer him a solution.

Thanks in advance.

Juan Pablo

Cisco Employee

Re: ASA CSC Module Doubt

Hi Juan Pablo,

Yes, you can configure this behavior with the CSC module. To do this, you can configure all hours as "Work Hours", except for 1200 to 1300, which would be defined as "Leisure Hours". Then, you can configure the URL filtering function to filter all sites during Work Hours, but allow sites to be unfiltered during your Leisure Hours.

Here is a document that describes this:

Hope that helps.

Cisco Employee

Re: ASA CSC Module Doubt

Time based ACLs on the ASA will also solve your problem. You are right to say that existing connections will still go through, but HTTP connections don't stay. After the page is up they are torn down. So new pages will initiate new connections and thus be subject to the time based ACL.

Still, the CSC will also solve your issue. In the module you can set Leisure and Work hours and allow HTTP pages during each period. So I would block all pages (star in the URL field) during the Work hours and allow during the leisure.

I hope it helps.
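The session behavior discussed in this thread, as an added example that is not part of any post and is not ASA or CSC code: a simplified model of a stateful firewall that checks a time-based ACL only when a new connection is opened. The class and function names, the sample addresses and the 12:55/13:05 timestamps are constructed for illustration.

```python
# Simplified model of a stateful firewall with a time-based ACL (not ASA code).
from datetime import time

ALLOWED_START, ALLOWED_END = time(12, 0), time(13, 0)  # window from the thread


def acl_permits(now):
    """Time-based ACL: HTTP is permitted only inside the allowed window."""
    return ALLOWED_START <= now < ALLOWED_END


class StatefulFirewall:
    def __init__(self):
        self.conn_table = set()  # established flows: (client_ip, client_port)

    def packet(self, flow, now, syn=False):
        """Return True if the packet is forwarded."""
        if flow in self.conn_table:
            return True                # established flow: ACL is not re-checked
        if syn and acl_permits(now):
            self.conn_table.add(flow)  # ACL is evaluated only for new flows
            return True
        return False

    def close(self, flow):
        self.conn_table.discard(flow)  # connection torn down or timed out

    def clear_connections(self):
        self.conn_table.clear()        # administrator clears the table


def run_scenario():
    fw, results = StatefulFirewall(), {}
    persistent = ("10.0.0.5", 50001)   # constructed flow that stays open
    short_lived = ("10.0.0.6", 50002)  # constructed flow closed after one page
    results["open_1255_persistent"] = fw.packet(persistent, time(12, 55), syn=True)
    results["open_1255_short"] = fw.packet(short_lived, time(12, 55), syn=True)
    fw.close(short_lived)              # page loaded, connection torn down
    results["reuse_1305_persistent"] = fw.packet(persistent, time(13, 5))
    results["new_1305_short"] = fw.packet(("10.0.0.6", 50003), time(13, 5), syn=True)
    fw.clear_connections()
    results["after_clear_1305"] = fw.packet(persistent, time(13, 5))
    return results


if __name__ == "__main__":
    for step, forwarded in run_scenario().items():
        print(f"{step}: {'forwarded' if forwarded else 'dropped'}")
```

In the model, only the flow that was opened inside the window and never closed keeps passing at 13:05; a new connection at the same time is dropped, and so is the old flow once the connection table is cleared.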

