Community Member

CSC-SSM File Blocking Scenario

Got a scenario where, when I divert HTTP traffic to the CSC-SSM, an Invalid URL error is encountered. Attached is the network diagram. Users from the branch network get their Internet connection via the Squid proxy of the main branch. The main branch is connected to the branch network via VPN. What we want to accomplish is to block audio files using the CSC-SSM. Audio/Video File was already selected under File Blocking (Trend Micro InterScan), but mp3 files can still be downloaded. Upon checking the config, I noticed that SMTP was the only traffic diverted to the CSC-SSM, so I added HTTP traffic. Below is the config for reference.

access-list outside_mpc_in extended permit tcp any any eq smtp
access-list outside_mpc_in extended permit tcp any any eq http
class-map SMTP
 match access-list outside_mpc_in
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map outside-policy
 class SMTP
  csc fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside

But upon doing this, all HTTP traffic was blocked. An Invalid URL error was encountered. If the access-list for HTTP traffic is removed, then all Internet connections are restored but audio files are not blocked. So it seems that when HTTP traffic is diverted to the CSC-SSM, some packet modification takes place that prevents the proxy from seeing HTTP traffic. Am I missing something in the configuration?

Here is the error message from the proxy.

The Following Error was encountered

· Invalid URL

Some Aspect of the requested URL is incorrect. Possible problems:

· Missing or incorrect access protocol (should be http:// or similar)
· Missing Hostname
· Illegal double-escape in the URL-Path
· Illegal character in hostname; underscores are not allowed

3 REPLIES
Cisco Employee

Re: CSC-SSM File Blocking Scenario

Hi,

How does the Internet traffic go out from the CSC module? Will the CSC-SSM module use a Squid proxy to reach the Internet, or does it have a direct connection?

I'm asking you this, because there are some proxy settings that can be configured depending on your network topology.

Br,

Community Member

Re: CSC-SSM File Blocking Scenario

Hi,

Thanks for the reply. CSC-SSM internet traffic goes through the squid proxy.

Cisco Employee

Re: CSC-SSM File Blocking Scenario

Hi, thanks for your update. So configure the CSC to divert the traffic to the Squid.

Br,
