Cisco Support Community
New Member

ASA Content Security Module (Anti-X) issue

Is there a way to configure the Anti-X module so that I can filter the web content based on source VLAN or subnet? I need to implement something like that and can't find how to do it.


4 REPLIES
New Member

Re: ASA Content Security Module (Anti-X) issue

Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy

General modular policy info is here

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html

The service policy you create sends traffic to the CSC for inspection

The service policy identifies traffic using one or more class-maps

Class-maps can use an access-list to match interesting traffic

So it's up to how creative you can get with your access-list really.

Info here should be of some help

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664

Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet

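! Match HTTP (tcp/80) initiated from 10.1.1.0/24
access-list MATCH_CSC extended permit tcp 10.1.1.0 255.255.255.0 any eq http
!
! Class-map selects the traffic matched by the access-list
class-map MATCH_CSC_CLASS
 match access-list MATCH_CSC
!
! Send the class to the CSC; fail-close blocks it if the CSC is unavailable
policy-map CSC_POLICY
 class MATCH_CSC_CLASS
  csc fail-close
!
service-policy CSC_POLICY global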

Hope this helps

New Member

Re: ASA Content Security Module (Anti-X) issue

Hi,

Thanks for your answer. Maybe I didn't explain well what I really need. I need all the traffic passing through the ASA to be inspected by the CSC, and that is already done using ACLs and policy maps as you say; now, once the traffic is sent to the CSC, I need to "classify" the filters based on the source VLAN or subnet.

Example:

A sales manager from VLAN 2 can see sports news on the web, but a Human Resources employee (from VLAN 3) can only get to the organization's web site and financial web pages.

Can it be done?

Thanks again

New Member

Re: ASA Content Security Module (Anti-X) issue

OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.

I think you need something like a Websense service which the ASA can query for its URL filtering decisions. Not sure about its co-existence with the CSC though.
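
One way to express the "exclude selected internal IP address ranges" workaround at the ASA, shown as an added example that is not part of the original posts. It assumes the exemption is done in the access-list that diverts traffic to the CSC; the subnet for VLAN 2 (10.1.2.0/24) and the names CSC_HTTP and CSC_HTTP_CLASS are constructed for illustration.

```cisco
! Constructed addressing (assumption): VLAN 2 = 10.1.2.0/24
!
! A deny entry in an access-list used by a class-map means
! "do not match this class", so HTTP from VLAN 2 is not sent to the CSC.
access-list CSC_HTTP extended deny tcp 10.1.2.0 255.255.255.0 any eq http
!
! All other HTTP passing through the ASA is diverted to the CSC.
access-list CSC_HTTP extended permit tcp any any eq http
!
class-map CSC_HTTP_CLASS
 match access-list CSC_HTTP
!
policy-map CSC_POLICY
 class CSC_HTTP_CLASS
  csc fail-close
!
service-policy CSC_POLICY global
```

Traffic exempted this way skips every CSC check on that port, not only URL filtering, so the deny entries should cover as few sources as possible.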

New Member

Re: ASA Content Security Module (Anti-X) issue

Thank you very much for your help.
