Cisco Support Community
New Member

ASA Content Security

Hey there,

I set up an ASA FW with Trend Micro Content Security. When I add a URL to the block list, I can still open it from the PCs which use the ASA as the gateway?! What did I forget?

Lars

2 REPLIES
Bronze

Re: ASA Content Security

The access list configured for URL cookies is not working.

The URL filtering features presented in this chapter allow the Content Engine to control client access to websites in any of the following ways:

Deny access to URLs specified in a list.

Permit access only to URLs specified in a list.

Direct traffic to an N2H2 server for filtering.

Direct traffic to a Websense enterprise server for filtering.

http://www.cisco.com/en/US/products/sw/conntsw/ps491/products_configuration_guide_chapter09186a008008123b.html#98891

New Member

Re: ASA Content Security

CSC-SSM modules use service policies to redirect traffic to the module for processing.

Here is an example of what I do...

The inside_mpc is matching only inside traffic destined for web, ftp, pop3 and smtp.

The outside_mpc is matching traffic going to the internal servers (using the outside public addresses) matching pop3 and smtp.

Then, I build inside and outside classes matching traffic off of the ACL and sending it to the CSC module with the csc fail-open or csc fail-close command.

I hope this helps.

--Gavin Budd

access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq pop3
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq smtp
access-list outside_mpc extended permit tcp any x.x.25.0 255.255.255.0 eq pop3
access-list outside_mpc extended permit tcp any x.x.25.0 255.255.255.0 eq smtp
!
!
class-map inside-class
 match access-list inside_mpc
class-map outside-class
 match access-list outside_mpc
!
!
policy-map outside-policy
 class outside-class
  csc fail-open
policy-map inside-policy
 class inside-class
  csc fail-open
!
service-policy outside-policy interface outside
service-policy inside-policy interface inside
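
An added example, not part of the original posts: a small Python check that follows the ACL, class-map, policy-map and service-policy chain described in the reply above and reports which ports on each interface are actually handed to the CSC module, and with which failure mode. The function name `csc_coverage` and the sample configuration are constructed for illustration; the sample omits the `csc` action on the outside policy on purpose, and only per-interface `service-policy` lines are handled.

```python
import re

# Constructed sample based on the configuration posted above; the
# "csc" action is left out of outside-policy on purpose.
SAMPLE_CONFIG = """\
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list inside_mpc extended permit tcp 10.0.0.0 255.0.0.0 any eq smtp
access-list outside_mpc extended permit tcp any x.x.25.0 255.255.255.0 eq smtp
class-map inside-class
 match access-list inside_mpc
class-map outside-class
 match access-list outside_mpc
policy-map inside-policy
 class inside-class
  csc fail-open
policy-map outside-policy
 class outside-class
service-policy inside-policy interface inside
service-policy outside-policy interface outside
"""

def csc_coverage(config):
    """Map each interface to the (port, csc-mode) pairs redirected to the CSC module."""
    acl_ports, class_acl, actions, bindings = {}, {}, {}, []
    cmap = pmap = pclass = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit tcp .* eq (\S+)$", line):
            acl_ports.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m[1]
        elif (m := re.match(r"match access-list (\S+)$", line)) and cmap:
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap, pclass = m[1], None
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            pclass = m[1]
        elif (m := re.match(r"csc (fail-open|fail-close)$", line)) and pclass:
            actions.setdefault(pmap, []).append((pclass, m[1]))
        elif m := re.match(r"service-policy (\S+) interface (\S+)$", line):
            bindings.append((m[1], m[2]))
    coverage = {}
    for policy, iface in bindings:  # resolve policy -> class -> ACL -> ports
        pairs = coverage.setdefault(iface, [])
        for cls, mode in actions.get(policy, []):
            pairs += [(port, mode) for port in acl_ports.get(class_acl.get(cls), [])]
    return coverage

if __name__ == "__main__":
    for iface, pairs in csc_coverage(SAMPLE_CONFIG).items():
        print(iface, pairs or "NOT redirected to CSC")
```

An interface that comes back with an empty list has a service policy bound but no class sending traffic to the module, so block lists on the CSC-SSM never see that traffic; `fail-open` entries mark traffic that passes unscanned if the module is down.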
