09-14-2008 08:02 PM - edited 03-09-2019 09:28 PM
Hi,
I'm using the CSC-SSM module on our ASA 5510. All the functions on the module are working, except the file blocking function; for example, executable files over HTTP are not being blocked even though we have set it to block them.
Any suggestions or help is appreciated.
FYI, the software version of CSC module is 6.1.1519 upgraded with the batch file b-6.1-b1519-1 and it has the Plus license.
Thanks,
09-15-2008 05:31 AM
Please post your ASA config. You will need to re-direct traffic to the CSC with a policy map that has "CSC" commands in the http class.
-Joe
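As an added illustration of the redirect Joe describes (not configuration from this thread; the ACL and class-map names are assumed), this is the shape of an ASA policy that hands HTTP flows to the CSC-SSM so its file-blocking rules actually see them:

```text
! Assumed names: CSC_HTTP_ACL and CSC_HTTP_CLASS (not from the thread)
! Select the traffic the module should scan (HTTP to any destination)
access-list CSC_HTTP_ACL extended permit tcp any any eq www
!
class-map CSC_HTTP_CLASS
 match access-list CSC_HTTP_ACL
!
policy-map global_policy
 class CSC_HTTP_CLASS
  ! fail-close drops matched traffic while the module is down or reloading;
  ! fail-open would pass it unscanned, which defeats the blocking policy
  csc fail-close
!
service-policy global_policy global
```

Without a class carrying the `csc` action, the module never receives the HTTP flows and its file-blocking settings have nothing to act on; `show service-policy csc` on the ASA shows whether packets are being redirected.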
09-15-2008 05:47 AM
In this case you need to use ASA policies that inspect HTTP and port misuse.
Test for HTTP port cloaking:
Firewall(config-http-map)# port-misuse {default | im | p2p | tunnelling} action {allow | drop | reset} [log]
HTTP port cloaking is used to transport traffic from a non-HTTP application over the standard HTTP port. These applications appear to use regular HTTP, as if they were web-based applications. The firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP packet.
You can use one of the following keywords to detect a specific tunneling application:
• im - Instant messaging applications. In PIX 7.0, only Yahoo Messenger is detected.
• p2p - Peer-to-peer applications. In PIX 7.0, Kazaa and Gnutella can be detected.
• tunnelling - Data from arbitrary applications is tunneled inside HTTP request messages to bypass normal firewalls. In PIX 7.0, the following tunneling applications can be detected:
  o HTTPort/HTTHost - http://www.htthost.com
  o GNU Httptunnel - http://www.nocrew.org/software/httptunnel.html
  o GotoMyPC - http://www.gotomypc.com
  o Firethru Fire Extinguisher - http://www.firethru.com
  o Http-tunnel.com Client - http://www.http-tunnel.com
If the application is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.
You can also use the default keyword to define an action to be taken for any HTTP port misuse application that is not one of the keywords listed.
You can repeat this command to define multiple applications to detect.
For example, the following commands reset connections if a peer-to-peer application, a tunneling application, or any other unrecognized port-cloaking application is detected. Only instant messaging applications are allowed to pass through.
Firewall(config)# http-map Filter_http
Firewall(config-http-map)# port-misuse im action allow
Firewall(config-http-map)# port-misuse default action reset log
Firewall(config-http-map)# exit
Also have a look at the following link regarding HTTP misuse:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml
Good luck.
If helpful, rate.
09-15-2008 07:05 AM
I would recommend upgrading to 6.2.1599.4. You can do this upgrade without any outage (only the CSC module will reload--not the ASA) and you will benefit from a countless number of bug fixes.
You will first need to upgrade to 6.2.1599.0, and then apply the 6.2.1599.4 patch.
-Mike