Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

How to configure ASA in order to send traffic to the CSC SSM for Content Scanning

Core issue

The adaptive security appliance (ASA) diverts packets to the Content Security and Control Security Services Module (CSC SSM) after firewall policies are applied but before the packets exit the egress interface. For example, packets that are blocked by an access list are not forwarded to the CSC SSM.

Configure service policies in order to specify which traffic the adaptive security appliance should divert to the CSC SSM. The CSC SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols.

In order to simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC SSM, both inbound and outbound. Because if you scan all traffic that comes through the adaptive security appliance, this can reduce the performance of the adaptive security appliance and the CSC SSM, you want to revise this security policy later. For example, it is not usually necessary to scan all traffic that comes from your inside network because it comes from a trusted source. If you refine the service policies so that the CSC SSM scans only traffic from untrusted sources, you can achieve your security goals and maximize performance of the adaptive security appliance and the CSC SSM.

Resolution

In order to create a global service policy that identifies traffic to be scanned, complete these steps:

  1. In the main ASDM window, choose the Configuration tab.
       
  2. Choose Security Policies, and then click the Service Policy Rules radio button.
       
  3. Click Add.

    The Add Service Policy Rule appears.
       
  4. In the Service Policy page, click the Global - applies to all interfaces radio button.
       
  5. Choose Next. The Traffic Classification Criteria page appears.
       
  6. In the Traffic Classification Criteria page, click the User class-default as the traffic class radio button.
       
  7. Choose Next. The Add Service Policy Rule Wizard - Rule Actions page appears.
       
  8. In the Service Policy Rule Wizard, choose the CSC Scan tab.
       
  9. On the CSC Scan tab page, check the Enable CSC scan for this traffic flow check box.

    In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable.
       
  10. Choose Finish.

    The new service policy appears in the Service Policy Rules pane.
       
  11. Choose Apply.
       

In order to configure additional CSC SSM features in ASDM, which includes content filtering, click the Configuration or Monitoring tab, then choose the Trend Micro Content Security tab.

Refer to the Diverting Traffic to CSC SSM section of Managing AIP SSM and CSC SSM for more information on how to configure ASA to send traffic to CSC SSM with the use of the command line.

1184
Views
0
Helpful
0
Comments