Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
55-4
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 55 Configuring the Content Security and Control Application on the CSC SSM
Information About the CSC SSM
Based on the configuration shown in Figure 55-3, configure the adaptive security appliance to divert to
the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections
to the outside network, and incoming SMTP connections from outside hosts to the mail server on the
DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the
DMZ network.
Figure 55-3 Common Network Configuration for CSC SSM Scanning
There are many ways you could configure the adaptive security appliance to identify the traffic that you
want to scan. One approach is to define two service policies: one on the inside interface and the other on
the outside interface, each with access lists that match traffic to be scanned.
Figure 55-4 shows service policy rules that select only the traffic that the adaptive security appliance
should scan.
Figure 55-4 Optimized Traffic Selection for CSC Scans
In the inside-policy, the first class, inside-class1, ensures that the adaptive security appliance does not
scan HTTP traffic between the inside network and the DMZ network. The Match column indicates this
setting by displaying the “Do not match” icon. This setting does not mean the adaptive security appliance
blocks traffic sent from the 192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. Instead,
this setting exempts the traffic from being matched by the service policy applied to the inside interface,
which prevents the adaptive security appliance from sending the traffic to the CSC SSM.
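The selection logic described above can be checked offline with a small model. This is an added example, not part of the Cisco guide: it parses a subset of ASA extended-ACE syntax and applies first-match evaluation per interface. The /24 masks, the use of the whole DMZ network as the SMTP destination (the page gives no mail server address), and the function names are assumptions.

```python
import ipaddress

# Constructed rule sets in ASA extended-ACE syntax (subset: tcp only,
# "any" or "<network> <mask>", "eq <port>"). Masks are assumed to be /24.
POLICY_ACES = {
    "inside": [
        # "Do not match": inside -> DMZ web traffic is exempt from scanning.
        "deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80",
        "permit tcp 192.168.10.0 255.255.255.0 any eq 80",   # HTTP
        "permit tcp 192.168.10.0 255.255.255.0 any eq 21",   # FTP
        "permit tcp 192.168.10.0 255.255.255.0 any eq 110",  # POP3
    ],
    "outside": [
        # Incoming SMTP to the DMZ (mail server address not given on the page).
        "permit tcp any 192.168.20.0 255.255.255.0 eq 25",
    ],
}

def _take_net(tokens):
    """Consume 'any' or '<network> <mask>' and return an IPv4Network."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    net, mask = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{net}/{mask}")

def parse_ace(line):
    """Parse one ACE into (action, source network, destination network, port)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src, dst = _take_net(tokens), _take_net(tokens)
    if len(tokens) != 2 or tokens[0] != "eq":
        raise ValueError(f"unsupported port spec: {line}")
    return action, src, dst, int(tokens[1])

def diverted_to_csc(interface, src_ip, dst_ip, dst_port):
    """First matching ACE decides. 'deny' or no match means the flow bypasses
    the CSC SSM; it is not dropped here, interface access rules decide that."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in POLICY_ACES.get(interface, []):
        action, s_net, d_net, port = parse_ace(line)
        if src in s_net and dst in d_net and dst_port == port:
            return action == "permit"
    return False
```

Because evaluation stops at the first match, the exemption for inside-to-DMZ HTTP has to precede the broader HTTP rule; reversing the two would send that traffic to the CSC SSM.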
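[Figure 55-3 diagram labels: Adaptive Security Appliance with outside (Internet), inside, and dmz interfaces; networks 192.168.10.0, 192.168.20.0 (dmz, hosting the web server and mail server), and 192.168.30.0. Figure ID 143800.]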