ASA 5520 : IP address for CSC SSM

Hi All,
I have an ASA 5520 with CSC SSM. I have base and plus license and want to activate it. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM what range should I give?
There is an ISA server on the DMZ where all user IPs get PATed and on ASA this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing proxy).
My basic doubt is about the IP address and gateway that the CSC SSM should have and is it related to the management interface IP address?
Thanks and Regards.
Sonu

Hi
Put your CSC IP address in the outside interface subnet, because CSC needs automatic updates from the Internet, and you are also able to manage the CSC remotely.
For example:
If your outside IP is 10.0.0.1/24, make the CSC IP 10.0.0.2/24 with gateway 10.0.0.1.
Hope this helps
regs
S.Mohana sundaram

Similar Messages

  • Which part number for CSC-SSM with Plus license?

    Dear All,
    Which part number for CSC-SSM with Plus License? I saw the part number for standard license.
    Could you let me know?
    Best regards,

    Hi,
    The part number is the following:
    ASA-CSCX-YP-ZY
    where X is your CSC model, Y is the number of seats of the license and Z is the number of years.
    For instance, if you need a 2 year plus license for a CSC10 with 250 seats, the part number would be ASA-CSC10-250P-2Y
    Regards,
    Nicolas

  • Password recovery for CSC-SSM

    I have a CSC SSM module in my lab. I forgot its username/password and also the IP address of the CSC module. When I tried to reimage the CSC module, setup asks for the IP address of the CSC module. Is there any way to recover the password without knowing the IP address of the CSC module?

    This document describes how to recover a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the Advanced Inspection and Prevention Security Services Module (AIP-SSM) without having to re-image the device.
    http://cisco.com/en/US/partner/products/ps6120/products_password_recovery09186a00807f5a59.shtml

  • Trend Micro updates for CSC SSM

    Any word on if or when patch would be available for 6.3.1172 ? My ASA has only 256kb memory, and I believe it would require a memory upgrade for any further software upgrades.

    The mail and TMCM agent service is always stopped. Access to CSC-SSM via web browser is not possible, nothing happens, and ASDM is not communicating with CSC. I restarted management access port, without success. Restore to Factory settings is not possible. I get this error message:
    Restoring default settings: /opt/trend/isvw/bin/setup.bin: line 2861: /opt/trend/isvw/lib/mail/rules/UserApprovedList.txt: Read-only file system
    /opt/trend/isvw/bin/setup.bin: line 2862: /opt/trend/isvw/lib/mail/rules/UserBlockedList.txt: Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/web/intscan.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    I try to reimage with 6.2 version, maybe this helps.
    If you have a clue tell me!
    Thank you

  • License violation has been detected on the InterScan for CSC SSM

    We are receiving this every day at 1 AM, but there is no traffic on the network at this time. What can I do on the ASA or CSC to find out where and what this traffic is?
    There are currently 559 active nodes while you only have 500 seats of license. 59 more seats of license is required.

    This issue has confused us for a while too… Here’s the deal:
    Even after the license violation the traffic for all the users will be scanned by the module. Despite the error message that you are seeing, the CSC will not drop connections due strictly to license violations.  It is only a warning at this point. 
    With a high number of nodes, it is likely that you will overwhelm the CSC processing capacity.  If the users are overly aggressive in their connections, they can easily max out the capacity.
    Here's a high level link:
    http://www.cisco.com/en/US/customer/products/ps6120/products_white_paper0900aecd805c3cd6.shtml
    Can you increase the license?  It only goes up to 1,000.
    How can you tell what the count is?  Use the following command from the ASA CLI:
    show csc node-count yesterday
    Here's the link:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s2_72.html#wp1186101
    Hope this helps!

  • InterScan for CSC SSM Notification

    I have received this message from my ASA5500 with SSM module: Compact Flash storage is nearly out of space
    After that I received another one with the message: Scan services have recovered from a previous failure. The SSM system is now back to normal.
    I think the SSM module has a flash of 1GB. Does anyone know whether this is normal or something is wrong?

    We opened a TAC case for this, and we received the following response: "The error you're getting is a known cosmetic error. It will not affect anything. There is currently no workaround at the moment. This is normal; there is a built-in mechanism that automatically cleans up the flash."

  • Filtering sub-categories on Interscan for CSC SSM

    Does anyone know how to identify what URLs are classified as a part of each sub-category? Is there a published list somewhere that I can tell which sites are part of certain categories?
    Thanks,
    Larry

    Try this link:
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/modules/cscssm/cscssm61/csc61adm/

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to set up Active/Standby HA mode for my site.
    Currently the site has one ASA firewall unit installed with a CSC-SSM module; the second unit is new and ready to be set up.
    My question:
    01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
    Do I need to prep the CSC-SSM before the ASA is in HA mode, or will it auto-propagate the configuration when both units are in HA mode?
    What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
    Also, failover will not fail if the config on the two modules is different, but of course you want to have the same one.
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a PIX 515e to an ASA 5510 with CSC SSM.  We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config. Any help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From which IP addresses are you trying to send traffic to the Exchange server?
    Please do a packet-tracer and give us the output:
    packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!
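
The ACL reading in the reply above can be checked mechanically. The following is an added example, not code from the thread: it parses the object-groups and the `outside_access` ACL excerpted from the posted config and returns the first entry that matches a flow, or `None` for the implicit deny. The parser covers only the statement forms in the excerpt, and 203.0.113.10 is a constructed test address.

```python
from ipaddress import ip_address, ip_network

# Excerpt of the config posted above (object-groups and outside_access ACL).
CONFIG = """\
object network obj-192.168.9.2
host 192.168.9.2
object-group network Red-Condor
network-object host 66.234.112.69
network-object host 66.234.112.89
object-group service Email_Filter tcp-udp
port-object eq 389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Exchange-Server
network-object host 192.168.1.65
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
"""
PORTS = {"smtp": 25, "pop3": 110, "https": 443}  # port names used above
ANY = ip_network("0.0.0.0/0")

def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def parse(config):
    """Return (groups, aces): name -> members, and ACEs in config order."""
    groups, aces, cur = {}, [], None
    for line in config.splitlines():
        w = line.split() or [""]  # blank lines match no branch below
        if w[0] in ("object", "object-group"):
            cur = groups.setdefault(w[2], [])
        elif w[0] == "host":
            cur.append(ip_network(w[1]))
        elif w[0] == "network-object":
            cur.append(ip_network(w[2] if w[1] == "host" else f"{w[1]}/{w[2]}"))
        elif w[0] == "port-object":  # 'eq <port>' form only
            cur.append(port(w[2]))
        elif w[0] == "protocol-object":
            cur.append(w[1])
        elif w[0] == "access-list":
            aces.append(w)
    return groups, aces

def _addr(tok, groups):
    """Consume one address spec from tok and return it as a list of networks."""
    k = tok.pop(0)
    if k == "any":
        return [ANY]
    if k in ("object", "object-group"):
        return groups[tok.pop(0)]
    arg = tok.pop(0)
    return [ip_network(arg if k == "host" else f"{k}/{arg}")]

def first_match(config, acl, src, dst, proto, dport):
    """First ACE of `acl` (permit or deny) matching the flow, else None.

    dst is the real (inside) address, which is what the posted ACL references.
    """
    groups, aces = parse(config)
    s, d = ip_address(src), ip_address(dst)
    for w in aces:
        if w[1] != acl:
            continue
        tok = w[4:]  # drop "access-list <name> extended permit|deny"
        k = tok.pop(0)
        protos = groups[tok.pop(0)] if k == "object-group" else [k]
        srcs, dsts = _addr(tok, groups), _addr(tok, groups)
        ports = None  # None means any destination port
        if tok:
            k = tok.pop(0)
            ports = groups[tok.pop(0)] if k == "object-group" else [port(tok.pop(0))]
        if ((proto in protos or "ip" in protos) and any(s in n for n in srcs)
                and any(d in n for n in dsts) and (ports is None or dport in ports)):
            return " ".join(w)
    return None
```
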

  • ASA 5520: Create Network Object for range of hosts?

    Hi,
    I'm new to Cisco Firewalling. I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
    We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
    Is there a way to do a similar thing on the ASA 5520?
    I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
    Any help greatly appreciated.

    Sure there is,
    hostname(config)# object network TEST2
    hostname(config-network-object)# range  10.1.2.1 10.1.2.70
    No need for subnet masks; this will be an object network, not an object-group of type network. Now in 8.3 they are a lot different.
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
    Check this doc for reference.
    Cheers,
    Mike

  • How to change VPN peer address on ASA 5520

    Environment:
    ASA 5520 running 7.2(1)
    IPSEC L2L VPN established using Wizard.
    The IP address of the remote peer needs to change. Using ASDM, I cannot change the Tunnel Group name (which is currently the peer address). I can change the peer address in the IPSec rule, but is this all that is needed?
    Do I have to add a new tunnel group using the new peer address for the name? If so how does this relate to the other objects that are required for a VPN?
    When you create a VPN using the Wizard, it creates multiple objects that are hard to track when changes are required. Is it best to delete all of the current VPN objects and create a new config using the wizard again?
    Is it better to make the changes using the CLI? What lines need to be changed for the peer address when using commands?
    Thanks in advance for any help!

    I can change the peer address in the IPSec rule, but is this all that is needed?
    - No, tunnel group name must match peer address.
    Do I have to add a new tunnel group using the new peer address for the name?
    - Yes.
    Is it better to make the changes using the CLI?
    - I would always recommend it, but if you don't know it you have no option.
    Add new tunnel-group with group name as new peer address, same key etc. Add new peer address to peer settings under edit ipsec rule. Then you should be able to remove the old tunnel group. Hope this helps you, been a while since I did it this way.

  • How can I change the email address for my photosmart 5520 ?

    Hi, I have a Photosmart 5520 and tried to set up an email address for my printer when I installed the printer.  At the time, the HP site was down for maintenance and I have a very long and complicated email address now that I will never ever remember.  How can I change this email address?
    Thanks in advance. 
    Amy

    Hi Amy,
    Follow the steps listed below to customize the ePrint email address:
    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02940150&cc=us&dlc=en&lc=en&product=5157536&tmp...
    Shlomi
    Say thanks by clicking the Kudos thumb up in the post.
    If my post resolves your problem please mark it as an Accepted Solution

  • Active/Standby ASA 5520 + SSM-10=Failures

    Greetings,
    We have two ASA5520s, both at 7.2(2) running in active/standby failover. Each of the ASA's have an AIP-SSM-10 in them running 6.0(3)E1. The configuration is in promiscuous mode assign to global policy, all traffic.
    The primary will be running fine until it transitions to the secondary with a message: Module in slot slot experienced a data channel communication failure, data channel is DOWN. When I go to the SSM it will not let us in by ASDM, I can telnet and it will allow us to log in, shows the disclaimer info but never gives a CLI prompt. The secondary will be running for a while, then it exhibits the same behavior and its SSM becomes unresponsive. The ASA transitions again regardless if the SSM is back online or not. If it is it operates normally.
    If it were 1 SSM I'd say it was the problem but both of them are doing it which leads me to consider configuration or is there something else I am missing somewhere.
    We want to put these SSM-10's inline but not with their current instability.
    Any suggestion at this point would be most helpful.
    Jim Collin
    Maui Land and Pineapple Company Inc.
    [email protected]

    I've got the exact same problem. I opened a TAC case and was told too much traffic was being redirected to the AIP module, overflowing a queue, causing the failure. We were using the modules for a couple of months before we began experiencing this issue. It got so bad I had to completely disable redirection to the module. We're not inspecting ESMTP traffic, but I'm going to try disabling protocol inspection entirely and apply the service-policy to see if it could be one of the other defaults that is the culprit. That makes more sense to me than volume because our traffic volume didn't change considerably. Need approval so it may be a while.

  • Asa 5520 | CPU Spikes above 90% for 5 Seconds then it went down to 35 - 40%

    Hi Experts
    I have an ASA 5520. Sometimes the CPU spikes above 90% for 5 seconds and then goes down to 35-40%, but when it shoots to 90% all connections going through this ASA get dropped, and then I receive complaints since application traffic traverses this FW. How can I see the CPU history for the last 1 week? I need to see the times and the dates when the CPU went above 90% for 4 seconds.
    thanks
    jamil

    Hi Ibrahim,
    From the ASA you would not be able to pull data for the last week; you would need an SNMP server or any other monitoring server for pulling reports.
    For high CPU issues, I would suggest opening a TAC case for it, since it requires detailed investigation and access to your box. Just as an initial pointer, these outputs might help you identify the cause:
    show proc cpu-usage
    show traffic
    show conn count
    show interface
    Remember these outputs are useful only if they are from the time of the issue, check what traffic is hogging the CPU and if the ASA is being overwhelmed or not.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • What is causing ASA 5520 v8.4 error 305006 for DNS traffic?

    I implemented transparent mode NAT in single context mode on an ASA 5520 v8.4.  Some connections are working well, but I am seeing others unable to resolve DNS.  I am seeing lot of the following error messages:
    Syslog ID 305006 regular translation creation failed for udp src inside: 10.x.x.x/x des outside:192.168.1.3/53
    Any ideas on what I might look for as possible errors in my configuration?

