ASA5510-SEC with CSC-SSM and Plus lic

I have setup the ASA5510-SEC with the CSC-SSM and it is working great.  What I need is to be able to provide, for the client, reports of how much time particular users spend on the Internet, where they go on the Internet etc.  Do I need more product to do this reporting?  Would also like to have email reports
Thanks,

I would recommend posting in netpro for this.  This community doesn't work with the ASA series.
www.cisco.com/go/netpro

Similar Messages

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM.  We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config:  Any Help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    <--- More --->
      no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    <--- More --->
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    <--- More --->
      port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    <--- More --->
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    <--- More --->
      nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    <--- More --->
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    <--- More --->
      smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    <--- More --->
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
    <--- More --->
       inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From witch ip addresses are you trying to send traffic to the exchange server?
    Please do a packet-tracer and give us the output
    packet-tracer input outside tcp x.x.x.x( Outside host ip) 1025 216.x.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!

  • Is there any architectural difference between CSC-SSM and AIP-SSM modules

    Hello security gurus!
    I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
    Eugene

    Zheka,
    This is not recommended and you will loose support, these are different devices designed for different purposes, you will also have issues with the license, I have seen it one once, and the customer did it by mistake, the module eventually crashed and we had to add the proper image.
    Regards,
    Felipe.

  • HTTPS Filtering on CSC SSM-10

    Hello,
    One of our customers has an ASA5510 with CSC SSM-10 security module. The software version of the module is 6.6.1125.0.
    Is it possible to do https filtering with this module ? The cutomer is complaining that this is not possible..., They cannot do this.
    Please any help or suggestion how to assist them ?
    p.s. from Cisco I've read the following:
    • HTTPS Filtering
         – Able to allow or block HTTPS traffic.
         – Supports group-based and user-based HTTPS policies.
         – Includes URL blocking/URL exception list support for HTTPS domains.
    Thank you and best regards,
    Ilir

    This should help:
    http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have base and plus license and want to activate it. T he IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE,OUTSIDE,DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM what range should i give?
    There is an ISA server on the DMZ where all user IP's get PATed and on ASA this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have and is it related ot the management interface ip address?
    Thanks and Regards.
    Sonu

    Hi
    put your CSC ip address as outside interface subnet.because CSC needs automatic updates from internet.and you can able to manage CSC from remote itself.
    for EX
    your outside ip is 10.0.0.1/24,make CSC IP As 10.0.0.2/24,Gateway 10.0.0.1
    Hopes this helps
    regs
    S.Mohana sundaram

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to setup Active/Standby HA mode for my site.
    Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
    My question:
    01. My concern is second unit CSC-SSM, what is the proper procedure or step need to prep it?
    Is it need to prep the CSC-SSM before the ASA in HA mode Or it will auto propagate the configuration when both unit in HA mode?
    What else need to concern? am i need to setup different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
    Also it's not like if the Config on both modules is different failover will fail but ofcourse you wanna have the same one
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Which part number for CSC-SSM with Plus license?

    Dear All,
    Which part number for CSC-SSM with Plus License? i saw the part number for standard license.
    could you let me know?
    Best regards,

    Hi,
    The part number is the following:
    ASA-CSCX-YP-ZY
    where X is your CSC model, Y is the number of seats of the license and Z is the number of years.
    For instance, if you need a 2 year plus license for a CSC10 with 250 seats, the part number would be ASA-CSC10-250P-2Y
    Regards,
    Nicolas

  • Two phones ordered, only one shipped. The iPhone 6 has shipped with tracking number and charge to my card. iPhone 6 Plus has no information available, no one at CS can tell me if this is normal, if it is delayed, any info appreciated.

    I placed an upgrade order for two phones, an iPhone 6 and 6plus.
    I was in the Verizon shopping cart at 11:55 and checked out by 12:01 AM pacific time.
    I do have my email confirmation for both phones with ship date 9/19
    The iPhone 6 has shipped with tracking number and the charge to my card came through for the price of this phone.
    There is no other information available - nothing on the status of the 6 Plus. Customer service doesn't know if this is normal or if my order went through, its really bad.
    Any further information would be much appreciated.

    I was just told by a Verizon sales rep that, when her team got in, when she checked the system at 3:03 (midnight+ 3 minutes)  all 6Plus had a back order date of October, and now its going into November even though the pre-order system was showing 9/19 - that all verizon iphone 6 plus had an instant sell out.
    She had no additional information on my iPhone 6 plus, not even if there was a chance for it to ship out, when the back order date would be - no further information.
    (A different rep I talked to said all iphone 6 plus pre orders had a ship date of October, all of them - I asked what Verizon is going to do when they advertised iphone 6 plus for 9/19 delivery and your telling me they never had any available - at this point he transferred me... *****)

  • My iPod touch 4th gen. Won't charge with a enercell charger that I've used since December. It will only charge with the apple USB cord that came with it. And even the takes it about 6 sec. To realize its charging. Help me fix this?

    My iPod touch 4th gen. Won't charge with a enercell charger that I've used since December. It will only charge with the apple USB cord that came with it. And even the takes it about 6 sec. To realize its charging. Help me fix this?

    Yes, I've been using it for months. And I can charge other devices with it. (my iPhone) but something weird just happened..... I kept on pluging it in the iPod and sometimes it would start to chàrge then sometimes it won't charge. Charges every time with the iPhone though.

  • HT1222 I started the lastest iPhone 5s software update then my phone just shut down and will not turn back on. I've tried the home button, the button plus the top right button together for 20 sec, plug it in and nothing

    I started the lastest iPhone 5s software update then my phone just shut down and will not turn back on. I've tried the home button, the button plus the top right button together for 20 sec, plug it in and nothing

    Plug your device into the original charger & block in a wall outlet and leave it alone for a couple of hours. Then, while it is still plugged in, restart it by holding down the home button and the power button for 10-15 seconds until you see the Apple, then let go.

  • Ever since installing on my 64bit Windows 7 install, Firefox has continually gotten more sluggish as time moves on, hangs for 10-15 secs at a time and just gets worse over time with the updates and everything.

    Ever since installing on my 64bit Windows 7 install, Firefox has continually gotten more sluggish as time moves on, hangs for 10-15 secs at a time and just gets worse over time with the updates and everything. It was fast when I first installed, but over the last six mos has slown to a crawl.

    upgrade your browser to Firefox 8 and try
    * getfirefox.com

  • I just bought and backed up my computer and time machine with a "Seagate BackUp Plus for Mac". Now my time machine is empty. Panicked. can anyone help?

    I just bought and backed up my computer and time machine with a "Seagate BackUp Plus for Mac". Now my time machine is empty. Panicked. can anyone help?

    Lets start over...
    Please restart the network.. shut down everything..
    Restart in order.. modem.. router.. if different to TC.. or TC.. client devices.. wait 2min between each startup.
    If the TC does not show up on the computer, in finder.. then we need more info.. what OS are you running?
    Does the TC show up in Airport utility? Are you running wireless or ethernet?
    If you still have issues.. plug the TC directly into the computer by ethernet.
    Do a full factory reset of the TC.. and see if it now shows up.
    Please tell us exactly what model TC it is and how old.. the A1xxx model number from the base will help if you don't know.
    You take a screen shot of the TC opened in finder.
    eg..
    My TC is named Tardis4.. click on it.. and then open the data folder.. on this one called Tardisdata.
    Then take a screen shot of it so we can see what the problem is.. screenshot.. with area selection.. control + shift + 4 .. the picture goes into the desktop.. and then you click the picture icon in the posting web page controls and select the picture.

  • Direct Digital Filing with HP OfficejetPro 8600 Plus and Windows 7

    Set up Scan to Network Folder using Direct Digital Filing with HP OfficejetPro 8600 Plus and Windows 7
    Can't figure out where the network file folder should be.

    went to hp/support, was  sent to a sign im page, entered cm750 product number; the site searched my installation to detect the 8600, here are the results:
    We were unable to verify your product
    Drivers & Updates
    Warranty Status
    Additional Support
            This tool recommends the latest print driver software to keep your HP product up-to-date.   
    No Action Needed:HP recommended software installed and up-to-date.
    If your product is not printing or scanning correctly, you may want to try the HP Printer Install Wizard to identify software issues. Click the link below to begin:
                       HP Printer Install Wizard for Windows »              No Action Needed:Windows in-Operating System (in-OS) print driver is installed and is currently the only driver available for this product.
    For more information on getting the best functionlity from your product with this print driver, click the link below:
                     In-OS Print Driver »               
    Action Needed:                    Your print driver software is missing or a better version is available. HP recommends installing the following software. Click the link below to begin:               
    Product Not Supported: This product is not currently supported by this tool. Error: This tool experienced an error while trying to identify the print driver software for your product.
    To view additional software for this product, click the link below:
    To view all of the software available for this HP product or the HP Printer Install Wizard for Windows, click below:
                Software & Driver Downloads »       
    HP Printer Install Wizard for Windows »       
    Please wait while we scan your product for solutions and updates.Your Product:
    0%
    This should take 1-2 minutes, depending on your computer and connection speed.
    HP was unable to verify that you have this product, but did find other products.
                            HP Officejet Pro K8600 Printer »                        Software & driver downloads »                        Support & troubleshooting » Learn how to help HP find your product
                             1 HP products were discovered
    Select an option for a product below. Some products may be scanned to identify recommended drivers, updates, and solutions.
    »HP Pavilion a6120n Desktop PC                 Serial Number:                                 MXF73106L0                                                Product Number:                                 GC670AA                               
    » Software & Driver Downloads »
    Support & Troubleshooting   Well, it did find my desktop. I hve re-installed the 8600 from scratch, downloaded drivers and patches etc. can anyone suggest how to get scanning to work?

  • Failover setup between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9

    Not sure if we can setup Active/standby failover between ASA5510-AIP10SP-K9 and ASA5510-SEC-BUN-K9 at all?
    If anyone could advice please, that would be grateful. Thanks a lot

    You would need the module on both appliances to setup failover.
    Regards
    Farrukh

  • I have ipod nano with 7 generation and I would buy a Polar Wearlink   Transmitter Nike  Plus to view heart beats . Is this product compatible with nano?

    I have ipod nano with 7 generation and I would buy a Polar Wearlink + Transmitter Nike+ Plus to view heart beats . Is this product compatible with nano?

    I have the same issue! I purchased a nano 6th, polar hrm so I could run and receive spoken feedback when my heart rate was outside my preset zone.  My suunto t3 used to beep when outside the preset zones.  Automatic, periodic beeps or spoken feedback is the most important information to receive during exercise. I hope apple can update the software to add this simple yet critical feature.

Maybe you are looking for

  • Editable ALV & Foreign Key Check

    I am working on an Editable ALV. Here if I try to enter some value into a field which doesnt exist in the corresponding Check table of the field, ALV throws me an error. This scenario is working fine. But in some scenarios I populate the ALV table fr

  • Could not connect to SQL Server 2012 Remotely

    Hello,  I have a situation as follows: The Server SQL Server 2012 Standard Edition installed on Windows Server 2012 Standard Edition Active Directory is installed on the same server as well Remote Access Role added and configured to connect VPN  DNS

  • Two apps running, but the Dock doesn't seem to know about them

    In the last couple of days I have quit and restarted Firefox and then Safari.  Both apps are up and running with multiple windows and tabs open, but according to the Dock they are not running.  The light is not lit up next to the app icon, and when y

  • FI-FM - How to reconciliate FI invoice to FM ?

    Hello, I have an invoice with lines which impact FM and lines without impact on FM (commitments which are not relevant to budget). I deleted the FM link in the invoice by using the program RFFMDLFI to check some reports. But now i would like to resto

  • RPC ERROR

    Hi experts    im going through the error i.e. RPC server is unavailebel i m not getting this error and what to do so pls kindely help me with this ...... Regards : Pankaj .