HTTPS Filtering on CSC SSM-10

Hello,
One of our customers has an ASA5510 with CSC SSM-10 security module. The software version of the module is 6.6.1125.0.
Is it possible to do HTTPS filtering with this module? The customer is complaining that this is not possible; they cannot do this.
Please, any help or suggestion on how to assist them?
P.S. From Cisco I've read the following:
• HTTPS Filtering
     – Able to allow or block HTTPS traffic.
     – Supports group-based and user-based HTTPS policies.
     – Includes URL blocking/URL exception list support for HTTPS domains.
Thank you and best regards,
Ilir

This should help:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html

Similar Messages

  • Simple question about CSC-SSM

    Hi,
    I must block an HTTPS website using CSC-SSM on an ASA 5520, but it looks like it won't block HTTPS traffic at all, so I've been searching around and I found that "Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the CSC-SSM software."
    Has anyone successfully blocked HTTPS traffic using CSC-SSM?
    Which other blocking methods would you recommend? ASA's URL filtering?
    Thanks in advance.
    Guilherme

    Hi Guilherme,
    the idea with HTTPS is that it is secured HTTP with SSL or TLS, which is the same idea as VPN/IPsec, where the traffic is tunnelled and cannot be inspected before it gets decrypted,
    which should be the same with all vendors.
    If you can inspect the HTTPS and scan it, then it is not secure enough!! Right :)
    good luck
    if helpful Rate

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a PIX 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config; any help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So the Exchange server IP is obj-192.168.1.65, NATted to 216.x.x.x:
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From which IP addresses are you trying to send traffic to the Exchange server?
    Please do a packet-tracer and give us the output:
    packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to setup Active/Standby HA mode for my site.
    Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
    My question:
    01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
    Does the CSC-SSM need to be prepped before the ASA is in HA mode, or will it auto-propagate the configuration when both units are in HA mode?
    What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
    Also, it's not as if failover will fail when the config on both modules is different, but of course you want to have the same one.
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other does not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • How to identify whether I have AIP-SSM-10 or CSC-SSM-10?

    How do I identify whether I have AIP-SSM-10 or CSC-SSM-10 on my ASA 5520?

    you can find the information in this link
    http://www.cisco.com/en/US/products/ps6120/products_installation_guide_chapter09186a00805ad777.html

  • Password recovery for CSC-SSM

    I have a CSC SSM module in my lab. I forgot its username/password and also the IP address of the CSC module. When I tried to reimage the CSC module, setup asks for the IP address of the CSC module. Is there any way to recover the password without knowing the IP address of the CSC module?

    This document describes how to recover a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the Advanced Inspection and Prevention Security Services Module (AIP-SSM) without having to re-image the device.
    http://cisco.com/en/US/partner/products/ps6120/products_password_recovery09186a00807f5a59.shtml

  • No outbound smtp traffic via CSC SSM.

    Hello
    I have a problem with my ASA CSC-SSM module (version 6.1).
    The inspection of HTTP and POP works fine, but I have a problem with the outbound SMTP traffic.
    If I direct the SMTP traffic via a service policy to my CSC module, no mail will be sent outbound.
    If I remove the ACE from my SP, SMTP works fine again.
    The reason why I want to inspect my outbound mail traffic is that I want to add a disclaimer to my outgoing mails.
    I read the Admin Guide, but there is no example of how to configure outbound SMTP (only inbound SMTP).
    Is there something that I have to do?
    I hope someone can help me.

    Try this config:
    access-list csc_out permit tcp host 192.168.200.xxx any eq smtp ---for smtp
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq 80
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq pop3
    access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq ftp
    class-map csc_outbound_class
    match access-list csc_out
    policy-map csc_out_policy
    class csc_outbound_class
    csc fail-close
    service-policy csc_out_policy interface inside
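    As an added example (not from either poster or from Cisco), the Python below walks the service-policy / policy-map / class-map / access-list / object-group chain that both the Exchange config above and this outbound-SMTP answer rely on, and reports which TCP ports each bound policy actually hands to the CSC SSM. That is also the quickest way to confirm that HTTPS (443) is not among the scanned services. The embedded config fragment is constructed from the two posts, with indentation restored and a made-up host in place of the masked octets.

```python
# Service names the ASA CLI accepts after "eq" and "port-object eq".
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110, "https": 443}

# Constructed sample: the CSC-relevant fragments of the two configs posted above,
# indentation restored and the masked octets replaced with a made-up host.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list csc_out permit tcp host 192.168.200.10 any eq smtp
access-list csc_out permit tcp 192.168.200.0 255.255.255.0 any eq 80
class-map global-class
 match access-list global_mpc
class-map csc_outbound_class
 match access-list csc_out
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class global-class
  csc fail-close
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-close
policy-map unused_policy
 class global-class
  csc fail-open
service-policy global_policy global
service-policy csc_out_policy interface inside
"""


def csc_scanned_ports(config: str) -> dict:
    """Return {policy-map: set of TCP ports it diverts to the CSC SSM}.

    Walks service-policy -> policy-map -> class -> class-map -> access-list
    -> object-group. Only policy-maps bound with "service-policy" count; ACEs
    without an explicit destination port ("permit ip any any") are skipped.
    """
    groups, acls, class_acl, pmap_csc, applied = {}, {}, {}, {}, set()
    cur_group = cur_class = cur_pmap = cur_pclass = None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group" and t[1] == "service":
            cur_group, groups[t[2]] = t[2], []            # port tokens of the group
        elif t[0] == "port-object" and t[1] == "eq" and cur_group:
            groups[cur_group].append(t[2])
        elif t[0] == "access-list" and "permit" in t and t[-2] in ("eq", "object-group"):
            acls.setdefault(t[1], []).append((t[-2], t[-1]))  # (kind, value)
        elif t[0] == "class-map":
            cur_class = t[-1]
        elif t[0] == "match" and t[1] == "access-list" and cur_class:
            class_acl[cur_class] = t[2]
        elif t[0] == "policy-map" and t[1] != "type":        # skip "type inspect" maps
            cur_pmap, pmap_csc[t[1]] = t[1], []
        elif t[0] == "class" and cur_pmap:
            cur_pclass = t[1]
        elif t[0] == "csc" and cur_pmap and cur_pclass:      # csc fail-open / fail-close
            pmap_csc[cur_pmap].append(cur_pclass)
        elif t[0] == "service-policy":
            applied.add(t[1])
    result = {}
    for pmap in applied & set(pmap_csc):
        ports = set()
        for cls in pmap_csc[pmap]:
            for kind, value in acls.get(class_acl.get(cls, ""), []):
                tokens = groups.get(value, []) if kind == "object-group" else [value]
                ports.update(PORT_NAMES.get(x.lower()) or int(x) for x in tokens)
        result[pmap] = ports
    return result


def is_https_scanned(config: str) -> bool:
    """True only if some bound CSC policy hands TCP/443 to the module."""
    return any(443 in ports for ports in csc_scanned_ports(config).values())
```

    Note that unused_policy is reported nowhere: a policy-map with a csc action that is never bound by service-policy diverts nothing.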

  • Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

    Hi all,
    I got an ASA5520 with a CSC-SSM-10 (100 nodes) in use. There are about 200 hosts behind it.
    What happens when the node license is overrun, e.g. all 200 hosts are connecting through the firewall/content filter
    at the same time?
    Thanks,
    Norbert

    You can issue "sh csc node-count" on the ASA CLI.
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html#wp1362072
    License upgrade notice
    Error Message: license-upgrade-notice: Your daily node counts (daily_count) has exceeded your licensed seats (seats) by offset. Please upgrade your license.
    Example:
    License-upgrade-notice: Your daily node counts (300) has exceeded your licensed seats (100) by 200. Please upgrade your license.
    Explanation: This system log message is generated when CSC SSM detects more nodes connected to the CSC SSM than are specified in the current license. In addition to this message, a notification e-mail is sent to the administrator.
    • daily_count—The daily node count that has connected to the CSC SSM
    • seats—The number of seats of the CSC SSM license
    • offset—The daily count minus the number of seats
    Recommended Action: Contact Cisco for a license upgrade.
    You can read the above in the csc module admin guide here: http://www.cisco.com/en/US/docs/security/csc/csc62/administration/guide/cscbook.pdf
    -KS
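    The message format quoted above is regular enough to alert on. As an added example (not from the thread or from the admin guide), this Python snippet pulls the node count, seats and offset out of syslog lines carrying the license-upgrade-notice and flags any line whose offset disagrees with daily_count minus seats; the sample log lines and their timestamp/host framing are constructed.

```python
import re
from typing import List, NamedTuple

# Pattern of the license-upgrade-notice quoted above from the admin guide.
NOTICE_RE = re.compile(
    r"license-upgrade-notice:\s*Your daily node counts \((\d+)\) has exceeded "
    r"your licensed seats \((\d+)\) by (\d+)\.",
    re.IGNORECASE,
)


class Overrun(NamedTuple):
    daily_count: int
    seats: int
    offset: int
    consistent: bool   # offset == daily_count - seats, as the guide defines it


# Constructed sample log: two CSC notices around an unrelated module message.
# The second notice carries an offset that does not match count - seats.
SAMPLE_LOG = """\
Jan 18 07:17:44 csc-ssm License-upgrade-notice: Your daily node counts (300) has exceeded your licensed seats (100) by 200. Please upgrade your license.
Jan 18 07:18:01 csc-ssm Pattern update completed successfully.
Jan 19 07:17:44 csc-ssm License-upgrade-notice: Your daily node counts (120) has exceeded your licensed seats (100) by 25. Please upgrade your license.
"""


def parse_overruns(log: str) -> List[Overrun]:
    """Extract every license overrun notice from a syslog text.

    Lines that do not carry the notice are ignored; a notice whose offset
    does not equal daily_count - seats is kept but marked inconsistent.
    """
    events = []
    for line in log.splitlines():
        m = NOTICE_RE.search(line)
        if not m:
            continue
        count, seats, offset = (int(g) for g in m.groups())
        events.append(Overrun(count, seats, offset, offset == count - seats))
    return events


def worst_ratio(events: List[Overrun]) -> float:
    """Highest daily_count / seats seen; 3.0 means three times the licensed nodes."""
    return max((e.daily_count / e.seats for e in events), default=0.0)
```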

  • ASA5510-SEC with CSC-SSM and Plus lic

    I have set up the ASA5510-SEC with the CSC-SSM and it is working great. What I need is to be able to provide, for the client, reports of how much time particular users spend on the Internet, where they go on the Internet, etc. Do I need more product to do this reporting? Would also like to have email reports.
    Thanks,

    I would recommend posting in netpro for this.  This community doesn't work with the ASA series.
    www.cisco.com/go/netpro

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have base and plus licenses and want to activate them. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM, what range should I give?
    There is an ISA server on the DMZ where all user IP's get PATed and on ASA this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have, and whether it is related to the management interface IP address.
    Thanks and Regards.
    Sonu

    Hi
    Put your CSC IP address in the outside interface subnet, because CSC needs automatic updates from the internet, and you are able to manage CSC remotely.
    For example:
    if your outside IP is 10.0.0.1/24, make the CSC IP 10.0.0.2/24, gateway 10.0.0.1.
    Hope this helps
    regs
    S.Mohana sundaram

  • Cisco CSC SSM to Active directory integration issue

    Hi,
    I have configured ASA CSC SSM module for AD integration for user based access control. The domain controller Agent has been installed in AD server. But the Agent is not able to communicate to CSC module. There are errors getting generated in AD and CSC.
    There are no network layer issues between the AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on AD or with the Agent installation file. I have followed the configuration steps recommended by Cisco for configuring the AD server and CSC module. I have attached the log files.
    Please suggest solution for this issue. Thank you.
    With Regards,
    Madhan kumar G.

    Hi,
    Below are the suggestions from TAC engineer, which rectified issue in my case. Hope this helps your scenario.
    Verify the following:
    1. The client machines should be part of the Windows domain.
    2. File sharing should be enabled on the client machine.
    3. The "Remote Registry" service should be enabled.
    4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure "File and Printer Sharing" is part of the exception list.
    5. The client is able to ping the Agent and the Domain Controllers.

  • Trend Micro updates for CSC SSM

    Any word on if or when a patch would be available for 6.3.1172? My ASA has only 256kb memory, and I believe it would require a memory upgrade for any further software upgrades.

    The mail and TMCM agent service is always stopped. Access to CSC-SSM via web browser is not possible, nothing happens, and ASDM is not communicating with CSC. I restarted management access port, without success. Restore to Factory settings is not possible. I get this error message:
    Restoring default settings: /opt/trend/isvw/bin/setup.bin: line 2861: /opt/trend/isvw/lib/mail/rules/UserApprovedList.txt: Read-only file system
    /opt/trend/isvw/bin/setup.bin: line 2862: /opt/trend/isvw/lib/mail/rules/UserBlockedList.txt: Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/web/intscan.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
    I'll try to reimage with the 6.2 version; maybe this helps.
    If you have a clue tell me!
    Thank you

  • CSC-SSM license problems

    Hi,
    Because of a system failure I reinstalled the CSC-SSM 6.1.1587.0 version. All was working. Before the reinstallation the license info was this:
    # License Information
    Product:Base License
    License profile host info check OK.
    Version:Standard
    Activation Code:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Seats:000100 !!!!!!!!!!!!!!! 100 SEATS
    Status:Activated
    Expiration date:9/20/2008 !!!!!!!
    Product:Plus License
    License profile host info check OK.
    Version:Standard
    Activation Code:xxxxxxxxxxxxxxxxx
    Status:Activated
    Expiration date:5/18/2008 !!!!!
    After the installation I entered the same BASE and PLUS license, but now I have only 50 seats and the expiration date is not the same; have a look:
    # License Information
    Product:Base License
    License profile host info check OK.
    Version:Standard
    Activation Code:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Seats:000050 !!!!!!!!!!! 50 SEATS
    Status:Activated
    Expiration date:5/18/2008 !!!!
    Product:Plus License
    License profile host info check OK.
    Version:Standard
    Activation Code:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Status:Activated
    Expiration date:5/18/2008 !!!!!!
    any idea?
    Can anyone direct me to the correct site or give a email contact.

    Hi
    Contact [email protected] with the information above, they should be able to help.
    Regards MJ

  • Upload License file to CSC-SSM using CLI

    Hi,
    The CSC-SSM license has expired on my ASA 5520 with the CSC-SSM module. I got the license, but as the GUI is not functioning, the only option left is the CLI.
    Can someone guide me through the steps for uploading a new license using the CLI into CSC-SSM!!!!

    The Activation/License pane lets you configure activation codes for the following two components of the CSC SSM:
    • Base License
    • Plus License
    You can use ASDM to configure CSC licenses only once each for the two licenses. Renewed license activation codes are downloaded automatically with scheduled software updates. Links to the licensing status page and the CSC UI home page appear at the bottom of this window. The serial number for the assigned license is filled in automatically.

  • Which part number for CSC-SSM with Plus license?

    Dear All,
    Which part number is for the CSC-SSM with Plus License? I saw the part number for the standard license.
    Could you let me know?
    Best regards,

    Hi,
    The part number is the following:
    ASA-CSCX-YP-ZY
    where X is your CSC model, Y is the number of seats of the license and Z is the number of years.
    For instance, if you need a 2 year plus license for a CSC10 with 250 seats, the part number would be ASA-CSC10-250P-2Y
    Regards,
    Nicolas
