Cisco Systems ASA 5500 Manual De Usuario
19-13
Cisco Security Appliance Command Line Configuration Guide
OL-8629-01
Chapter 19 Managing the AIP SSM and CSC SSM
Checking SSM Status
is based on the network shown in
. It creates two service policies. The first
policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that
all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP
connections from inside to networks on the outside interface are scanned but it includes a deny ACE to
exclude HTTP connections from inside to servers on the DMZ network.
all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP
connections from inside to networks on the outside interface are scanned but it includes a deny ACE to
exclude HTTP connections from inside to servers on the DMZ network.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to
ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ
network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file
uploads.
ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ
network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file
uploads.
Example 19-1 Service Policies for a Common CSC SSM Scanning Scenario
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class
hostname(config-cmap)# match access-list csc_out
hostname(config)# policy-map csc_out_policy
hostname(config-pmap)# class csc_outbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_out_policy interface inside
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class
hostname(config-cmap)# match access-list csc_in
hostname(config)# policy-map csc_in_policy
hostname(config-pmap)# class csc_inbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_in_policy interface outside
Note
FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled
by default.
by default.
Checking SSM Status
To check the status of an SSM, use the show module command.
The follow example output is from an adaptive security appliance with a CSC SSM installed. The Status
field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the
output of the show module command. While the adaptive security appliance transfers an application
image to the SSM, the Status field in the output reads “Recover”. For more information about possible
statuses, see the entry for the show module command in the
field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the
output of the show module command. While the adaptive security appliance transfers an application
image to the SSM, the Status field in the output reads “Recover”. For more information about possible
statuses, see the entry for the show module command in the
Cisco Security Appliance Command
Reference
.