Cisco Systems ASA 5500 Manual

next previous

19-13

Cisco Security Appliance Command Line Configuration Guide

OL-8629-01

Chapter 19 Managing the AIP SSM and CSC SSM

Checking SSM Status

Example 19-1 is based on the network shown in Figure 19-3. It creates two service policies. The first

policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that

all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP

connections from inside to networks on the outside interface are scanned but it includes a deny ACE to

exclude HTTP connections from inside to servers on the DMZ network.

The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to

ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ

network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file

uploads.

Example 19-1 Service Policies for a Common CSC SSM Scanning Scenario

hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21

hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80

hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80

hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110

hostname(config)# class-map csc_outbound_class

hostname(config-cmap)# match access-list csc_out

hostname(config)# policy-map csc_out_policy

hostname(config-pmap)# class csc_outbound_class

hostname(config-pmap-c)# csc fail-close

hostname(config)# service-policy csc_out_policy interface inside

hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25

hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80

hostname(config)# class-map csc_inbound_class

hostname(config-cmap)# match access-list csc_in

hostname(config)# policy-map csc_in_policy

hostname(config-pmap)# class csc_inbound_class

hostname(config-pmap-c)# csc fail-close

hostname(config)# service-policy csc_in_policy interface outside

Note FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled

by default.

Checking SSM Status

To check the status of an SSM, use the show module command.

The follow example output is from an adaptive security appliance with a CSC SSM installed. The Status

field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the

output of the show module command. While the adaptive security appliance transfers an application

image to the SSM, the Status field in the output reads “Recover”. For more information about possible

statuses, see the entry for the show module command in the Cisco Security Appliance Command

Reference.