https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867894#M421584 <P>Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.</P> Fri, 21 Feb 2020 09:41:14 GMT rommel-peraza 2020-02-21T09:41:14Z https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867894#M421584 <P>Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.</P> Fri, 21 Feb 2020 09:41:14 GMT https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867894#M421584 rommel-peraza 2020-02-21T09:41:14Z https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867895#M421585 <HTML><HEAD></HEAD><BODY><P>Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy</P><P>General modular policy info is here</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html</A></P><P></P><P>The service policy you create sends traffic to the CSC for inspection</P><P>The service policy identifies traffic using one or more class-maps </P><P>Class-maps can use an access-list to match interesting traffic</P><P></P><P>So it's up to how creative you can get with your access-list really. </P><P></P><P>Info here should be of some help</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664</A></P><P></P><P>Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet</P><P></P><P> access-list MATCH_CSC extended permit ip 10.1.1.0 255.255.255.0 any eq http</P><P> </P><P> class-map MATCH_CSC_CLASS</P><P> match access-list MATCH_CSC </P><P> </P><P> policy-map CSC_POLICY</P><P> class MATCH_CSC_CLASS</P><P> csc fail-close</P><P> </P><P> service-policy CSC_POLICY global</P><P></P><P></P><P>Hope this helps</P></BODY></HTML> Mon, 17 Sep 2007 09:52:13 GMT https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867895#M421585 GRAEME DANIELSON 2007-09-17T09:52:13Z https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867896#M421586 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Thanks for your answer, I maybe didn?t write well what I really need. I need that the all traffic passing through the ASA to be inspected by the CSC and it?s already done actually using ACL and policy maps as you say; now once the traffic is sent it to the CSC I need to "clasify" the filters based on the source Vlan or Subnet.</P><P></P><P>Example:</P><P></P><P>Sales manager from vlan 2 can see sport news on the web but a Human Resources employee(from vlan 3) only can get in the Organization web site and financial web pages.</P><P></P><P>Can it be done?</P><P></P><P>Thanks again </P></BODY></HTML> Mon, 17 Sep 2007 13:39:18 GMT https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867896#M421586 rommel-peraza 2007-09-17T13:39:18Z https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867897#M421587 <HTML><HEAD></HEAD><BODY><P>OK I don't believe there is that level of granular control within the CSC. The closest I think would be to exclude selected internal IP address ranges from all URL filtering i.e. they can go anywhere.</P><P>I think you need something like a Websense service which the ASA can query for it's URL filtering decisions. Not sure about it's co-existence with the CSC though.</P></BODY></HTML> Tue, 18 Sep 2007 00:05:55 GMT https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867897#M421587 GRAEME DANIELSON 2007-09-18T00:05:55Z https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867898#M421588 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your help.</P></BODY></HTML> Tue, 18 Sep 2007 05:58:38 GMT https://community.cisco.com/t5/network-security/asa-content-security-module-anti-x-issue/m-p/867898#M421588 rommel-peraza 2007-09-18T05:58:38Z