topic Need to block HTTPS traffic in CSC module in Network Security

Need to block HTTPS traffic in CSC module

alexageorge — Mon, 11 Mar 2019 22:02:47 GMT

Hi,

I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Can anyone please help me in blocking https traffic using the CSC module.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

varrao — Fri, 16 Dec 2011 09:53:19 GMT

Hi Alex,

To block https traffic through CSC module, you need to run the version 6.6.1125.0 on the CSC module. This version is only compatible with ASA version 8.4.2 and ASDM 6.4.5, kindly go through the release notes for detailed information:

http://www.cisco.com/en/US/docs/security/csc/csc66/release/notes/cscrn66.html

Hope that helps.

Thanks,

Varun

Need to block HTTPS traffic in CSC module

varrao — Fri, 16 Dec 2011 09:57:51 GMT

Here, this should also help you a great deal:

http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html

Thanks,

Varun

Need to block HTTPS traffic in CSC module

alexageorge — Sat, 17 Dec 2011 04:41:57 GMT

Hi Varun,

The version of the device is the same you have mentioned. I gave facebook.com and *.facebook.com, facebook is getting blocked when accessed as http://www.facebook.com but is accessible by https://www.facebook.com.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

Julio Carvajal — Sat, 17 Dec 2011 08:21:48 GMT

Hello Alex,

Did you on the URL filtering include the HTTPS option?

Are you sure you have the same 3 versions that Varun mentioned (CSC version, ASA version, ASDM version)?

If that is correct you should be able to block it, I mean you have the rigth configuration, are you sending the HTTPS traffic to the CSC module via the ASA?

Please rate helpful posts

Regards,

Julio

Need to block HTTPS traffic in CSC module

Janardhan Meesala — Mon, 19 Dec 2011 08:54:09 GMT

HI Alex,

First you need to send all HTTPS traffic to the CSC module. If all traffic going towards CSC module and still you are facing problem with HTTPS filtering then let me know which browser you are using.

Because HTTPS traffic filtering will support only from Internet Explorer 9.

But it is works with Firefox.

Regards,

Janardhan

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 22 Dec 2011 04:36:53 GMT

Hi Julio,

The versions are correct. The sh version and sh module all outputs are as follows:

Sh Version:

Cisco Adaptive Security Appliance Software Version 8.4(2)

Device Manager Version 6.4(5)204

Compiled on Wed 15-Jun-11 18:17 by builders

System image file is "disk0:/asa842-k8.bin"

Config file at boot was "startup-config"

Olive-ASA up 2 days 19 hours

Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

Number of accelerators: 1

0: Ext: Ethernet0/0 : address is e8b7.483d.0110, irq 9

1: Ext: Ethernet0/1 : address is e8b7.483d.0111, irq 9

2: Ext: Ethernet0/2 : address is e8b7.483d.0112, irq 9

3: Ext: Ethernet0/3 : address is e8b7.483d.0113, irq 9

4: Ext: Management0/0 : address is e8b7.483d.010f, irq 11

5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11

6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 100 perpetual

Inside Hosts : Unlimited perpetual

Failover : Active/Active perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Enabled perpetual

Security Contexts : 2 perpetual

GTP/GPRS : Disabled perpetual

AnyConnect Premium Peers : 2 perpetual

AnyConnect Essentials : 250 perpetual

Other VPN Peers : 250 perpetual

Total VPN Peers : 250 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1525L293

Running Permanent Activation Key: 0x0e06f44b 0xc08d056d 0x21f329e0 0xc02054d8 0x

8004e9a2

Configuration register is 0x1

Configuration has not been modified since last system restart.

Olive-ASA#

Sh Module All:

Mod Card Type Model Serial No.

--- -------------------------------------------- ------------------ -----------

0 ASA 5510 Adaptive Security Appliance ASA5510 JMX1525L293

1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9 JAF1521BKBJ

Mod MAC Address Range Hw Version Fw Version Sw Version

--- --------------------------------- ------------ ------------ ---------------

0 e8b7.483d.010f to e8b7.483d.0113 2.0 1.0(11)5 8.4(2)

1 1cdf.0f2c.77af to 1cdf.0f2c.77af 1.0 1.0(11)5 CSC SSM 6.6.1125

Mod SSM Application Name Status SSM Application Version

--- ------------------------------ ---------------- --------------------------

1 CSC SSM Up 6.6.1125.0

Mod Status Data Plane Status Compatibility

--- ------------------ --------------------- -------------

0 Up Sys Not Applicable

1 Up Up

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 22 Dec 2011 04:40:44 GMT

Hi Janardhan,

All the traffic is passing thru the CSC module.

access-list csc extended permit tcp any any eq https

access-list csc extended permit tcp any any eq ftp

access-list csc extended permit tcp any any eq pop3

access-list csc extended permit tcp any any eq smtp

access-list csc extended permit tcp any any eq www

access-list csc extended deny ip host 192.168.2.2 any

And I'm using firefox.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

Julio Carvajal — Thu, 22 Dec 2011 04:41:50 GMT

Hello Alex,

Correct the versions are okay, what about the other questions?

Did you include the HTTPS option on the URL filtering ?

If that is correct you should be able to block it, I mean you have the rigth configuration, are you sending the HTTPS traffic to the CSC module via the ASA?

Regards,

Julio

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 22 Dec 2011 05:00:34 GMT

Hi Julio,

I have checked the column "Include HTTPS traffic" in the URL blocking.

Also have done the follwing configuration in the ASA for passing all the traffic thru the CSC module.

access-list csc extended permit tcp any any eq https

access-list csc extended permit tcp any any eq ftp

access-list csc extended permit tcp any any eq pop3

access-list csc extended permit tcp any any eq smtp

access-list csc extended permit tcp any any eq www

access-list csc extended deny ip host 192.168.2.2 any

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Fri, 27 Jan 2012 08:41:44 GMT

Hi Varun,

I was able to block the https traffic by giving *.xxxx.com (eg, *.facebook.com) in the https block option. But I am facing another problem. I am able block the https traffic in firefox and chrome but is able to access the site in IE. I checked in IE6 and IE8 where the sites were able to be opened.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Fri, 27 Jan 2012 08:42:46 GMT

Hi Julio,

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Fri, 27 Jan 2012 08:43:23 GMT

Hi Janardhan,

Regards,

Alex George

Re: Need to block HTTPS traffic in CSC module

Janardhan Meesala — Fri, 27 Jan 2012 15:48:23 GMT

HI,

This is one of the limitation of ASA firewall.

Https filtering it will not work with pre versions of IE-9. It will works

from IE-9 on-wards.( IE-9 does not support with Win-XP but support on wards

Vista)

Refer the CSC release guide.

Regards,

Janardhan

On Fri, Jan 27, 2012 at 2:13 PM, alexageorge <

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 29 Mar 2012 06:58:24 GMT

Hi All,

As mentioned in the post I am still facing the problem with filtering https traffice with SSM-CSC-10 module. And I find the this is a drawback of the the same.

Now, I am facing a different kind of issue. When I am trying to access sites that has not been blocked in https filter, I am getting an SSl error mostly.

Attaching the screen shot along. Can anyone help me with this.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 29 Mar 2012 07:00:13 GMT

Hi Janardhan,

As mentioned in the post I am still facing the problem with filtering https traffice with SSM-CSC-10 module. And I find the this is a drawback of the the same.

Now, I am facing a different kind of issue. When I am trying to access sites that has not been blocked in https filter, I am getting an SSl error mostly.

Attaching the screen shot along. Can anyone help me with this.

Regards,

Alex George

Need to block HTTPS traffic in CSC module

alexageorge — Thu, 29 Mar 2012 07:01:45 GMT

Hi All,

As mentioned in the post I am still facing the problem with filtering https traffice with SSM-CSC-10 module. And I find the this is a drawback of the the same.

Now, I am facing a different kind of issue. When I am trying to access sites that has not been blocked in https filter, I am getting an SSl error mostly.

Attaching the screen shot along. Can anyone help me with this.

Regards,

Alex George

Re: Need to block HTTPS traffic in CSC module

Janardhan Meesala — Sat, 30 Jun 2012 14:27:17 GMT

HI Alex George,

In the URL filtering, uncheck the unrated sites in the Generel tab.

And also check the configuration in the webreputation.

Regards,

Janardhan

Need to block HTTPS traffic in CSC module

szumbado — Tue, 18 Sep 2012 20:31:15 GMT

I have a customer that would like to confirm based on this post whether this is true...

"This is one of the limitation of ASA firewall.

Https filtering it will not work with pre versions of IE-9. It will works

from IE-9 on-wards.( IE-9 does not support with Win-XP but support on wards

Vista)

Refer the CSC release guide.

Could you please show me where it says that? I need to confirm.

Stephan

Need to block HTTPS traffic in CSC module

alexageorge — Wed, 19 Sep 2012 05:57:38 GMT

Hi Stephan,

Please find the attachement (page 10 under important notes).

http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098890

Regards,

Alex George