12-16-2011 01:32 AM - edited 03-11-2019 03:02 PM
Hi,
I have an ASA5510 with a CSC-SSM-10 module. I am able to block HTTP traffic through the ASA but cannot block HTTPS traffic through it. Can anyone please help me in blocking HTTPS traffic using the CSC module.
Regards,
Alex George
12-16-2011 01:53 AM
Hi Alex,
To block HTTPS traffic through the CSC module, you need to run version 6.6.1125.0 on the CSC module. This version is only compatible with ASA version 8.4.2 and ASDM 6.4.5. Kindly go through the release notes for detailed information:
http://www.cisco.com/en/US/docs/security/csc/csc66/release/notes/cscrn66.html
Hope that helps.
Thanks,
Varun
01-27-2012 07:48 AM
Hi,
This is one of the limitations of the ASA firewall.
HTTPS filtering will not work with versions of IE before IE 9. It works from IE 9 onwards. (IE 9 is not supported on Windows XP but is supported from Vista onwards.)
Refer to the CSC release guide.
Regards,
Janardhan
12-16-2011 01:57 AM
Here, this should also help you a great deal:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html
Thanks,
Varun
12-16-2011 08:41 PM
Hi Varun,
The version of the device is the same as you mentioned. I entered facebook.com and *.facebook.com; Facebook is blocked when accessed as http://www.facebook.com but is accessible via https://www.facebook.com.
Regards,
Alex George
12-17-2011 12:21 AM
Hello Alex,
Did you include the HTTPS option on the URL filtering?
Are you sure you have the same three versions that Varun mentioned (CSC version, ASA version, ASDM version)?
If that is correct you should be able to block it. I mean, if you have the right configuration: are you sending the HTTPS traffic to the CSC module via the ASA?
Please rate helpful posts
Regards,
Julio
12-21-2011 08:36 PM
Hi Julio,
The versions are correct. The sh version and sh module all outputs are as follows:
Sh Version:
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)204
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
Olive-ASA up 2 days 19 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is e8b7.483d.0110, irq 9
1: Ext: Ethernet0/1 : address is e8b7.483d.0111, irq 9
2: Ext: Ethernet0/2 : address is e8b7.483d.0112, irq 9
3: Ext: Ethernet0/3 : address is e8b7.483d.0113, irq 9
4: Ext: Management0/0 : address is e8b7.483d.010f, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1525L293
Running Permanent Activation Key: 0x0e06f44b 0xc08d056d 0x21f329e0 0xc02054d8 0x8004e9a2
Configuration register is 0x1
Configuration has not been modified since last system restart.
Olive-ASA#
Sh Module All:
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX1525L293
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9  JAF1521BKBJ

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 e8b7.483d.010f to e8b7.483d.0113  2.0          1.0(11)5     8.4(2)
  1 1cdf.0f2c.77af to 1cdf.0f2c.77af  1.0          1.0(11)5     CSC SSM 6.6.1125.0

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Up               6.6.1125.0

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
Regards,
Alex George
12-21-2011 08:41 PM
Hello Alex,
Correct, the versions are okay; what about the other questions?
Did you include the HTTPS option on the URL filtering?
If that is correct you should be able to block it. I mean, if you have the right configuration: are you sending the HTTPS traffic to the CSC module via the ASA?
Regards,
Julio
12-21-2011 09:00 PM
Hi Julio,
I have checked the "Include HTTPS traffic" option in the URL blocking.
I have also done the following configuration in the ASA for passing all the traffic through the CSC module.
access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq pop3
access-list csc extended permit tcp any any eq smtp
access-list csc extended permit tcp any any eq www
access-list csc extended deny ip host 192.168.2.2 any
Regards,
Alex George
12-19-2011 12:54 AM
Hi Alex,
First you need to send all HTTPS traffic to the CSC module. If all traffic is going to the CSC module and you are still facing a problem with HTTPS filtering, then let me know which browser you are using.
This is because HTTPS traffic filtering is supported only from Internet Explorer 9.
But it works with Firefox.
Regards,
Janardhan
12-21-2011 08:40 PM
Hi Janardhan,
All the traffic is passing through the CSC module.
access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq pop3
access-list csc extended permit tcp any any eq smtp
access-list csc extended permit tcp any any eq www
access-list csc extended deny ip host 192.168.2.2 any
And I'm using Firefox.
Regards,
Alex George
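The posts above show the access list but not the class map and policy map that actually divert the matched flows to the module. The following is an added example of the complete Modular Policy Framework configuration for an ASA with a CSC SSM; it is not Alex's configuration or Cisco's documentation. The names csc_acl and csc_class are assumed, the excluded host 192.168.2.2 is taken from the thread, and the policy is assumed to be the default global_policy. One caveat a practitioner should check: an access list referenced by a class map is evaluated first match, so a deny meant to exempt a host has to come before the permit lines; in the access list posted above it is listed last, after permits that already match every flow to those ports, so it never takes effect.

```cisco
! Added example: full ASA MPF configuration diverting web and mail flows to the CSC SSM.
! Assumed names: csc_acl, csc_class. The exempted host 192.168.2.2 comes from the thread.
!
! Deny first: ACL evaluation is first-match, so the exemption must precede the permits.
access-list csc_acl extended deny ip host 192.168.2.2 any
access-list csc_acl extended permit tcp any any eq www
access-list csc_acl extended permit tcp any any eq https
access-list csc_acl extended permit tcp any any eq ftp
access-list csc_acl extended permit tcp any any eq smtp
access-list csc_acl extended permit tcp any any eq pop3
!
! Class map selecting the flows that should be scanned by the module.
class-map csc_class
 match access-list csc_acl
!
! Attach the class to the default global policy and hand matching flows to the module.
! fail-open keeps traffic flowing if the SSM goes down; fail-close drops it instead.
policy-map global_policy
 class csc_class
  csc fail-open
!
! Only needed if global_policy is not already applied (it is on a default configuration).
service-policy global_policy global
!
! Verification (privileged EXEC):
!   show module 1 details     - confirms the SSM is Up and the software version it runs
!   show service-policy csc   - counters for flows actually diverted to the CSC, per interface
!   show access-list csc_acl  - per-line hit counts show which entries live traffic matches
```

If HTTPS requests are still not reaching the module, the hit count on the `permit tcp any any eq https` line is the first thing to check: a zero count means the flows are not being classified, and the problem is in the ACL or policy rather than in the module's URL-blocking settings.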
01-27-2012 12:42 AM
Hi Julio,
I was able to block the HTTPS traffic by entering *.xxxx.com (e.g. *.facebook.com) in the HTTPS block option. But I am facing another problem. I am able to block the HTTPS traffic in Firefox and Chrome but am able to access the site in IE. I checked in IE6 and IE8, where the sites could be opened.
Regards,
Alex George
01-27-2012 12:43 AM
Hi Janardhan,
I was able to block the HTTPS traffic by entering *.xxxx.com (e.g. *.facebook.com) in the HTTPS block option. But I am facing another problem. I am able to block the HTTPS traffic in Firefox and Chrome but am able to access the site in IE. I checked in IE6 and IE8, where the sites could be opened.
Regards,
Alex George
03-29-2012 12:00 AM
Hi Janardhan,
As mentioned in the post, I am still facing the problem with filtering HTTPS traffic with the SSM-CSC-10 module, and I find that this is a drawback of the same.
Now I am facing a different kind of issue. When I try to access sites that have not been blocked in the HTTPS filter, I mostly get an SSL error.
Attaching the screenshot. Can anyone help me with this?
Regards,
Alex George
09-18-2012 01:31 PM
I have a customer that would like to confirm based on this post whether this is true...
"This is one of the limitations of the ASA firewall.
HTTPS filtering will not work with versions of IE before IE 9. It works from IE 9 onwards. (IE 9 is not supported on Windows XP but is supported from Vista onwards.)
Refer to the CSC release guide.
"
Could you please show me where it says that? I need to confirm.
Stephan