
Need to block HTTPS traffic in CSC module

alexageorge
Level 1

Hi,

I have an ASA5510 with a CSC-SSM-10 module. I am able to block HTTP traffic through the ASA but cannot block HTTPS traffic through it. Can anyone please help me block HTTPS traffic using the CSC module?

Regards,

Alex George

2 Accepted Solutions

19 Replies

varrao
Level 10

Hi Alex,

To block HTTPS traffic through the CSC module, you need to run version 6.6.1125.0 on the CSC module. This version is only compatible with ASA version 8.4.2 and ASDM 6.4.5; kindly go through the release notes for detailed information:

http://www.cisco.com/en/US/docs/security/csc/csc66/release/notes/cscrn66.html

Hope that helps.

Thanks,

Varun


Here, this should also help you a great deal:

http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html

Thanks,

Varun


Hi Varun,

The versions on the device are the same as you mentioned. I gave facebook.com and *.facebook.com; facebook is blocked when accessed as http://www.facebook.com but is accessible as https://www.facebook.com.

Regards,

Alex George

Hello Alex,

Did you include the HTTPS option on the URL filtering?

Are you sure you have the same 3 versions that Varun mentioned (CSC version, ASA version, ASDM version)?

If that is correct you should be able to block it. I mean, if you have the right configuration, are you sending the HTTPS traffic to the CSC module via the ASA?

Please rate helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The versions are correct. The show version and show module all outputs are as follows:

Sh Version:

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)204

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

Olive-ASA up 2 days 19 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Ext: Ethernet0/0         : address is e8b7.483d.0110, irq 9
1: Ext: Ethernet0/1         : address is e8b7.483d.0111, irq 9
2: Ext: Ethernet0/2         : address is e8b7.483d.0112, irq 9
3: Ext: Ethernet0/3         : address is e8b7.483d.0113, irq 9
4: Ext: Management0/0       : address is e8b7.483d.010f, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1525L293
Running Permanent Activation Key: 0x0e06f44b 0xc08d056d 0x21f329e0 0xc02054d8 0x8004e9a2
Configuration register is 0x1
Configuration has not been modified since last system restart.
Olive-ASA#

Sh Module All:

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX1525L293
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9  JAF1521BKBJ

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 e8b7.483d.010f to e8b7.483d.0113  2.0          1.0(11)5     8.4(2)
  1 1cdf.0f2c.77af to 1cdf.0f2c.77af  1.0          1.0(11)5     CSC SSM 6.6.1125.0

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Up               6.6.1125.0

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up

Regards,

Alex George

Hello Alex,

Correct, the versions are okay; what about the other questions?

Did you include the HTTPS option on the URL filtering?

If that is correct you should be able to block it. I mean, if you have the right configuration, are you sending the HTTPS traffic to the CSC module via the ASA?

Regards,

Julio


Hi Julio,

I have checked the "Include HTTPS traffic" box in the URL blocking.

I have also done the following configuration in the ASA for passing all the traffic through the CSC module:

access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq pop3
access-list csc extended permit tcp any any eq smtp
access-list csc extended permit tcp any any eq www
access-list csc extended deny ip host 192.168.2.2 any

Regards,

Alex George
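Julio's question is the one that decides whether the module ever sees the flow: an access-list on its own selects nothing, it is only referenced by a class-map, and it is the policy-map entry with the csc action that diverts matching connections to the SSM. The post shows the ACL but not that binding, so the following is an added example of the full set of commands (standard ASA modular policy framework syntax, not Alex's running configuration). The class-map name is an assumption; global_policy and the global service-policy already exist on a default ASA, in which case only the class is added to them. One ordering caveat from the ACL as posted: the deny for 192.168.2.2 sits after the permits for the same ports, and the ASA stops at the first matching ACE, so that host's HTTP/HTTPS/FTP/mail traffic still matches a permit and is sent to the module. The exemption has to come first.

```cisco
! Exempt host first: ACEs are evaluated top-down, first match wins.
! A deny ACE inside a class-map access-list means "do not send to the module".
access-list csc extended deny ip host 192.168.2.2 any
access-list csc extended permit tcp any any eq www
access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq smtp
access-list csc extended permit tcp any any eq pop3
!
! Select that traffic (class name is assumed)
class-map csc_class
 match access-list csc
!
! Hand it to the CSC SSM. fail-close drops matching traffic if the module
! is down or not responding; fail-open lets it through uninspected.
policy-map global_policy
 class csc_class
  csc fail-close
!
service-policy global_policy global
```

After applying it, "show service-policy" lists the csc_class under global_policy with packet counters that should increase while a client browses an HTTPS site, and "show module 1" should report the SSM as Up; if the counters stay at zero the traffic is not reaching the module and no URL-filter setting on the CSC side will have any effect.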

HI Alex,

First you need to send all HTTPS traffic to the CSC module. If all traffic is going to the CSC module and you are still facing a problem with HTTPS filtering, then let me know which browser you are using.

Because HTTPS traffic filtering is supported only from Internet Explorer 9.

But it works with Firefox.

Regards,

Janardhan

Hi Janardhan,

All the traffic is passing through the CSC module.

access-list csc extended permit tcp any any eq https
access-list csc extended permit tcp any any eq ftp
access-list csc extended permit tcp any any eq pop3
access-list csc extended permit tcp any any eq smtp
access-list csc extended permit tcp any any eq www
access-list csc extended deny ip host 192.168.2.2 any

And I'm using Firefox.

Regards,

Alex George

Hi Julio,

I was able to block the HTTPS traffic by giving *.xxxx.com (e.g. *.facebook.com) in the HTTPS block option. But I am facing another problem. I am able to block the HTTPS traffic in Firefox and Chrome, but am able to access the site in IE. I checked in IE6 and IE8, where the sites could be opened.

Regards,

Alex George

Hi Janardhan,

I was able to block the HTTPS traffic by giving *.xxxx.com (e.g. *.facebook.com) in the HTTPS block option. But I am facing another problem. I am able to block the HTTPS traffic in Firefox and Chrome, but am able to access the site in IE. I checked in IE6 and IE8, where the sites could be opened.

Regards,

Alex George

Hi,

This is one of the limitations of the ASA firewall.

HTTPS filtering will not work with versions of IE prior to IE 9. It works from IE 9 onwards. (IE 9 is not supported on Windows XP, but is supported from Vista onwards.)

Refer to the CSC release guide.

Regards,

Janardhan

Hi Janardhan,

As mentioned in the post, I am still facing the problem with filtering HTTPS traffic with the SSM-CSC-10 module, and I find that this is a drawback of the same.

Now I am facing a different kind of issue. When I try to access sites that have not been blocked in the HTTPS filter, I mostly get an SSL error.

Attaching the screenshot along. Can anyone help me with this?

Regards,

Alex George

I have a customer that would like to confirm, based on this post, whether this is true...

"This is one of the limitation of ASA firewall. Https filtering it will not work with pre versions of IE-9. It will works from IE-9 on-wards.( IE-9 does not support with Win-XP but support on wards Vista) Refer the CSC release guide."

Could you please show me where it says that? I need to confirm.

Stephan
