Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1084
Views
0
Helpful
2
Replies

ASA 5510 transparent Mode with CSC-SSM

efrazee
Level 1
Level 1

‎05-19-2008 01:33 PM - edited ‎03-11-2019 05:47 AM

I'm implementing an ASA 5510 with the CSC-SSM module. We are using the ASA just for the CSC-SSM module functionality. Our goal is to not have to make any changes to the existing addressing. is there a way for me to implement the ASA in transparent mode but still push all traffic through the CSC-SSM module. In the past I have pushed all traffic through the CSC-SSM using a class map and ACL with source and dest ip's. How can I match all traffic while in transparent mode and send it though the CSC-SSM for inspection?

Labels:
0 Helpful
2 Replies 2

smahbub
Level 6
Level 6

‎05-23-2008 11:03 AM

A transparent firewall, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; it is unnecessary to readdress IP.

Refer the PIX/ASA: Transparent Firewall Configuration Example document for info on Transparent mode configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Refer the following url for more info on configuring CSC-SSM MODULEon ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

0 Helpful

vitripat
Level 7
Level 7

‎05-23-2008 02:13 PM

There would be no change in configuring the MPF policies for sending traffic to CSC-SSM Module.

As CSC module can only inspect traffic on TCP ports 21(FTP), 25(SMTP), 80(HTTP) and 110(POP3).

//Assuming 192.168.1.10 is CSC module IP

----------------------------------------------

access-list csc-scan line 1 extended deny tcp host 192.168.1.10 any

access-list csc-scan line 2 extended permit tcp any any eq smtp

access-list csc-scan line 3 extended permit tcp any any eq pop3

access-list csc-scan line 4 extended permit tcp any any eq http

access-list csc-scan line 5 extended permit tcp any any eq ftp

class-map csc-class

match access-list csc-scan

policy-map csc-policy

class csc-class

csc fail-open

service-policy csc-policy interface inside

----------------------------------------------

Above applies CSC inspection on all outbound traffic.

Hope that helps.

Regards,

Vibhor.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card