ASA 5520 CSC module per subnet/ip group inspection profile

iskoy.istem
Level 1

Hi,

Can you please help me verify whether the ASA 5520 CSC module's way of applying security policy (HTTP, SMTP, POP3, etc.) is per network/subnet or per group of users? Based on my understanding from reading, the web and email protection profile/config is global. It will be the same for every network user that is redirected via the service-policy config on the ASA.

Scenario:

I have two VLANs, guest and employee. Of course guest and employee have different web filter profiles. Can I configure it such that the guest web-filter profile is not that strict, while employees' access is limited only to productive internet sites?

Thanks!

Accepted Solution

varrao
Level 10

Hi Joseph,

You can apply policy for http, ftp, smtp and pop3 based on the network and on individual hosts as well. It would be a bit more clear if you can provide an example. Also, when you say that the web-filter profile for guest would not be strict, what exactly do you mean by that statement?

Thanks,

Varun

Thanks,
Varun Rao


5 Replies

iskoy.istem
Level 1

Oh, sorry, I missed out the later part of the reading, hahaha! You can configure a user group per IP subnet or specific IP, hahaha. But please confirm if I am right.. thanks!!!!

Yes, that's right, it can be done for a specific user IP, an IP subnet or a username in the domain.

-Varun

Thanks,
Varun Rao


"web-filter profile for guest would not be strict" - all sites will be open except blocking the torrent program from establishing connections outside, but I think I cannot block a p2p program with the ASA CSC. What I can do is prevent users from accessing torrent download sites but not block torrent traffic, right? Can I also police traffic, like limiting bandwidth per IP on the guest VLAN? Thanks!

Hi Joseph,

Yes, you can block the torrent websites but not the torrent traffic, because if it is tunneled over HTTPS then it would not be possible to block the traffic. You can police traffic per user as well; you would first need to identify the traffic and then apply it in the policy map for rate limiting. Have a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

Also have a look at the CSC configuration guide:

http://www.cisco.com/en/US/customer/docs/security/csc/csc62/administration/guide/csc4.html

http://www.cisco.com/en/US/customer/docs/security/csc/csc60/administration/guide/csc1.html#wp1054254

Thanks,

Varun

Thanks,
Varun Rao
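The two ASA-side pieces discussed in this thread, diverting only the web/mail traffic of chosen subnets to the CSC SSM and rate-limiting the guest VLAN with a policy map, as an added example (this is not Varun's configuration or text from the linked Cisco documents). The subnet addresses, interface names (inside, guest), ACL/class names and rate values are assumptions constructed for illustration. The per-group web-filter profile itself (what guest versus employee users may reach) is defined on the CSC module's own management interface per IP subnet or user, as the thread notes; the ASA only decides which flows get handed to the module.

```cisco
! --- Part 1: select which flows the ASA diverts to the CSC SSM ---
! Assumed addressing (constructed for this example):
!   employee VLAN = 10.10.10.0/24 behind interface "inside"
!   guest VLAN    = 10.10.20.0/24 behind interface "guest"
! Only protocols the module can scan are sent to it; everything else bypasses it.
access-list CSC_SCAN extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list CSC_SCAN extended permit tcp 10.10.10.0 255.255.255.0 any eq ftp
access-list CSC_SCAN extended permit tcp 10.10.10.0 255.255.255.0 any eq smtp
access-list CSC_SCAN extended permit tcp 10.10.10.0 255.255.255.0 any eq pop3
access-list CSC_SCAN extended permit tcp 10.10.20.0 255.255.255.0 any eq www
access-list CSC_SCAN extended permit tcp 10.10.20.0 255.255.255.0 any eq ftp
!
class-map CSC_CLASS
 match access-list CSC_SCAN
!
! fail-close: if the SSM is down, matched traffic is dropped instead of passing unscanned
policy-map global_policy
 class CSC_CLASS
  csc fail-close
!
service-policy global_policy global

! --- Part 2: rate-limit the guest VLAN ---
! "police" caps the aggregate rate of all flows the class matches, not each host
! separately; a true per-host limit needs one ACL and class per host address.
access-list GUEST_ALL extended permit ip 10.10.20.0 255.255.255.0 any
!
class-map GUEST_CLASS
 match access-list GUEST_ALL
!
! 2 Mbit/s in each direction; burst size is in bytes (assumed values)
policy-map GUEST_QOS
 class GUEST_CLASS
  police input 2000000 375000 conform-action transmit exceed-action drop
  police output 2000000 375000 conform-action transmit exceed-action drop
!
service-policy GUEST_QOS interface guest
```

After applying this, `show service-policy` lists the CSC and police counters per class, which is the quickest way to confirm that guest and employee flows are actually being matched (a zero counter usually means the ACL does not match the direction or protocol you expected). Because the web-filter decision is made on the module, any subnet you leave out of CSC_SCAN is not filtered at all, so the ACL is the first place to check when a group appears to bypass policy.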