
ASA CSC Module Doubt

Hi everybody, I have a question for the CSC experts,

I want to know if the CSC Module with Trend Micro software will help me to allow my client's users to navigate only from 12h00 to 13h00,

I know I could configure that and that it works, but I'll explain myself a little bit, so you could help me with my doubt.

1.- As far as I know, if I use a time ACL with the ASA I could deny users from navigating (HTTP) in a period of time, but I could not deny the users that have established a session before; this only works with users that want to establish a new session within the configured period of time. (I have read several documents that explain that.)

2.- I know that with a proxy server each connection is treated as a new session, so the CSC (that works like a proxy server) should work like this.

3.- So the problem that happens with the ASA time ACL (explained in #1) doesn't happen with the CSC, is this true? If a user that has been navigating in the hours permitted by the network administrator continues navigating in the hours not permitted, will he get a denied message, or must I, as with the ASA, clear all the connections? So when the new connection is established with the CSC the user will get HTTP denied.

Hope I explained myself and someone can clarify this for me.

My client doesn't have the ASA CSC Module; I am asking this because I need to offer him a solution.

Thanks in advance.

Juan Pablo


mirober2
Cisco Employee

Hi Juan Pablo,

Yes, you can configure this behavior with the CSC module. To do this, you can configure all hours as "Work Hours", except for 1200 to 1300, which would be defined as "Leisure Hours". Then, you can configure the URL filtering function to filter all sites during Work Hours, but allow sites to be unfiltered during your Leisure Hours.

Here is a document that describes this:

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1041489

Hope that helps.

Panos Kampanakis
Cisco Employee

Time-based ACLs on the ASA will also solve your problem. You are right to say that existing connections will still go through, but HTTP connections don't stay. After the page is up they are torn down. So new pages will initiate new connections and thus be subject to the time-based ACL.

Still, the CSC will also solve your issue. In the module you can set Leisure and Work hours and allow HTTP pages during each period. So I would block all pages (star in the URL field) during the Work hours and allow during the leisure.

I hope it helps.

PK
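The time-based ACL approach discussed in this thread, sketched as ASA configuration. This is an added example, not part of either reply; the names `LUNCH` and `INSIDE_IN` and the interface name `inside` are assumptions, as is the choice to leave non-web traffic unrestricted.

```cisco
! Added example. LUNCH, INSIDE_IN and the "inside" interface are assumed names.

! The one window in which browsing is allowed: every day, 12:00 to 13:00.
time-range LUNCH
 periodic daily 12:00 to 13:00

! Web traffic is permitted only while the time range is active.
access-list INSIDE_IN remark Web browsing allowed only during LUNCH
access-list INSIDE_IN extended permit tcp any any eq www time-range LUNCH
access-list INSIDE_IN extended permit tcp any any eq https time-range LUNCH

! Outside the window the entries above are inactive, so new web
! connections fall through to these denies.
access-list INSIDE_IN extended deny tcp any any eq www
access-list INSIDE_IN extended deny tcp any any eq https

! Assumption: all other traffic stays permitted. Without this line the
! implicit deny at the end of the ACL would drop it.
access-list INSIDE_IN extended permit ip any any

! Apply inbound on the interface facing the users.
access-group INSIDE_IN in interface inside

! Verification from the CLI:
!   show time-range LUNCH       - reports whether the range is active
!   show access-list INSIDE_IN  - time-range entries are marked inactive
!                                 outside the window; hit counts show denies
!   show conn                   - lists connections opened before 13:00
!                                 that are still in the table
```

The ACL is evaluated when a connection is created, which is the behavior the original question describes: `show conn` after 13:00 is the check for sessions opened inside the window that have not yet been torn down.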
