ASA with CSC-SSM

miwiconab
Level 1

Hi! We are interested in the CSC-SSM module and have some questions about it.

1. How does CSC control the number of users, by source address maybe?

2. And is it possible to point out different subnets that the CSC-SSM will check for traffic, and skip some other subnets? But those skipped subnets will still use the ASA for internet access?

3. Does the CSC check the VPN traffic?

/Regards


p.krane
Level 3

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:

hostname(config)# no service password-recovery

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads.

Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

pelitti
Level 1

Hi,

I have an ASA 5520 without CSC-SSM; I am going to consider the 'upgrade' to CSC-SSM.

I have the same question. Number of users... must I consider a user a connection to my servers (web, mail, etc.) or only a connection from my users to any outside server/service??

If you have any news...

Thank you,

regards.

Mauro

The CSC counts the number of distinct IP addresses it sees, only from interfaces other than the lowest security interface. The number is flushed every 24h. An outside user going to your server is coming from the lowest security interface, so it is not counted as a user. If you exceed the limit, the CSC will keep giving you an annoying message.

I hope it helps.

snooter
Level 1

I have exactly the same questions as the original poster:

1. How does CSC control the number of users? What happens when traffic surpasses, say, the maximum of 50 AV users?

2. Is it possible to point out different subnets that the CSC-SSM will check for traffic, and skip some other subnets? But those skipped subnets will still use the ASA for internet access?

3. Does the CSC check the VPN traffic? (specifically inside SSL VPN users)

I can't find the answers to these questions anywhere in the read me's or user guides.

Thanks!

Answers below:

1. CSC counts the number of distinct IP addresses it sees, only from interfaces other than the lowest security interface. The number is flushed every 24h. If you exceed the limit, the CSC will keep giving you an annoying message.

2. You can do that. Only IP addresses that match the ACL that identifies traffic to be inspected by the CSC will be CSC scanned. The ACL I am referring to is the ACL in this example: http://supportforums.cisco.com/docs/DOC-5668#Configuring_the_ASA_for_the_CSCSSM_ The traffic that doesn't match this ACL is not inspected by the CSC, but the ASA still processes it for its own checks.

3. No, the CSC can scan only ports 80 (HTTP), 25 (SMTP), 110 (POP3) and 21 (FTP). The rest of the traffic, including encrypted traffic, it disregards.

I hope it helps.

PK
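The following ASA configuration fragment is an added example illustrating answers 2 and 3 above; it is not taken from the original thread or from the linked Cisco document. It assumes an inside network of 10.0.0.0/8 with one subnet, 10.20.0.0/16, that should bypass the CSC-SSM while still being routed by the ASA; both addresses are constructed for the example. Because the module only inspects HTTP, SMTP, POP3 and FTP, the permit lines are limited to those four ports, which keeps SSL VPN and other encrypted traffic out of the redirect ACL entirely.

```cisco
! Constructed example: 10.20.0.0/16 is excluded from CSC scanning
access-list csc_traffic remark Deny lines are evaluated first: this subnet is routed by the ASA but never sent to the CSC-SSM
access-list csc_traffic extended deny ip 10.20.0.0 255.255.0.0 any
access-list csc_traffic remark Remaining inside hosts are redirected only on the four ports the CSC-SSM can scan
access-list csc_traffic extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list csc_traffic extended permit tcp 10.0.0.0 255.0.0.0 any eq smtp
access-list csc_traffic extended permit tcp 10.0.0.0 255.0.0.0 any eq pop3
access-list csc_traffic extended permit tcp 10.0.0.0 255.0.0.0 any eq ftp
!
class-map csc_outbound_class
 match access-list csc_traffic
!
policy-map global_policy
 class csc_outbound_class
  csc fail-close
!
service-policy global_policy global
```

Traffic that does not match the ACL (the excluded subnet, and any port other than the four listed) never reaches the module and is handled by the ASA's normal access rules only. The `csc fail-close` keyword drops matching traffic if the module is down or reloading; `csc fail-open` lets it pass unscanned instead, so choose according to whether availability or enforced scanning matters more for those hosts. `show service-policy` on the ASA confirms the class is attached and shows the packet counters climbing for redirected flows.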
