01-08-2011 04:38 PM - edited 03-11-2019 12:32 PM
How to filter URL which includes "https", using the csc ssm module?
01-08-2011 04:42 PM
You can't. The CSC module supports or can scan only 4 protocols - http, smtp, ftp and pop3 (80, 25, 21 (and the associated data) and 110).
-KS
01-08-2011 06:24 PM
Cisco ASA works with Websense in order to filter https traffic when the csc-ssm module is not being used. I thought I would be able to filter https traffic with this module, without using Websense. Now, I don't understand what the csc-ssm module is used for. When I configure the URL filtering in order not to allow access via streaming and the user uses https instead of the http protocol, then the security doesn't work. For example, if the user writes https://www.youtube.com instead of http://www.youtube.com, he will access the web page. How to solve this problem?
01-08-2011 07:09 PM
Emilio,
The CSC module with the Plus license will look for content and block spam in e-mail, and viruses, adware and phishing sites over http and ftp.
https traffic is encrypted, so it cannot see what is within the packet.
Now for the exact reason that you specified we do have an enhancement defect filed: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh18404
Symptom:
When users access web pages via "https" URLs, those requests are not
being sent to the URL filter server for lookup.
Conditions:
CSC module running any code version. URL blocking and/or
filtering enabled.
Workaround:
None known.
Further Problem Description:
This is an enhancement request to be considered for implementation
by Trend Micro.
This enhancement defect is not resolved; maybe sometime in the future. In the meantime, if you do not want people to go out using 443, then only allow certain ports with an ACL applied on the inside interface. This will not allow anyone to load any URL with https://.
access-list inside-acl permit tcp any any eq 80
access-list inside-acl permit tcp any any eq 21
access-list inside-acl permit tcp any any eq 25
access-list inside-acl permit udp any any eq 53
access-group inside-acl in interface inside
This will only allow the above permitted in the acl and not any other traffic.
-KS
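An added example, not from the thread or from Cisco: a small Python model of how the ASA applies that inside-interface ACL to outbound flows (first matching line wins, everything else hits the implicit deny). The ACL lines are the ones from the post above; the sample flows and their descriptions are constructed to show what the ACL blocks besides port 443.

```python
"""Model of the inside-interface ACL from the post: first match wins,
unmatched traffic is dropped by the ASA's implicit deny at the end.
Only the 'access-list NAME permit|deny tcp|udp any any eq PORT' shape
used in the post is parsed; anything else raises ValueError."""
from dataclasses import dataclass

# The exact ACL lines from the post above.
ACL_LINES = """
access-list inside-acl permit tcp any any eq 80
access-list inside-acl permit tcp any any eq 21
access-list inside-acl permit tcp any any eq 25
access-list inside-acl permit udp any any eq 53
""".split("\n")


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "tcp" or "udp"
    port: int    # destination port matched with "eq"


def parse_acl(lines):
    """Parse the ACL lines into Rule objects, keeping their order."""
    rules = []
    for line in lines:
        t = line.split()
        if not t:
            continue  # blank line
        if len(t) != 8 or t[0] != "access-list" or t[4:7] != ["any", "any", "eq"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append(Rule(action=t[2], proto=t[3], port=int(t[7])))
    return rules


def evaluate(rules, proto, dport):
    """Verdict for one outbound flow: first matching rule, else implicit deny."""
    for r in rules:
        if r.proto == proto and r.port == dport:
            return r.action
    return "deny"


# Constructed sample flows from an inside host: (proto, dst port, description).
SAMPLE_FLOWS = [
    ("tcp", 80, "http://www.youtube.com (permitted, CSC can scan it)"),
    ("tcp", 443, "https://www.youtube.com (dropped by implicit deny)"),
    ("tcp", 443, "https://bank.example (dropped too: the ACL blocks ALL https)"),
    ("tcp", 110, "pop3 mailbox check (CSC could scan it, but the ACL drops it)"),
    ("udp", 53, "DNS lookup (permitted)"),
    ("udp", 123, "NTP time sync (dropped: not listed)"),
]


def filter_flows(rules, flows):
    """Map each flow description to the ACL verdict."""
    return {desc: evaluate(rules, proto, port) for proto, port, desc in flows}


if __name__ == "__main__":
    for desc, verdict in filter_flows(parse_acl(ACL_LINES), SAMPLE_FLOWS).items():
        print(f"{verdict:6} {desc}")
```

The run makes the trade-off visible: the ACL does stop https://, but it also stops every other HTTPS site and any protocol not on the list, including pop3, which the CSC module could otherwise scan.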
01-11-2011 01:01 PM
Thank you for your help.
11-10-2011 01:36 AM
I just ran across this question... as of CSC v6.6, you can scan HTTPS traffic, with some noted caveats on browser compatibility.