06-11-2012 07:32 PM - edited 03-11-2019 04:17 PM
Hi,
New to the CSC module, just have a few questions.
1. By default, if a host or subnet is not on the access-list that is tied to the policy, what happens? Does it get dropped?
2. On a per-interface service policy, access-list inside-csc is tied to the inside interface service policy and access-list outside-csc is tied to the outside interface service policy.
Do I have to have an access-list for outbound traffic and its return traffic?
Example:
access-list inside-csc extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list outside-csc extended permit tcp any eq http 192.168.1.0 255.255.255.0
Since I know 192.168.1.0 is a trusted network, do I need scanning from inside to outside? Should I only have
access-list outside-csc extended permit tcp any eq http 192.168.1.0 255.255.255.0 for return traffic, since return traffic is untrusted?
06-11-2012 10:08 PM
1. No, it will not get dropped. The ACL only specifies which host/network needs to be sent towards the CSC module. If it's not specified in the ACL, it won't be sent towards the module, and will just go out directly towards the Internet if it's outbound traffic.
2. Depends on what you would like to scan. If you only want to scan outbound traffic from inside to outside, then you would only need to configure the access-list in the outbound direction, i.e.:
access-list inside-csc extended permit tcp 192.168.1.0 255.255.255.0 any eq http
If you are hosting any web server and would like incoming traffic to be scanned as well, then you would configure it in the incoming direction towards the web server.
Typically people scan outgoing traffic, and configure policy so users can only access certain websites/categories, and disallowing some other categories (gambling, porn, etc).
Hope that answers your question.
06-12-2012 07:00 AM
Thanks Jennifer.
#1 Observation: we have an open SSL VPN connection, and that does not work if we don't deny it on the ACL. That is why I'm confused about whether traffic would be allowed by default.
#2 We are trying to reduce load. If I do the following, it would be scanned twice, right?
access-list inside-csc extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list outside-csc extended permit tcp any eq http 192.168.1.0 255.255.255.0
I'm more concerned about return traffic.
When you say
"Typically people scan outgoing traffic, and configure policy so users can only access certain websites/categories, and disallowing some other categories (gambling, ****, etc)."
Couldn't this be done on return traffic, since the policy is applied to each interface independently?
i.e. access-list outside-csc extended permit tcp any eq http 192.168.1.0 255.255.255.0
Or does the access-list on the outside only apply to traffic initiated from the outside?
06-13-2012 12:39 AM
#1 If you are sending traffic to the CSC module, including the open SSL VPN traffic, then it might have been blocked by the CSC module, not by the ASA. If you would like the open SSL VPN traffic to bypass the CSC module, then the traffic that you send towards the CSC module needs to bypass or deny the open SSL traffic.
#2 If you are trying to reduce load, you can just scan traffic from inside to outside. It scans stateful connections, not stateless ones, so you don't have to worry about return traffic: if it's part of the same connection, it will be scanned.
Access-list on the outside interface only applies to traffic initiated from the outside.
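Putting the thread's advice together as one ASA configuration, added here as an illustration and not posted by anyone in the thread: only inside-to-outside HTTP from 192.168.1.0/24 is redirected to the CSC module, the SSL VPN flow is excluded with a deny line before the permit, and nothing is applied on the outside interface because the return half of each scanned connection is already covered. The VPN server address 203.0.113.10 and port 443, and the class-map and policy-map names, are assumed placeholders.

```text
! Added example, not from the thread. Flows that match no permit line in
! this ACL are never sent to the CSC SSM; they pass through the ASA as usual.
!
! Placeholder: the SSL VPN endpoint the thread wants to keep away from the module.
! The deny must come before the permit, since the ACL is evaluated top down.
access-list inside-csc extended deny tcp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq 443
! Only outbound HTTP from the trusted LAN goes to the module.
access-list inside-csc extended permit tcp 192.168.1.0 255.255.255.0 any eq http
!
class-map csc-outbound
 match access-list inside-csc
!
policy-map inside-policy
 class csc-outbound
  ! fail-close drops matched traffic if the module is down or unresponsive;
  ! fail-open would let it through unscanned instead.
  csc fail-close
!
! Applied on the inside interface only: the policy catches connections
! initiated from inside, and their return traffic is the same stateful
! connection, so no second ACL on the outside interface is needed.
service-policy inside-policy interface inside
```

Verify what is actually being redirected with `show service-policy interface inside` and `show access-list inside-csc` (hit counts on the deny line confirm the VPN flow is bypassing the module).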