This article aims to educate the user on how to initially set up the CSC-SSM module in an ASA using the CLI. After reading this article carefully, one should be able to go through the initial setup and end up with a functional SSM module. ASDM can also be used for that purpose, as presented here.
Initial set up
The CSC-SSM is a module that is inserted in the slot on the front of an ASA 5510, 5520, 5540 or 5550. The first time the module is inserted in the slot, the ASA has to be shut down and rebooted; after this first reload the CSC is considered hot-swappable. Once inserted in the slot, the CSC has to be provided with network access: the user has to use the module's external Ethernet port to give the module access to the internet. It is recommended that the module be treated like a host on the inside network. It has to be part of the LAN and have internet connectivity to be able to pull pattern updates and communicate with Trend Micro servers. After the Ethernet cable of the CSC is plugged in, the port's network settings (IP address etc.) are configured in the section that follows.
Configuring the CSC-SSM
The initial network and license setup on the CSC can be done from the ASA using the command "session 1". The default username and password to log in to the CSC are both cisco. This will take the user through a number of interactive steps to do the configuration. These will include:
IP address of the module
hostname of the CSC (it can be anything)
domain of the emails to be scanned
administrator's email address
SMTP server IP address
base license code
plus license code
The steps will look something like the following (note that all the settings shown use dummy addresses and license codes).
CSC-ASA# sess 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
The password has expired.
You are required to change your password immediately
Changing password for cisco
Retype new password:
Trend Micro InterScan for Cisco CSC SSM Setup Wizard
Now, what is left is to have the ASA forward traffic through the CSC-SSM module so that the security inspections can take place. We will use an access list (ACL) to identify the traffic (HTTP, SMTP, POP3, FTP) to be sent to the module. In the ACL we will exclude the module's own traffic from being inspected, for performance purposes (it is unnecessary for the traffic generated by the module to be inspected); the deny entry is placed first, since the ACL is evaluated top-down. The ACL will be used in a class-map to match the traffic, and the class-map in turn will be used in a policy-map. In our example the action for the class in the policy-map will be "csc fail-open", which means that if the CSC fails, all traffic that should be inspected will be passed uninspected. The corresponding "csc fail-close" will instead drop all traffic destined for the CSC if the CSC fails. Finally, a service-policy will apply the policy-map so that the inspections take place. The above configuration would look like the following (the CSC IP address is 172.18.124.237, as set in the previous section):
access-list csc-acl extended deny ip host 172.18.124.237 any
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp

class-map csc-class
 match access-list csc-acl

policy-map global_policy
 class csc-class
  csc fail-open

service-policy global_policy global
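The following Python script is an added example (it is not part of the original article and not a Cisco tool): it parses the ACL above with the ASA's first-match semantics and reports what the policy does with a given flow, including what happens to a class-matched flow when the module is down under "csc fail-open" versus "csc fail-close". The ACL text, the flows and the decision function are all constructed for the example; only the "any", "host" and "A.B.C.D MASK" address forms with an optional "eq <port>" are handled.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed copy of the article's ACL. 172.18.124.237 is the article's
# placeholder address for the CSC-SSM management interface.
CSC_ACL_TEXT = """
access-list csc-acl extended deny ip host 172.18.124.237 any
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
"""

# Service-name keywords used by the ACL, mapped to port numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the ACE carries no "eq <port>"


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_acl(text, name):
    """Parse the subset of ASA extended-ACL syntax used in the article into Ace objects, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def acl_matches(aces, proto, src, dst, dport):
    """First-match evaluation, as the ASA does: a deny ACE or no match means the class does not match."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def forwarding_decision(aces, proto, src, dst, dport, csc_up=True, fail_mode="fail-open"):
    """What the ASA does with a new flow under 'class csc-class / csc <fail_mode>' (hypothetical model):
    'inspected' (sent to the CSC), 'bypassed' (forwarded without inspection) or 'dropped'."""
    if not acl_matches(aces, proto, src, dst, dport):
        return "bypassed"   # not in the class: ordinary forwarding, the CSC never sees it
    if csc_up:
        return "inspected"
    return "bypassed" if fail_mode == "fail-open" else "dropped"


if __name__ == "__main__":
    acl = parse_acl(CSC_ACL_TEXT, "csc-acl")
    for flow in [("tcp", "10.0.0.238", "10.0.58.16", 80),     # inside client to a web server
                 ("tcp", "172.18.124.237", "10.0.58.16", 80),  # the module's own update traffic
                 ("tcp", "10.0.0.238", "10.0.58.16", 22)]:     # SSH, not in the class
        print(flow, "->", forwarding_decision(acl, *flow))
        print(flow, "(CSC down, fail-close) ->",
              forwarding_decision(acl, *flow, csc_up=False, fail_mode="fail-close"))
```

Running it shows the module's own traffic hitting the deny line before any permit, so it is never diverted, and that under fail-close an inside client's HTTP flow is dropped while the module is down, which is the availability trade-off the two keywords express.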
To verify that the settings are applied and the CSC is functional, the user can run a few commands on the ASA. "show module 1 detail" will show the status of the module:
CSC-ASA# sh modu 1 det
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model:              ASA-SSM-CSC-10
Hardware version:   1.0
Serial Number:      JADUMMYDUMM
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.2.1599.0
MAC Address Range:  dumm.dumm.dumm to dumm.dumm.dumm
App. name:          CSC SSM
App. Status:        Up
App. Status Desc:   CSC SSM scan services are available
App. version:       6.2.1599.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP Service:        Up
Activated:          Yes
Mgmt IP addr:       172.18.124.237
Mgmt web port:      8443
Peer IP addr:       <not enabled>
And while passing traffic (web, SMTP, POP3, FTP), "sh conn | i X" will show the active connections that are being inspected by the CSC (the X flag marks a connection that is sent to the service module):
CSC-ASA# sh conn | include X
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
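To turn the two verification commands into a repeatable health check, here is an added Python example (not part of the original article and not a Cisco tool). It parses the "show module 1 detail" output into fields and lists every service that is not "Up", and it parses "show conn" lines to count the connections carrying the X flag per CSC service port. The sample output is constructed from the article's placeholder listings; the field names checked in REQUIRED_UP are the ones visible in that listing.

```python
import re

# Constructed sample output, using the same placeholder values as the article's
# "show module 1 detail" and "show conn | include X" listings.
SHOW_MODULE_DETAIL = """\
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model:              ASA-SSM-CSC-10
Hardware version:   1.0
Serial Number:      JADUMMYDUMM
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.2.1599.0
MAC Address Range:  dumm.dumm.dumm to dumm.dumm.dumm
App. name:          CSC SSM
App. Status:        Up
App. Status Desc:   CSC SSM scan services are available
App. version:       6.2.1599.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP Service:        Up
Activated:          Yes
Mgmt IP addr:       172.18.124.237
Mgmt web port:      8443
Peer IP addr:       <not enabled>
"""

SHOW_CONN = """\
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
"""

# Fields that must read "Up" before the module is considered able to scan.
REQUIRED_UP = ("Status", "App. Status", "Data plane Status",
               "HTTP Service", "Mail Service", "FTP Service")

# Ports the article's ACL diverts to the CSC.
CSC_SERVICE_PORTS = {80: "http", 25: "smtp", 110: "pop3", 21: "ftp"}

CONN_RE = re.compile(
    r"^(?P<proto>\S+) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) .*\bflags (?P<flags>\S+)$"
)


def parse_module_detail(text):
    """Turn the 'Key: value' lines of 'show module N detail' into a dict (other lines are skipped)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def module_problems(fields):
    """Return the reasons the CSC is not fully operational; an empty list means healthy."""
    problems = [f"{k} is {fields.get(k, '<missing>')}"
                for k in REQUIRED_UP if fields.get(k) != "Up"]
    if fields.get("Activated") != "Yes":
        problems.append("module is not activated (no valid license)")
    return problems


def parse_conns(text):
    """Parse 'show conn' lines; 'inspected' is True when the X flag (sent to the service module) is set."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ports = {int(m["out_port"]), int(m["in_port"])}
        service = next((CSC_SERVICE_PORTS[p] for p in ports if p in CSC_SERVICE_PORTS), "other")
        rows.append({"proto": m["proto"], "service": service, "inspected": "X" in m["flags"]})
    return rows


def inspected_by_service(rows):
    """Count inspected connections per service, e.g. {'smtp': 1, 'http': 2}."""
    counts = {}
    for r in rows:
        if r["inspected"]:
            counts[r["service"]] = counts.get(r["service"], 0) + 1
    return counts


if __name__ == "__main__":
    fields = parse_module_detail(SHOW_MODULE_DETAIL)
    print("module problems:", module_problems(fields) or "none")
    print("inspected connections:", inspected_by_service(parse_conns(SHOW_CONN)))
```

In practice the two text blobs would come from the ASA over SSH or from a saved capture; feeding them through these functions gives a quick signal that the scan services are up and that web and mail flows are actually being diverted, rather than silently passing uninspected.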