07-02-2009 03:40 AM - edited 03-08-2019 06:28 PM
This article shows how to do the initial setup of the CSC-SSM module in an ASA from the CLI. After reading it, the reader should be able to go through the initial setup and end up with a functional SSM module. ASDM can be used for the same purpose as well.
The CSC-SSM is a module that is inserted in the slot on the front of an ASA 5510, 5520, 5540 or 5550. The first time the module is inserted in the slot, the ASA has to be shut down and rebooted. After this first reload the CSC is considered hot-swappable.
After being inserted in the slot, the CSC has to be given network access through the module's own external Ethernet port. The module is best treated like a host on the inside network: it has to be part of the LAN and have Internet connectivity so that it can pull pattern updates and communicate with the Trend Micro servers. Once the CSC's Ethernet cable is plugged in, the port's network settings (IP address, mask, gateway, DNS) are configured as described in the section that follows.
The initial network and license setup of the CSC is done from the ASA with the command "session 1", which opens a console session to the module in slot 1. The default username and password for the CSC are both cisco, and the module forces a password change at the first login. The setup wizard then walks the user through the network settings, date/time verification, incoming e-mail domain, notification settings and activation codes. The session will look something like the following (all addresses and license codes below are dummy values).
CSC-ASA# sess 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
The password has expired.
You are required to change your password immediately
Changing password for cisco
(current) password:
New password:
Retype new password:
Trend Micro InterScan for Cisco CSC SSM Setup Wizard
---------------------------------------------------------------------
To set up the SSM, the wizard prompts for the following information:
1. Network settings
2. Date/time settings verification
3. Incoming email domain name
4. Notification settings
5. Activation Codes
The Base License is required to activate the SSM.
Press Control-C to abort the wizard.
Press Enter to continue ...
Network Settings
---------------------------------------------------------------------
Enter the SSM card IP address: 172.18.124.237
Enter subnet mask: 255.255.255.0
Enter host name: my-csc-ssm
Enter domain name: cisco.com
Enter primary DNS IP address: 172.18.108.43
Enter optional secondary DNS IP address:
Enter gateway IP address: 172.18.124.1
Do you use a proxy server? [y|n] n
Network Settings
---------------------------------------------------------------------
IP 172.18.124.237
Netmask 255.255.255.0
Hostname my-csc-ssm
Domain name cisco.com
Primary DNS 172.18.108.43
Gateway 172.18.124.1
No Proxy
Are these settings correct? [y|n] y
Applying network settings ...
Do you want to confirm the network settings using ping? [y|n] n
Date/Time Settings
---------------------------------------------------------------------
SSM card date and time: 11/21/2008 19:16:32
The SSM card periodically synchronizes with the chassis.
Is the time correct? [y|n] y
Incoming Domain Name
---------------------------------------------------------------------
Enter the domain name that identifies incoming email messages: (default:cisco.com)
Domain name of incoming email: cisco.com
Is the incoming domain correct? [y|n] y
Administrator/Notification Settings
---------------------------------------------------------------------
Administrator email address: admin-4-csc@cisco.com
Notification email server IP: 172.18.108.45
Notification email server port: (default:25)
Administrator/Notification Settings
---------------------------------------------------------------------
Administrator email address: admin-4-csc@cisco.com
Notification email server IP: 172.18.108.45
Notification email server port: 25
Are the notification settings correct? [y|n] y
Activation
---------------------------------------------------------------------
You must activate your Base License, which enables you to update
your virus pattern file. You may also activate your Plus License.
Activation Code example: BV-43CZ-8TYY9-D4VNM-82We9-L7722-WPX41
Enter your Base License Activation Code: PX-DUMM-DUMMY-DUMMY-DUMMY-DUMMY-DUMMY
Base License activation is successful.
(Press Enter to skip activating your Plus License.)
Enter your Plus License Activation Code: PX-DUMM-DUMMY-DUMMY-DUMMY-DUMMY-DUMMY
Plus License activation is successful.
Activation Status
---------------------------------------------------------------------
Your Base License is activated.
Your Plus License is activated.
Stopping services: OK
Starting services: OK
The Setup Wizard is finished.
Please use your Web browser to connect to the management console at:
https://172.18.124.237:8443
Press Enter to exit ...
Remote card closed command session. Press any key to continue.
Command session with slot 1 terminated.
Browsing to https://172.18.124.237:8443 then gives access to the CSC web management console, where the rest of the module's configuration is done.
What is left is to have the ASA divert traffic through the CSC-SSM so that the security inspections take place. An access list (ACL) identifies the traffic (HTTP, SMTP, POP3, FTP) to be sent to the module. The ACL starts with a deny entry for the module's own address: in this context a deny does not block traffic, it only excludes it from the class, so the module's own update and notification traffic is not sent back through the module for inspection (which would be pointless and cost performance). Because the ACL is evaluated top down and the first matching entry wins, this deny has to come before the permit entries. The ACL is referenced by a class-map, the class-map is used in a policy-map, and a service-policy applies the policy-map. In the example the action for the class is "csc fail-open", which means that if the CSC fails (module down, reloading, or otherwise unavailable) the traffic that would have been inspected is passed through uninspected; "csc fail-close" would instead drop that traffic until the module is available again. Fail-open favours availability and fail-close favours security, so the choice should be a deliberate one. Note also that only the listed plaintext protocols are inspected; HTTPS and any other port not in the ACL pass through untouched. On a default ASA configuration the policy-map global_policy and the global service-policy already exist, so the new class is simply added to the existing policy-map. With the CSC IP address 172.18.124.237 from the previous section, the configuration is the following:
access-list csc-acl extended deny ip host 172.18.124.237 any
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
class-map csc-class
 match access-list csc-acl
policy-map global_policy
 class csc-class
  csc fail-open
service-policy global_policy global
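The ordering point above (the deny for the module's own address must come first, and anything not in the ACL is never diverted) is easy to get wrong when the ACL grows. The following is an added example, not part of the original article and not Cisco code: a small Python simulator of the ASA's first-match evaluation over the csc-acl from this page. The ACL text and the sample flows are constructed for the example; only the "any" and "host" address forms used on this page are supported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ACL from the article (not pulled from a live ASA).
CSC_ACL = """
access-list csc-acl extended deny ip host 172.18.124.237 any
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq ftp
"""

# Port names as the ASA CLI resolves them.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {tok}")


def parse_acl(text):
    """Parse the subset of ASA extended ACL syntax used on this page."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] != ["access-list"]:
            continue
        # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
        _, _name, _ext, action, proto = toks[:5]
        rest = toks[5:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def sent_to_csc(aces, src_ip, dst_ip, proto, dport):
    """First-match evaluation, as the ASA does it: the first ACE that matches decides.

    A 'permit' means the flow is in csc-class and is diverted to the module;
    a 'deny' or no match at all means the flow bypasses the module entirely.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


ACES = parse_acl(CSC_ACL)


def demo():
    # Inside client browsing to a web server: diverted to the CSC.
    client_http = sent_to_csc(ACES, "10.0.0.238", "10.0.58.16", "tcp", 80)
    # The module fetching pattern updates over HTTP: excluded by the leading deny.
    module_http = sent_to_csc(ACES, "172.18.124.237", "203.0.113.10", "tcp", 80)
    # HTTPS is not in the ACL, so it is never inspected.
    client_https = sent_to_csc(ACES, "10.0.0.238", "10.0.58.16", "tcp", 443)
    # Same ACL with the deny moved to the end: the module's own traffic is now
    # matched by "permit tcp any any eq www" before the deny is ever reached.
    misordered = ACES[1:] + ACES[:1]
    module_http_misordered = sent_to_csc(misordered, "172.18.124.237", "203.0.113.10", "tcp", 80)
    return client_http, module_http, client_https, module_http_misordered


if __name__ == "__main__":
    print(demo())
```

The last case is the one to remember: with the deny anywhere but first, the module's own update traffic is looped back into the module, which is exactly what the exclusion was meant to prevent.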
To verify that the settings are applied and the CSC is functional, a few commands can be run on the ASA. "show module 1 detail" shows the status of the module; App. Status should be Up, and the HTTP, Mail and FTP services should all be Up:
CSC-ASA# sh modu 1 det
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10
Hardware version: 1.0
Serial Number: JADUMMYDUMM
Firmware version: 1.0(10)0
Software version: CSC SSM 6.2.1599.0
MAC Address Range: dumm.dumm.dumm to dumm.dumm.dumm
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.2.1599.0
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 172.18.124.237
Mgmt web port: 8443
Peer IP addr: <not enabled>
While traffic (web, smtp, pop3, ftp) is passing, "show conn | include X" lists the active connections that are being inspected by the CSC; the X in the connection flags means the connection is being forwarded to the service module.
CSC-ASA# sh conn | include X
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
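Looking only at the lines that carry the X flag shows what is being inspected, but not what should have been and is not: with "csc fail-open", a module that is down leaves the traffic flowing with no X flag at all. The following is an added example, not part of the original article and not Cisco code: a Python parser for the "show conn" line format shown above that splits connections into inspected ones and ones that match the csc-acl ports but carry no X flag. The sample output is constructed for the example; the first three lines mirror the article and the last two were added to exercise the HTTPS and missed-inspection cases.

```python
import re

# Ports from the csc-acl on this page, resolved to numbers.
CSC_PORTS = {80: "www", 25: "smtp", 110: "pop3", 21: "ftp"}

# Constructed sample in the "show conn" format; the last two lines are invented
# to show a non-inspected port (443) and an inspected port that was not diverted.
SHOW_CONN = """
TCP out 10.0.1.2:18610 in 10.0.0.3:25 idle 0:52:28 bytes 988 flags UfIOXB
TCP out 10.0.58.16:80 in 10.0.0.238:55393 idle 0:00:00 bytes 2578 flags UIOX
TCP out 10.23.6.4:80 in 10.0.0.238:55391 idle 0:00:00 bytes 4310 flags UIOX
TCP out 10.23.6.4:443 in 10.0.0.238:55400 idle 0:00:01 bytes 1200 flags UIO
TCP out 10.23.6.9:80 in 10.0.0.240:40010 idle 0:00:00 bytes 3100 flags UIO
"""

# PROTO out IP:PORT in IP:PORT idle H:MM:SS bytes N flags FLAGS
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)


def parse_conn(text):
    """Parse 'show conn' lines into dicts; lines in another format are skipped."""
    conns = []
    for line in text.strip().splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("out_port", "in_port", "bytes"):
            d[key] = int(d[key])
        # X is the ASA connection flag for 'inspected by service module'.
        d["inspected"] = "X" in d["flags"]
        # The service port is whichever end carries one of the csc-acl ports;
        # the other end is the ephemeral client port.
        d["service_port"] = d["out_port"] if d["out_port"] in CSC_PORTS else d["in_port"]
        conns.append(d)
    return conns


def audit(conns):
    """Return (inspected, missed): missed are TCP flows on csc-acl ports with no X flag.

    A missed flow means the ASA is passing that traffic around the module:
    either the policy does not match it, or the module is down and fail-open
    is doing exactly what it was configured to do.
    """
    inspected, missed = [], []
    for c in conns:
        expected = c["proto"] == "TCP" and c["service_port"] in CSC_PORTS
        if c["inspected"]:
            inspected.append(c)
        elif expected:
            missed.append(c)
    return inspected, missed


def report(text):
    inspected, missed = audit(parse_conn(text))
    for c in missed:
        print(f"NOT INSPECTED: {c['in_ip']}:{c['in_port']} -> "
              f"{c['out_ip']}:{c['out_port']} ({CSC_PORTS[c['service_port']]})")
    return len(inspected), len(missed)


if __name__ == "__main__":
    print(report(SHOW_CONN))
```

One practical caveat when using this right after applying the service-policy: connections that were already established before the policy was applied are typically not redirected retroactively and will show up as missed until they are torn down (or cleared with "clear conn"), so a missed flow is a prompt to check "show module 1 detail" and the policy, not proof of a failure by itself.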