gopher_49

ASA 5510 - CSC access-list question

After enabling CSC to scan http, ftp, and smtp traffic I noticed the below syntax in my config.  Is this normal?

access-list outside_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
Les Moore

Since both groups are identical, it looks like you configured it twice? Depending on which group is actually being used (probably #2), you should be able to remove the other group.
gopher_49

ASKER

I'll give it a shot.  I'll back up my config first, for it's working so well.  Do these groups have anything to do with my CSC antix module?
ASKER CERTIFIED SOLUTION
Les Moore
Create an account to see this answer
There are two sections of my CSC module.  One is for scanning smtp and one for scanning http.  At first I had it set up to only scan http and then later enabled the smtp scanning.  Do you think it's safe to get rid of one of them?
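
An added example, not part of the original thread: a Python script that takes the config lines posted in the question, finds object-groups with identical members, and lists which access-lists reference each one before anything is removed. The function names (parse, duplicate_groups, unreferenced) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Config lines copied from the question in this thread.
CONFIG = """\
access-list outside_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
"""

def parse(config):
    """Return (group -> frozenset of member lines, group -> set of ACL names)."""
    members, refs, current = defaultdict(set), defaultdict(set), None
    for line in config.splitlines():
        if line.startswith("object-group "):
            current = line.split()[2]          # "object-group <type> <name> ..."
            members[current]                   # register the group even if empty
        elif line.startswith(" ") and current:
            members[current].add(line.strip())  # indented line = group member
        else:
            current = None
            m = re.match(r"access-list (\S+) ", line)
            for name in (re.findall(r"object-group (\S+)", line) if m else []):
                refs[name].add(m.group(1))
    return {g: frozenset(v) for g, v in members.items()}, dict(refs)

def duplicate_groups(groups):
    """Sets of group names whose members are identical."""
    by_members = defaultdict(list)
    for name, mem in groups.items():
        by_members[mem].append(name)
    return sorted(sorted(n) for n in by_members.values() if len(n) > 1)

def unreferenced(groups, refs):
    """Object-groups that no access-list in the config refers to."""
    return sorted(g for g in groups if not refs.get(g))

if __name__ == "__main__":
    groups, refs = parse(CONFIG)
    print(duplicate_groups(groups), refs, unreferenced(groups, refs))
```

On the posted config this reports the two groups as identical, but each is referenced by a different access-list (outside_mpc and global_mpc), so neither is unused at the ACL level. The class-maps and service-policy that use those access-lists are not shown in the thread and would need checking separately.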