
How to configure ASA to allow traffic from internal host to go to internet bypassing the CSC Module

How to configure ASA5510 to allow traffic from internal host to go to internet without being scanned by the CSC Module
Asked by: er_vik
 
skpruett commented:
In general you simply define a service policy for the CSC that explicitly prevents the traffic for that internal host from going to the CSC module for scanning.

In practice, those service policies usually show up as an access-list in command line, so your fix would look like this:
access-list csc_out deny ip host 192.168.10.10 any
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110

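! Traffic permitted by csc_out matches this class; denied traffic does not
class-map csc_outbound_class
     match access-list csc_out

policy-map csc_out_policy
     class csc_outbound_class
          csc fail-close

! Entered in global configuration mode, not inside the policy-map
service-policy csc_out_policy interface inside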


The deny statement at the beginning here would exempt 192.168.10.10 from going to the CSC module for being scanned.

For further information, take a look here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1058664
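
To see why the position of the deny line matters, this added example (not part of the original answer) evaluates the csc_out list from the answer in first-match order against a few constructed flows. The 203.0.113.5 destination and the function names are assumptions for illustration, and only the ACL syntax used on this page is parsed.

```python
import ipaddress

# ACL lines copied from the answer above; everything else here is illustrative.
CSC_OUT = """\
access-list csc_out deny ip host 192.168.10.10 any
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
"""

def take_addr(tok):
    """Consume one address spec (any | host A | NET MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on this page."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()[2:]                 # drop "access-list <name>"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def sent_to_csc(rules, src, dst, dport, proto="tcp"):
    """First match wins: permit = diverted to CSC, deny or no match = bypass."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action == "permit"
    return False  # implicit deny: traffic is not matched by the class

if __name__ == "__main__":
    rules = parse_acl(CSC_OUT)
    # Constructed sample flows: (source, destination, destination port)
    for flow in [("192.168.10.10", "203.0.113.5", 80),
                 ("192.168.10.11", "203.0.113.5", 80),
                 ("192.168.10.11", "192.168.20.5", 80)]:
        print(flow, "-> CSC" if sent_to_csc(rules, *flow) else "-> bypass")
```

On the ASA itself, the hit counters in `show access-list csc_out` show which line a given flow matched.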

devangshroff commented:
Uncheck CSC inspection from GUI, in CSC module.