We help IT Professionals succeed at work.

Content Filtering on the ASA5510

denver218 asked
I have a customer who is currently using a Pix 506E.  Since this device is reaching its end-of-life I am going to replace this Pix with an ASA5510.  This client wants Content Filtering to be a feature on the new firewall.  They want to be able to block streaming media, nudity, social networking sites, etc.  What kind of license or module must I use on the ASA to allowing me to do content filtering as well on this ASA.  I was reading about the Content Security and Control Security Services Module below:  Seems expensive.

Is there other ways to do this besides purchasing the module like maybe websense?  is there a special license needed for it?  Thanks
Watch Question


Web sense works really well with the ASA. I could go that route over the SSM if you can afford it.

The license you get depends on how many users are behind it.

CSC-SSM-10 comes with 50 Users But can handle: • 100 Users, 250 Users, 500 Users with additional licensing.
Plus license: Adds anti-spam, anti-phishing, URL blocking/filtering and content control
CSC-SSM-20 comes with 500 Users But can handle: 500 Users, 750 Users, 1000 Users  with additional licensing.

Obviously, the SSM-20 has better performance.
Hi Denver,

You can configure URL filtering using regex(regular expressions) or by using Websense server.

Here is the document for url filtering using regex:

Here is the document for url filtering using Websense:

For blocking P2p traffic, this can be done using AIP SSM. You may find all p2p related signatures in:

Hope this helps.


I am looking into the CSC-SSM-10.  I have been able to find pricing on this module, but I have been unable to find out how much the yearly subscription costs.  Can anyone point me to a link that shows the yearly subscription costs?

Also, this client wants a pair of 5510s configured on Active/Standby.  Does the CSC-SSM support an active/stanby configuration.  I know I would have to buy a second CSC-SSM-10 for the standby ASA and probably a subscription for this as well.  

So in the end my client wants to be able to do everything that the pix did for them, which is NAT/PAT, ACL, VPN, etc, as well as add a module for content filtering, and have an Active/Standby configuration for redundancy.  The ASA5510s with the CSC module should accomplish this right?
It's hard to give you a price for yearly costs since it can vary greatly vendor to vendor. Check out this part from CDW:


The ASA can handle everything you need.

If Advanced Inspection and Prevention Security Services Module (AIP-SSM) or Content Security and Control Security Services Module (CSC-SSM) are used in active and standby units, then it operates independently of the ASA in terms of failover. Modules must be configured manually in active and standby units, the failover will not replicate the module configuration.

In terms of failover, both ASA units that have AIP-SSM or CSC-SSM modules must be of the same hardware type. For example, if the primary unit have the ASA-SSM-10 module, the secondary unit must have the ASA-SSM-10 module.

In order to replace the AIP-SSM module on a failover pair of ASAs, you must run the hw-module module 1 shutdown command before you remove the module. In addition, the ASA must be powered down as the modules are not hotswapable. For more information on how to install and remove AIP-SSM, refer to Installation and Removal Instructions.




Explore More ContentExplore courses, solutions, and other research materials related to this topic.