ASA's CSC module not scanning traffic

Discussion in 'Cisco' started by Barney Brunswick, Mar 28, 2007.

  1. hi,

    i have an ASA-5520 system running here, featuring the Content Scanning
    Module (CSC).

    the module is up and running, software and subscription registered --
    however, it doesn't scan emails (esmtp) or http traffic.

    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect http
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect tftp
      inspect dns global_dns_map
      inspect icmp
      inspect icmp error
      inspect esmtp
    !
    service-policy global_policy global

    AFAICS, this should work. i read all the documentation on this issue,
    but cannot see the problem.

    i appreciate everyone helping getting the tomatoes off my eyes.

    wbr,

    barney
     
    Barney Brunswick, Mar 28, 2007
    #1

  2. Brian V (Guest)

    "Barney Brunswick" <> wrote in message
    news:...
    > hi,
    >
    > i have an ASA-5520 system running here, featuring the Content Scanning
    > Module (CSC).
    >
    > the module is up and running, software and subscription registered --
    > however, it doesn't scan emails (esmtp) or http traffic.
    >
    > policy-map global_policy
    > class inspection_default
    > inspect ftp
    > inspect h323 h225
    > inspect http
    > inspect rsh
    > inspect rtsp
    > inspect sip
    > inspect skinny
    > inspect sqlnet
    > inspect tftp
    > inspect dns global_dns_map
    > inspect icmp
    > inspect icmp error
    > inspect esmtp
    > !
    > service-policy global_policy global
    >
    > AFAICS, this should work. i read all the documentation on this issue, but
    > cannot see the problem.
    >
    > i appreciate everyone helping getting the tomatoes off my eyes.
    >
    > wbr,
    >
    > barney


    That is the global inspection policy applied to the ASA for all traffic.
    That is not the CSC's inspection policy nor is it configured to send to the
    CSC. There is a link to the learning module how to do this about 1/2way down
    the page here.
    http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

    Do a search on the page for Anti-X Services
     
    Brian V, Mar 28, 2007
    #2

  3. udlooz (Joined: Mar 28, 2007; Messages: 5)

    get ready to start experiencing long delays to receive emails once you get it started scanning.
     
    udlooz, Mar 28, 2007
    #3
  4. >> policy-map global_policy
    >> class inspection_default
    >> inspect ftp
    >> inspect h323 h225
    >> inspect http
    >> inspect rsh
    >> inspect rtsp
    >> inspect sip
    >> inspect skinny
    >> inspect sqlnet
    >> inspect tftp
    >> inspect dns global_dns_map
    >> inspect icmp
    >> inspect icmp error
    >> inspect esmtp
    >> !
    >> service-policy global_policy global
    >>
    >> AFAICS, this should work. i read all the documentation on this issue, but
    >> cannot see the problem.
    >>
    >> i appreciate everyone helping getting the tomatoes off my eyes.
    >>
    >> wbr,
    >>
    >> barney

    >
    > That is the global inspection policy applied to the ASA for all traffic.
    > That is not the CSC's inspection policy nor is it configured to send to the
    > CSC.


    then cisco should rework their documentation on this; it clearly says
    that it will scan all traffic by default that your user license covers...

    > There is a link to the learning module how to do this about 1/2way down
    > the page here.
    > http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html
    >
    > Do a search on the page for Anti-X Services


    thanks, that helped me (not the media itself, but taking some time off
    its config file =:cool:.
     
    Barney Brunswick, Mar 29, 2007
    #4
  5. Brian V (Guest)

    "Barney Brunswick" <> wrote in message
    news:...
    >>> policy-map global_policy
    >>> class inspection_default
    >>> inspect ftp
    >>> inspect h323 h225
    >>> inspect http
    >>> inspect rsh
    >>> inspect rtsp
    >>> inspect sip
    >>> inspect skinny
    >>> inspect sqlnet
    >>> inspect tftp
    >>> inspect dns global_dns_map
    >>> inspect icmp
    >>> inspect icmp error
    >>> inspect esmtp
    >>> !
    >>> service-policy global_policy global
    >>>
    >>> AFAICS, this should work. i read all the documentation on this issue,
    >>> but cannot see the problem.
    >>>
    >>> i appreciate everyone helping getting the tomatoes off my eyes.
    >>>
    >>> wbr,
    >>>
    >>> barney

    >>
    >> That is the global inspection policy applied to the ASA for all traffic.
    >> That is not the CSC's inspection policy nor is it configured to send to
    >> the CSC.

    >
    > then cisco should rework their documentation on this; it clearly says that
    > it will scan all traffic by default that your user license covers...
    >
    >> There is a link to the learning module how to do this about 1/2way down
    >> the page here.
    >> http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html
    >>
    >> Do a search on the page for Anti-X Services

    >
    > thanks, that helped me (not the media itself, but taking some time off its
    > config file =:cool:.


    The "getting started" for the CSC couldn't be clearer. It specifically tells
    you that you need to divert the traffic from the ASA to the CSC. Maybe you
    found a different doc? The getting started guides are typically the best for
    initial setup.
    http://www.cisco.com/en/US/products..._guide_chapter09186a00805e293e.html#wp1043834
     
    Brian V, Mar 29, 2007
    #5
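
The diversion Brian V describes, as an added example that is not part of the original thread: the posted `global_policy` only enables the ASA's own inspection engines, and traffic reaches the CSC module only when a class in a service policy carries the `csc` action. The names `csc_out` and `csc_class`, the choice of HTTP and SMTP, and the fail-open setting are assumptions.

```cisco
! Added example. csc_out and csc_class are hypothetical names.
!
! 1. Select the traffic the CSC module should scan
!    (here: HTTP and SMTP from any source to any destination).
access-list csc_out extended permit tcp any any eq www
access-list csc_out extended permit tcp any any eq smtp
!
! 2. Wrap the ACL in a class map.
class-map csc_class
 match access-list csc_out
!
! 3. Add the class to the existing policy map. The posted
!    "class inspection_default" block stays as it is; "inspect http" and
!    "inspect esmtp" there do not send anything to the module.
!    "csc" is the action that diverts matching flows to the CSC.
!      fail-open  : traffic passes unscanned if the module is unavailable
!      fail-close : traffic is dropped if the module is unavailable
policy-map global_policy
 class csc_class
  csc fail-open
!
! 4. The policy is already applied globally in the posted configuration.
service-policy global_policy global
```

`show service-policy` lists the actions attached to each class, so the `csc` entry should appear under `csc_class` once the policy is in place. Choosing `fail-close` instead trades availability for the guarantee that nothing matching the ACL passes unscanned.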