Chapter 19 Managing the AIP SSM and CSC SSM
Checking SSM Status
Example 19-1is based on the network shown in Figure 19-3. It creates two service policies. The first policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP connections from inside to networks on the outside interface are scanned but it includes a deny ACE to exclude HTTP connections from inside to servers on the DMZ network.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file uploads.
Example 19-1 Service Policies for a Common CSC SSM Scanning Scenario
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80 hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80 hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class hostname(config-cmap)#match access-list csc_out
hostname(config)# policy-map csc_out_policy hostname(config-pmap)#class csc_outbound_class hostname(config-pmap-c)#csc fail-close
hostname(config)# service-policy csc_out_policy interface inside
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25 hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class hostname(config-cmap)#match access-list csc_in
hostname(config)# policy-map csc_in_policy hostname(config-pmap)#class csc_inbound_class hostname(config-pmap-c)#csc fail-close
hostname(config)# service-policy csc_in_policy interface outside
Note FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled by default.
Checking SSM Status
To check the status of an SSM, use the show module command.
The follow example output is from an adaptive security appliance with a CSC SSM installed. The Status field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the output of the show module command. While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads “Recover”. For more information about possible statuses, see the entry for the show module command in the Cisco Security Appliance Command Reference.
| | Cisco Security Appliance Command Line Configuration Guide | | |
| | |
| OL-8629-01 | | | 19-13 | |
| | | |
