KB ID 0000156 Dtd 04/02/14
When the CSC module is installed in your firewall and running, by default it scans all traffic in and out, including its own updates and web traffic. This can cause quite a performance hit; to stop it happening, exempt the CSC module's own traffic from being scanned.
NOTE: Your access-lists and port groups may well have different names, so I'll list all the commands needed to chase them through the firewall's running config.
Bypass the Cisco CSC Module for 1 IP address
1. Log into the firewall > Go to enable mode.
Petes-ASA> enable
Password: *********
Petes-ASA#
2. Show the firewall's policy map "show run policy-map".
Petes-ASA1# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class global-class          <<< This is what we are looking for!!
  csc fail-open
!
Petes-ASA#
3. Show the firewall's class maps with "show run class-map", to see what "global-class" is doing.
Petes-ASA# show run class-map
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
Petes-ASA#
4. Now we know "global-class" is matching all traffic in an access-list called "global_mpc". To see what that access-list is doing, issue a "show run access-list global_mpc" command.
Petes-ASA# show run access-list global_mpc
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA#
5. To see what protocols the CSC is scanning issue a "show run object-group id DM_INLINE_TCP_1" command.
Petes-ASA# show run object-group id DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
Petes-ASA#
6. Now that we are sure this is the CSC scanning :) we need to exclude the CSC module's own IP address (10.1.0.253 in this example) from the access list. The deny entry is inserted at line 1 so that it is evaluated before the existing permit.
Petes-ASA# configure terminal
Petes-ASA(config)# access-list global_mpc line 1 deny ip host 10.1.0.253 any
Petes-ASA(config)#
7. To make sure, look at the access-list again; the deny entry must appear above the permit entry.
Petes-ASA(config)# show run access-list global_mpc
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA(config)#
At this point you can check that web traffic is flowing with a "sh conn | i x" command (note that the | is a pipe symbol).
Check Traffic is Bypassing the Cisco CSC Module
You can do this with a simple packet-tracer command; in the SSM-DIVERT section look for deny=true.
Petes-ASA(config)# packet-tracer input inside tcp 10.1.0.253 www 18.104.22.168 www
-----------Output Removed to Save Space-----------
Phase: 7
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xadccb148, priority=51, domain=ssm-isvw, deny=true
        hits=1, user_data=0xae658708, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
-----------Output Removed to Save Space-----------
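If you have a lot of firewalls to check, the chase in steps 2 to 7 (policy-map to class-map to access-list) and the packet-tracer check can be run against a saved "show run" instead of by hand. The Python below is an added example and is not code from the original article or from Cisco; the config and packet-tracer text are constructed excerpts assembled from the outputs shown above, and the function names are this example's own.

```python
"""Trace an ASA policy-map down to the access-list that feeds the CSC module and
check that the module's own IP is exempted (a deny line ahead of any permit).

Added example; the excerpts below are constructed from the article's output.
"""
import re

# Constructed running-config excerpt mirroring the article's show-run output,
# as it looks AFTER step 6 (the deny line is already at the top of the ACL).
RUNNING_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
 class global-class
  csc fail-open
"""

# Constructed packet-tracer excerpt (only the phases that matter here).
PACKET_TRACER_OUTPUT = """\
Phase: 7
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xadccb148, priority=51, domain=ssm-isvw, deny=true
        hits=1, user_data=0xae658708, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
Phase: 8
Type: FLOW-CREATION
"""


def csc_class_names(config):
    """Step 2: return the class names inside a policy-map that carry a 'csc' action."""
    names, current = [], None
    for line in config.splitlines():
        if line.startswith(" class "):          # one-space indent: class under a policy-map
            current = line.split()[1]
        elif line.startswith("  csc ") and current:
            names.append(current)
        elif not line.startswith(" "):          # top-level statement ends the policy-map
            current = None
    return names


def class_map_acl(config, class_name):
    """Step 3: return the access-list a class-map matches, or None if it matches something else."""
    inside = False
    for line in config.splitlines():
        if line.startswith("class-map "):
            inside = line.split()[1] == class_name
        elif not line.startswith(" "):
            inside = False
        elif inside and line.strip().startswith("match access-list "):
            return line.split()[-1]
    return None


def acl_entries(config, acl_name):
    """Steps 4 and 7: return (action, source) tuples for an ACL in configured order."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended (permit|deny) \S+ (host \S+|any)")
    entries = []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def csc_exempted(config, csc_ip):
    """True only if every CSC-scanning ACL denies csc_ip BEFORE any permit entry.

    Order matters: a permit that precedes the deny means the CSC's own traffic is
    still diverted to the module, which is exactly what step 6 is meant to stop.
    """
    classes = csc_class_names(config)
    if not classes:
        return False                            # no CSC class at all: nothing was traced
    for cls in classes:
        acl = class_map_acl(config, cls)
        if acl is None:
            return False
        found = False
        for action, src in acl_entries(config, acl):
            if action == "deny" and src == f"host {csc_ip}":
                found = True
                break
            if action == "permit":
                return False                    # permit hit first: CSC traffic still scanned
        if not found:
            return False
    return True


def ssm_divert_bypassed(output):
    """Check the SSM-DIVERT phase of packet-tracer output for deny=true (True/False),
    or None when that phase is absent from the output."""
    for block in re.split(r"^Phase: \d+$", output, flags=re.M):
        if "Type: SSM-DIVERT" in block:
            return "deny=true" in block
    return None


if __name__ == "__main__":
    print("CSC classes:", csc_class_names(RUNNING_CONFIG))
    print("ACL for global-class:", class_map_acl(RUNNING_CONFIG, "global-class"))
    print("10.1.0.253 exempted:", csc_exempted(RUNNING_CONFIG, "10.1.0.253"))
    print("packet-tracer shows bypass:", ssm_divert_bypassed(PACKET_TRACER_OUTPUT))
```

Feed the script the full text of a "show run" rather than the excerpt and it will report False if the deny line was added below the permit (for example by omitting "line 1" in step 6), which is the mistake the packet-tracer check in the article is there to catch.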
Related Articles, References, Credits, or External Links
Original article written: 07/12/09