

  KB 0000156
  Dated 07/12/09
  Revision 0.01
   
Cisco CSC Module - Stop it scanning its own update traffic
 
Problem

When the CSC module is installed in your firewall and running, by default it scans all traffic in and out, including its own update and web traffic. This can cause quite a performance hit. To stop it happening, exempt the CSC module's own traffic from being scanned.

NOTE: your access-lists and port groups may well have different names, so I'll list all the commands needed to chase them through the firewall's running config.

Before you start you will need to know the IP address of your CSC module, in the following example it is 10.1.0.253

Solution
1. Log into the firewall > Go to enable mode.
Petes-ASA> en
Password: *********
Petes-ASA#

2. Show the firewall's policy map "show run policy-map".
Petes-ASA# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class global-class <<< This is what we are looking for!!
csc fail-open
!
Petes-ASA#

3. Show the firewall's class maps with "show run class-map", to see what "global-class" is doing.
Petes-ASA# show run class-map
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
Petes-ASA#

4. Now we know "global-class" is matching all traffic in an access-list called "global_mpc". To see what that's doing, issue a "show run access-list global_mpc" command.
Petes-ASA#
Petes-ASA# show run access-list global_mpc
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA#

5. To see what protocols the CSC is scanning issue a "show run object-group id DM_INLINE_TCP_1" command.
Petes-ASA# show run object-group id DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
Petes-ASA#

6. Now we are sure that's our CSC scanning :) we need to exclude the CSC's address from the access-list. Inserting the deny at line 1 places it ahead of the existing permit, so the CSC module's traffic is matched (and excluded) before the permit can catch it.
Petes-ASA# configure terminal
Petes-ASA(config)# access-list global_mpc line 1 deny ip host 10.1.0.253 any
Petes-ASA(config)#

7. To make sure, look at the access-list again.
Petes-ASA(config)# show run access-list global_mpc
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA(config)#

At this point you can check web traffic is flowing with a "sh conn | i x" command (Note that's a pipe symbol).
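As an added example (not from the original article), here is a small Python audit that follows the same chain as steps 2 to 7, policy-map > class-map > access-list, over a constructed excerpt of the running config, and reports whether the CSC host's deny entry sits ahead of any permit in the ACL that feeds the csc action. The config text, the IP 10.1.0.253 and the function names are constructed for this example.

```python
import re

# Constructed sample: the relevant fragments of the ASA running-config as
# they look AFTER step 6 (deny for the CSC host inserted at line 1).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class global-class
  csc fail-open
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
"""

def csc_acls(config):
    """Return the names of access-lists whose class-map feeds a 'csc' action."""
    csc_classes, acls = set(), set()
    current = None
    for line in config.splitlines():          # policy-map: which class runs csc?
        m = re.match(r"\s*class (\S+)", line)  # 'class X' (not 'class-map X')
        if m:
            current = m.group(1)
        elif re.match(r"\s*csc\b", line) and current:
            csc_classes.add(current)
    cmap = None
    for line in config.splitlines():          # class-map: which ACL does it match?
        m = re.match(r"class-map (\S+)", line)
        if m:
            cmap = m.group(1)
            continue
        m = re.match(r"\s*match access-list (\S+)", line)
        if m and cmap in csc_classes:
            acls.add(m.group(1))
    return acls

def csc_host_exempt(config, csc_ip):
    """True when every CSC-scanning ACL denies csc_ip before any permit entry."""
    acls = csc_acls(config)
    for acl in acls:
        entries = [l for l in config.splitlines()
                   if l.startswith(f"access-list {acl} ")]
        for ace in entries:                   # ACEs are evaluated top-down
            if f"deny ip host {csc_ip} any" in ace:
                break                         # exemption is ahead of any permit
            if " permit " in ace:
                return False                  # a permit matches first: CSC is scanned
        else:
            return False                      # no deny for the CSC host at all
    return bool(acls)
```

Feed it the output of "show run" and it returns False both before step 6 and if the deny ends up below the permit, which is the mistake the line-number check in step 7 is meant to catch.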
