Cisco CSC Module – Stop it scanning its own update traffic

KB ID 0000156 

Problem

When the CSC module is installed in your firewall and running, by default it scans all traffic in and out, including its own update and web traffic. This can cause quite a performance hit; to stop it, exempt the CSC module's own traffic from being scanned.

NOTE: Your access-lists and object groups may well have different names, so I'll list all the commands needed to chase them through the firewall's running config.

Before you start you will need to know the IP address of your CSC module; in the following example it is 10.1.0.253.

Solution

Bypass the Cisco CSC Module for 1 IP address

1. Log into the firewall > Go to enable mode.

Petes-ASA> enable
Password: *********
Petes-ASA#

2. Show the firewall's policy map with "show run policy-map".

Petes-ASA# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class global-class <<< This is what we are looking for: the class whose action is "csc"
csc fail-open
!
Petes-ASA#

3. Show the firewall's class maps with "show run class-map", to see what "global-class" is matching.

Petes-ASA# show run class-map
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
Petes-ASA#

4. Now we know "global-class" matches the traffic permitted by an access-list called "global_mpc". To see what that access-list permits, issue a "show run access-list global_mpc" command.

Petes-ASA# show run access-list global_mpc
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA#

5. To see which ports the CSC is scanning, issue a "show run object-group id DM_INLINE_TCP_1" command.

Petes-ASA# show run object-group id DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
Petes-ASA#

6. Now we are sure that's the traffic our CSC is scanning 🙂 we need to exclude the CSC's own IP address from the access-list. The deny goes in at line 1 so it is evaluated before the permit: a class-map only matches (and diverts to the module) what its access-list permits, so a deny that matches first keeps the traffic out of the class. Note this exempts everything sourced from 10.1.0.253, not just its update traffic.

Petes-ASA# configure terminal
Petes-ASA(config)# access-list global_mpc line 1 deny ip host 10.1.0.253 any
Petes-ASA(config)#

7. To make sure, look at the access-list again; the deny should now be the first line.

Petes-ASA(config)# show run access-list global_mpc
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA(config)#
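The chain the steps above chase by hand (policy-map, class-map, access-list, object-group) can also be walked from saved "show run" output, which is handy on a firewall with several class-maps or a long global_mpc. The Python below is an added example written for this article, not code from the original post or from Cisco. It parses the output shown in steps 2 to 7 (embedded here as constructed text, with the deny already in place) and reports whether a given source host and destination port would be diverted to the module. A second copy of the config, with the deny added after the permit instead of at line 1, shows why the "line 1" matters. Address matching is simplified: network object-groups, source-port qualifiers and port ranges are not resolved.

```python
"""Walk the ASA MPF chain traced above (policy-map -> class with a csc action -> class-map -> access-list
-> object-group) and say whether a flow is diverted to the CSC. Added example, not from the article or
Cisco; the config text is constructed; network object-groups and source-port qualifiers are not resolved."""
import ipaddress

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110, "https": 443}
DENY_LINE = "access-list global_mpc extended deny ip host 10.1.0.253 any"
PERMIT_LINE = "access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1"
RUNNING_CONFIG = f"""\
policy-map global_policy
 class inspection_default
 class global-class
  csc fail-open
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
{DENY_LINE}
{PERMIT_LINE}
!
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
"""
WRONG_ORDER_CONFIG = RUNNING_CONFIG.replace(f"{DENY_LINE}\n{PERMIT_LINE}", f"{PERMIT_LINE}\n{DENY_LINE}")  # deny added without 'line 1'

def _port(p):
    return PORT_NAMES.get(p) or int(p)

def parse_config(text):
    """Return (policy_maps, class_maps, acls, obj_groups) from 'show run' text; indentation optional."""
    pms, cms, acls, ogs = {}, {}, {}, {}
    section, cur_class = ("", ""), None            # (kind, name) of the container being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        kw = tok[0]
        if kw in ("policy-map", "class-map"):      # '<kw> NAME' or '<kw> type inspect dns NAME'
            section, cur_class = (kw, tok[-1]), None
        elif kw == "object-group":                 # 'object-group service NAME tcp'
            section, cur_class = (kw, tok[2]), None
        elif kw == "access-list":                  # ACEs kept in order; tok[1] is the ACL name
            section, cur_class = ("", ""), None
            acls.setdefault(tok[1], []).append(tok[2:])
        elif section[0] == "policy-map" and kw == "class":
            cur_class = pms.setdefault(section[1], {}).setdefault(tok[1], [])
        elif section[0] == "policy-map" and cur_class is not None:
            cur_class.append(" ".join(tok))        # class actions: inspect ..., csc fail-open, ...
        elif section[0] == "class-map" and kw == "match":
            cms[section[1]] = tok[1:]
        elif section[0] == "object-group" and kw == "port-object" and tok[1] == "eq":
            ogs.setdefault(section[1], []).append(_port(tok[2]))  # 'eq' only; 'range' not handled
    return pms, cms, acls, ogs

def _consume_addr(tok, ip):  # match one ASA address spec at the head of tok; ip=None means don't care
    if tok[0].startswith("any"):                   # any / any4 / any6
        return True, tok[1:]
    if tok[0] in ("object-group", "object"):       # network objects are not resolved in this example
        return ip is None, tok[2:]
    net = ipaddress.ip_network(tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}", strict=False)
    return ip is None or ipaddress.ip_address(ip) in net, tok[2:]

def ace_action(ace, proto, src_ip, dst_port, ogs):  # 'permit'/'deny' if the ACE matches the flow, else None
    t = ace[1:] if ace[0] == "extended" else ace
    action, ace_proto, rest = t[0], t[1], t[2:]
    if ace_proto not in ("ip", proto):
        return None
    ok, rest = _consume_addr(rest, src_ip)
    if not ok:
        return None
    _, rest = _consume_addr(rest, None)            # destination address: not filtered on here
    if rest and rest[0] in ("eq", "object-group"): # destination port qualifier
        allowed = [_port(rest[1])] if rest[0] == "eq" else ogs.get(rest[1], [])
        if dst_port not in allowed:
            return None
    return action

def csc_verdict(config_text, src_ip, proto="tcp", dst_port=80):
    """'scanned' if the flow is diverted to the CSC, 'bypassed' if not, 'no-csc-policy' if no class has
    a csc action. A class-map matches only what its ACL *permits*, so a deny or no match skips the module."""
    pms, cms, acls, ogs = parse_config(config_text)
    for classes in pms.values():
        for cls, actions in classes.items():
            if not any(a.startswith("csc") for a in actions):
                continue
            match = cms.get(cls)
            if not match or match[0] != "access-list":
                continue                           # e.g. 'match default-inspection-traffic'
            for ace in acls.get(match[1], []):
                action = ace_action(ace, proto, src_ip, dst_port, ogs)
                if action is not None:
                    return "scanned" if action == "permit" else "bypassed"
            return "bypassed"
    return "no-csc-policy"
```

Paste your own "show run policy-map", "show run class-map", "show run access-list" and "show run object-group" output into RUNNING_CONFIG and call csc_verdict(RUNNING_CONFIG, "<your CSC IP>"). Anything other than "bypassed" for the module's own address means the exemption is missing, or (as WRONG_ORDER_CONFIG shows) it sits below a permit that already matches the traffic.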

At this point you can check web traffic is still flowing, and see which connections are being handed to the module, with a "sh conn | i X" command (note that's a pipe symbol; X is the connection flag for "inspected by service module"). Connections from 10.1.0.253 should no longer carry it.

Check Traffic is Bypassing the Cisco CSC Module

You can do this with a simple packet-tracer command. In the SSM-DIVERT phase look for deny=true on the rule that matched: the packet is still allowed through the firewall, but it is not diverted to the module.

Petes-ASA(config)# packet-tracer input inside tcp 10.1.0.253 www 123.123.123.123 www
-----------Output Removed to Save Space-----------

Phase: 7
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xadccb148, priority=51, domain=ssm-isvw, deny=true
hits=1, user_data=0xae658708, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

-----------Output Removed to Save Space-----------

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Original article written: 07/12/09

Author: Migrated
