Cisco CSC Module Error – Activation Warning

KB ID 0000392 

Problem

You try to connect to your Cisco CSC module, and see the following error.

Error: Activation Warning CSC is not activated. Please run setup wizard under Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup to perform setup process. Click OK button to to to Trend Micro Content Security Setup wizard.

Naturally if you’ve never set up the CSC you are going to see this, but what if it suddenly starts doing this?

Solution

1. Connect to the ASA that the CSC module is in.

2. Issue the following command,

[box]sh modu 1 det[/box]

3. This one’s unresponsive; it probably just needs restarting. To do that, issue the following command.

[box]hw-module module 1 reset[/box]

4. They can take a little while to come up (apply the cup of coffee rule). Then to see if it’s back up again use the same command you used earlier.

[box]sh mod 1 det[/box]

That didn’t work! Sometimes CSC modules do fail! I had one client go through three in a year. If doing the above, or running through the setup wizard (you did write down the licence numbers that came with the CSC, didn’t you?), doesn’t work, then you need to log a call to TAC.

 

Related Articles, References, Credits, or External Links

Cisco CSC Module stop it scanning its own update traffic

Cisco ASA 5500 – Install and Configure a CSC Module

KB ID 0000731 

Problem

The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).

If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.

It is a hardware device that plugs into the back of the ASA, and comes in two flavours.

1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.

2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.

In addition to licensing the number of users, you can also buy a Plus License, which enables anti-spam, anti-phish, URL filtering, and blocking control. (Note: This license expires and must be renewed annually.)

Solution

Some licenses on the CSC are time specific, so I would consider setting the ASA’s internal clock before you start.

Set the ASA to get time from an External NTP Server

Step 1: License the Cisco CSC Module

1. Connect to the ASA via command line, go to enable mode and issue the following command;


From the output you should be able to get the serial number of the CSC module (write it down).

2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.

3. Go to the Cisco license portal. Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.

Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.

4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.

5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.

6. Scroll down and accept, then select DOWNLOAD (that way you won’t have to wait for it to be emailed to you).

7. Open the license file (will have a .lic extension) with notepad and you should see two keys.

Step 2: Setup the CSC Module

Note: Here I’m going to simply set up inspection of everything on all interfaces. This might not be what you want, i.e. if there’s no mail server in the DMZ, why would you want to inspect all DMZ traffic for SMTP?

1. Connect to the firewall’s ASDM console > Trend Micro Content Security > It should point you straight to the setup wizard.

9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.

10. Enter the network settings you require for the CSC (it requires its own network connection). It has a single RJ45 network socket on the CSC module’s back plane; connect that to your LAN > Next.

11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.

12. Select what traffic you want to inspect, here I’ve selected all traffic on all interfaces > I’ve set the CSC to fail open (if there’s a problem it simply passes traffic; if you have it on fail close and the CSC encounters a problem, all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.

13. Review the settings > Finish.

Note: You may get a warning if you set ‘fail open’ above that’s OK.

Connecting to and Managing the Cisco CSC Module

Although you can access the CSC settings via the ASDM, the easiest way is via its web interface. You set the IP address in Step 2, number 10 above; navigate to
https://{ip-address}:8443

Note: You should now set the CSC module so that it DOES NOT scan its own update traffic, see the following article.

Cisco CSC Module – Stop it scanning its own update traffic

Adding a ‘PLUS’ License to a Cisco CSC

If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC serial number into the licensing portal and have it sent to you).

1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.

2. Paste in the new code > Activate.

3. It may look like it has hung; wait a minute or so, and check the licensing tab again.

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Apple Devices will not Update Though Cisco ASA and CSC Module

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

Changing the IP Address / Subnet Mask of a Cisco CSC Module

KB ID 0000781 

Problem

I had a client re-address their network this weekend, I was asked to make the relevant changes on the firewall. I know the CSC has a web interface, but as I usually work at command line I wanted to work out how to do it that way.

Solution

In the example below I will change the CSC module from 192.168.1.254/24 to 172.16.1.254/16.

1. Connect to the ASA, and check that the CSC module is up and healthy.

Note: Due to the limitations of HTML, the output on your ASA will look a little neater than this.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: *******
Petes-ASA# show module 1 detail
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF1443AXXX
Firmware version: 1.0(11)5
Software version: CSC SSM 6.6.1125.0
MAC Address Range: d0d0.fdfe.a557 to d0d0.fdfe.a557
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.6.1125.0
Data plane Status: Up
Status: Up
HTTP Service: Up
HTTPS Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 192.168.1.254
Mgmt web port: 8443
Peer IP addr: <not enabled>

[/box]

2. Connect to the CSC module and choose option 1 (Network Settings). Note: the username is cisco and the password will be the password you use to log onto the CSC web console.

[box]

Petes-ASA# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:*******
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg

If you require further assistance please contact us by sending email to
export@cisco.com.

 

Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
---------------------------------------------------------------------

1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit ...

Enter a number from [1-10]: 1

[/box]

3. Enter ‘y’ for yes to change the settings > Type in the new details (just press enter to proceed without changing any of the options).

[box]

Network Settings
---------------------------------------------------------------------

IP 192.168.1.254
Netmask 255.255.255.0
Hostname CSC
Domain name petenetlive.com
MAC address D0:D0:FD:FE:A5:57

Primary DNS 192.168.1.3

Gateway 192.168.1.1
No Proxy

Do you want to modify the network settings? [y|n] y

Network Settings
---------------------------------------------------------------------

Enter the SSM card IP address: (default:192.168.1.254)172.16.1.254
Enter subnet mask: (default:255.255.255.0) 255.255.0.0
Enter host name: (default:CSC)
Enter domain name: (default:petenetlive.com)
Enter primary DNS IP address: (default:192.168.0.3)172.16.1.10
Enter optional secondary DNS IP address:
Enter gateway IP address: (default:192.168.0.254)172.16.1.1
Do you use a proxy server? [y|n] (default:no)
Stopping services:
OK
Applying network settings ...
Starting services: OK

[/box]

4. Press Enter to return to the main menu, you can check the change was successful by selecting option 1 again, but this time enter ‘n’ when asked if you want to change anything.

[box]

Press Enter to continue ...

Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
---------------------------------------------------------------------

1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit ...

Enter a number from [1-10]: 1

Network Settings
---------------------------------------------------------------------

IP 172.16.1.254
Netmask 255.255.0.0
Hostname CSC
Domain name petenetlive.com
MAC address D0:D0:FD:FE:A5:57

Primary DNS 172.16.1.10

Gateway 172.16.1.1
No Proxy

Do you want to modify the network settings? [y|n] n

[/box]

5. Exit the main menu, then choose reboot (Note: This reboots the module NOT the ASA.)

[box]

Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
---------------------------------------------------------------------

1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit ...

Enter a number from [1-10]: 10

Exit Options
---------------------------------------------------------------------

1. Logout
2. Reboot
3. Return to Main Menu

Enter a number from [1-3]: 2
Please wait while rebooting.
Please wait while rebooting.
Remote card closed command session. Press any key to continue.
Command session with slot 1 terminated.

[/box]

6. You can check its status. For a while it will say it’s ‘unresponsive’; eventually it will say all services are ‘up’.

[box]

Petes-ASA# show module 1 detail
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF1443AXXX
Firmware version: 1.0(11)5
Software version: CSC SSM 6.6.1125.0
MAC Address Range: d0d0.fdfe.a557 to d0d0.fdfe.a557
App. name: CSC SSM
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 6.6.1125.0
Data plane Status: Not Applicable
Status: Unresponsive <<<<

Petes-ASA# show module 1 detail
Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF1443AXXX
Firmware version: 1.0(11)5
Software version: CSC SSM 6.6.1125.0
MAC Address Range: d0d0.fdfe.a557 to d0d0.fdfe.a557
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.6.1125.0
Data plane Status: Up
Status: Up
HTTP Service: Up
HTTPS Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 172.16.1.254
Mgmt web port: 8443
Peer IP addr: <not enabled>
Petes-ASA#

[/box]

7. Finally you can check the IP address, from the web console.
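The status check from step 6 can be scripted, which matters if the module is set to fail open, because an unresponsive module then passes traffic unscanned. The following is an added example, not part of the original article: it parses the `show module 1 detail` output format shown above and reports what is not yet healthy, including a management IP that does not match the new address. The function names are hypothetical and the two captures are constructed, abbreviated from the outputs in step 6.

```python
# Fields that must read "Up" before the module is scanning traffic again.
REQUIRED_UP = ("Status", "App. Status", "Data plane Status")

def parse_module_detail(text):
    """Collect the 'Key: value' lines of `show module 1 detail` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            # '<<<<' appears as a highlight in the article's capture; strip it.
            fields[key.strip()] = value.replace("<<<<", "").strip()
    return fields

def assess(text, expected_mgmt_ip=None):
    """Return (healthy, problems) for one capture of the command output."""
    f = parse_module_detail(text)
    problems = [f"{k} is {f.get(k, 'missing')}"
                for k in REQUIRED_UP if f.get(k) != "Up"]
    # Any per-protocol service line (HTTP, HTTPS, Mail, FTP) that is not Up.
    problems += [f"{k} is {v}" for k, v in f.items()
                 if k.endswith("Service") and v != "Up"]
    if f.get("Activated") != "Yes":
        problems.append(f"Activated is {f.get('Activated', 'missing')}")
    mgmt = f.get("Mgmt IP addr", "missing")
    if expected_mgmt_ip and mgmt != expected_mgmt_ip:
        problems.append(f"Mgmt IP addr is {mgmt}, expected {expected_mgmt_ip}")
    return (not problems), problems

# Constructed captures, abbreviated from the two outputs in step 6.
UNRESPONSIVE = """\
App. name: CSC SSM
App. Status: Not Applicable
App. Status Desc: Not Applicable
Data plane Status: Not Applicable
Status: Unresponsive <<<<
"""
UP = """\
App. Status: Up
App. Status Desc: CSC SSM scan services are available
Data plane Status: Up
Status: Up
HTTP Service: Up
HTTPS Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 172.16.1.254
Mgmt web port: 8443
"""

if __name__ == "__main__":
    for name, capture in (("unresponsive", UNRESPONSIVE), ("up", UP)):
        print(name, assess(capture, expected_mgmt_ip="172.16.1.254"))
```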

Related Articles, References, Credits, or External Links

NA

Block Access to Facebook on Cisco ASA with MPF

KB ID 0000054

Problem

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module. However, on an ASA5505 that’s not an option, and if you want to throw in a quick solution to stop your staff going to Facebook during work time, then this is the best solution.

NOTE: This can be used for any web site simply add each URL you want to block.

Solution

1. Log into your firewall, and enter enable mode, then enter configure terminal mode.

[box]

User Access Verification

password: *******
Type help or '?' for a list of available commands. 
PetesASA> enable
Password: ******** 
PetesASA# conf t 
PetesASA(config)#

[/box]

2. The first thing we are going to do is write a “Regular Expression” that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)

[box]

PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#

[/box]

3. Now we are going to create a “Class-map” which will include our regular expression. (Note: for additional domains you would simply add multiple match commands.)

[box]

PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#

[/box]

4. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).

[box]

PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#

[/box]

5. Now to apply these class-maps we need to use a policy. The rule for policies is: you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface. So here I’ll create a policy for http inspection and use the classes we created above.

[box]

PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#

[/box]

6. Then to knit everything together, I’m going to embed this policy in my firewall’s global policy.

[box]

PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#

[/box]

7. Note: Above I’ve assumed you have the default global policy. If you haven’t, this will not apply until you have applied the global_policy globally. This is done with a service-policy command; check to see if you already have this command in your config, or simply execute the command and the firewall will tell you, like so.

Note: If it does not return the warning, then the policy was NOT already applied 🙂

[box]

PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

[/box]

8. Don’t forget to save the config with a “write mem” command.

If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues).

[box]

regex BLOCKED_DOMAIN_1 "www.facebook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
 match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
 match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
 match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
 parameters
 class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
 class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside

[/box]
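A check that can be run on a block list before it is pasted into the firewall, as an added example (not from the original article or from Cisco): it parses `regex` and `match regex` lines in the syntax used above, then reports patterns that no class-map references, patterns with an unescaped `.`, and hosts that should be blocked but match nothing. Python's `re.search` stands in for the ASA regex engine, an assumption that holds for simple patterns like these; the function names are hypothetical, and the config and host names are constructed.

```python
import re

REGEX_LINE = re.compile(r'^regex\s+(\S+)\s+"(.*)"$')
MATCH_LINE = re.compile(r'^match\s+regex\s+(\S+)$')

def parse_config(text):
    """Return ({name: pattern}, {names referenced by 'match regex'})."""
    regexes, referenced = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := REGEX_LINE.match(line)):
            regexes[m.group(1)] = m.group(2)
        elif (m := MATCH_LINE.match(line)):
            referenced.add(m.group(1))
    return regexes, referenced

def lint(text, must_block):
    """List problems in the block list; an empty list means it looks sane."""
    regexes, referenced = parse_config(text)
    findings = []
    for name, pattern in regexes.items():
        if name not in referenced:
            findings.append(f"{name}: defined but not in any class-map")
        # A '.' with no backslash before it matches any character.
        if re.search(r'(?<!\\)\.', pattern):
            findings.append(f"{name}: unescaped '.' in {pattern!r}")
    # Only patterns pulled into a class-map take part in matching.
    active = [regexes[n] for n in referenced if n in regexes]
    for host in must_block:
        if not any(re.search(p, host) for p in active):
            findings.append(f"{host}: not matched by any active regex")
    return findings

# Constructed config: domainlist2 is misspelt on purpose and
# domainlist3 is never added to the class-map.
CONFIG = r'''
regex domainlist1 "facebook.com"
regex domainlist2 "www.exmaple.org"
regex domainlist3 "\.example\.net"
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
'''

# Constructed Host header values that the policy is meant to block.
MUST_BLOCK = ["www.facebook.com", "www.example.org", "video.example.net"]

if __name__ == "__main__":
    for finding in lint(CONFIG, MUST_BLOCK):
        print(finding)
```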

Related Articles, References, Credits, or External Links

NA