Cisco ASA 5500 – Install and Configure a CSC Module

KB ID 0000731 

Problem

The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).

If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.

It is a hardware device that plugs into the back of the ASA, and comes in two flavours.

1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.

2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.

In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. Note: This license expires and must be renewed annually).

Solution

Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.

Set the ASA to get time from an External NTP Server

Step 1: License the Cisco CSC Module

1. Connect to the ASA via command line, go to enable mode and issue the following command;


From the output you should be able to get the serial number of the CSC module (write it down).

2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.

3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.

Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.

4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.

5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.

6. Scroll down and accept, then select DOWNLOAD, (that way you wont have to wait for it to be emailed to you).

7. Open the license file (will have a .lic extension) with notepad and you should see two keys.

Step 2: Setup the CSC Module

Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if theres no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP.

1. Connect to the firewall’s ASDM console > Trend Micro Content Security > It should point you straight to the setup wizard.

9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.

10. Enter the network settings you require for the CSC (it requires its own network connection). it has a single RJ45 network socket on the CSC modules back plane, connect that to your LAN > Next.

11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.

12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > Ive set the CSC to fail open (if theres a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.

13. Review the settings > Finish.

Note: You may get a warning if you set ‘fail open’ above that’s OK.

Connecting to and Managing the Cisco CSC Module

Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443

Note: You should now set the CSC module so that is DOES NOT scan its own update traffic, see the following article.

Cisco CSC Module – Stop it scanning its own update traffic

Adding a ‘PLUS’ License to a Cisco CSC

If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you.

1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.

2. Paste in the new code > Activate.

3. It may look like it has hung, wait a minuter or so, and check the licensing tab again.

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Apple Devices will not Update Though Cisco ASA and CSC Module

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

Cisco ASA 5500 – Throttling (Rate Limiting) Traffic

KB ID 0001001 

Problem

If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic.

Solution

To demonstrate, I have a 30Mb connection at home, when I run a test on the download connection speed from my desktop PC this is what I get;

So I’m going to throttle traffic to that IP address (10.254.254.90), so that it can only use 1Mb of the connection.

1. Create an ACL for traffic to and from the IP address you want to throttle. (Note: If your firewall is running a version older than 8.3, and you are throttling an IP that has a public IP address, use its public IP address not its private one).

[box]

User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
PetesASA(config)# access-list ACL-THROTTLE extended permit ip any host 10.254.254.90

   

[/box]

2. Now create a class-map that will match all traffic in that ACL, (so all traffic to and from 10.254.254.90).

[box]

PetesASA(config)# class-map CM-THROTTLE
PetesASA(config-cmap)# match access-list ACL-THROTTLE
PetesASA(config-cmap)# exit

[/box]

3. Then create a policy-map, that takes all traffic identified in your class map, and rate limits the traffic to 1000000 bps (1Mbps) with a ‘burst-rate’ of 2000bps.

[box]

PetesASA(config)# policy-map PM-THROTTLE
PetesASA(config-pmap)# class CM-THROTTLE
PetesASA(config-pmap-c)# police output 1000000 2000
PetesASA(config-pmap-c)# police input 1000000 2000
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit 

[/box]

4. Now apply that policy-map with a service policy. (Note: Generally you apply the policy to the interface closest to where the traffic is coming from, as this is an internal host, I’m applying it to the inside interface. If you were throttling traffic from outside it would be better to apply the service-policy to the outside interface).

[box]

PetesASA(config)# service-policy PM-THROTTLE interface inside

[/box]

5. Let’s run our test again.

6. Looks good!

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Configuring for NTP

KB ID 0000608

Problem

With NTP, there will be two things you want to do, 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP sever (for accurate date stanps on the logs, and for time critical things like Kerberos authentication.)

Solution

Allow internal host(s) to get system time though the firewall.

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. To rules are being applied to traffic going OUT through the firewall, run a “show run access-group” command.

[box]

PetesASA(config)# show run access-group

        Sample Output

access-group outbound in interface inside
access-group inbound in interface outside

[/box]

Note: If it returns nothing then outbound traffic is NOT being filtered, and NTP should work anyway, but in the example above I can see the traffic that is going IN the inside interface (That’s traffic going out if you think about it!) Is being filtered by an access list called ‘outbound’ (Because I give the ACL’s sensible names, yours could be called anything!)

3. To allow ALL hosts use the word any, for a specific host use the keyword host.

[box]

Allow all hosts access to NTP

PetesASA(config)# access-list outbound permit udp any any eq 123

Allow one host (192.168.1.1)
        to NTP

PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123 

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
  PetesASA#

[/box]

Set the ASA to get its System Time from an External NTP Source

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. The IP address I’m using is in the UK if you want one more local look here.

[box]

PetesASA(config)#  ntp server 130.88.212.143 source outside

[/box]

3. To check on its status, simply execute a “show ntp status” command. BUT it will take a few minutes to synchronise, until it does you will see;

[box]

PetesASA(config)#  show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#

[/box]

When it is finally synchronised it will say;

[box]

PetesASA(config)#   show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec 
PetesASA(config)#

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Related Articles, References, Credits, or External Links

Set Cisco ASA for Kerberos Authentication