Diverting Traffic to the CSC SSM - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03)
Chapter 22: Managing the AIP SSM and CSC SSM

Managing the CSC SSM

For use of the set connection command to protect the CSC SSM and the destinations of connections it scans, see the "Diverting Traffic to the CSC SSM" section on page 22-16.

Diverting Traffic to the CSC SSM

You use Modular Policy Framework commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to divert traffic to the CSC SSM, review Chapter 21, "Using Modular Policy Framework," which introduces Modular Policy Framework concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps:

Step 1
Create an access list that matches the traffic you want scanned by the CSC SSM with the access-list extended command. Create as many ACEs as are needed to match all the traffic. For example, to specify FTP, HTTP, POP3, and SMTP traffic, you need four ACEs. For guidance on identifying the traffic you want to scan, see the "Determining What Traffic to Scan" section on page 22-13.

Step 2
Create a class map to identify the traffic that should be diverted to the CSC SSM with the class-map command:

hostname(config)# class-map class_map_name
hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 3
With the access list you created in Step 1, use a match access-list command to identify the traffic to be scanned:

hostname(config-cmap)# match access-list acl-name

where acl-name is the name of the access list.

Step 4
Create a policy map or modify an existing policy map that you want to use to send traffic to the CSC SSM with the policy-map command:

hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 5
Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows.

hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.

Step 6
If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC SSM, use the set connection command, as follows:

hostname(config-pmap-c)# set connection per-client-max n
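
The following is an added example, not part of the Cisco guide: a short Python check that walks a staged configuration along the chain built in Steps 1 through 6 (policy map, class, class map, access list) and reports which ports each diverted class matches and whether a per-client limit is set. The names csc_out, csc_class and csc_policy, the 192.168.10.0 network, the limit of 5 and the audit() function are assumptions made for illustration; the sample configuration is constructed.

```python
# Constructed sample: Steps 1-6 with example names, an example inside
# network and an example per-client limit (all assumptions, not from the guide).
SAMPLE = """\
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 110
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 25
class-map csc_class
 match access-list csc_out
policy-map csc_policy
 class csc_class
  set connection per-client-max 5
"""

def audit(config):
    """Follow policy-map -> class -> class-map -> ACL; return one dict per class."""
    acl_ports, cmap_acl, results = {}, {}, []
    cmap = pmap = entry = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "access-list" and "permit" in words and words[-2] == "eq":
            acl_ports.setdefault(words[1], []).append(words[-1])   # Step 1 ACEs
        elif words[0] == "class-map" and len(words) > 1:
            cmap = words[1]                                        # Step 2
        elif words[:2] == ["match", "access-list"] and cmap and len(words) > 2:
            cmap_acl[cmap] = words[2]                              # Step 3
        elif words[0] == "policy-map" and len(words) > 1:
            pmap, entry = words[1], None                           # Step 4
        elif words[0] == "class" and pmap and len(words) > 1:
            entry = {"policy": pmap, "class": words[1], "limit": None}
            results.append(entry)                                  # Step 5
        elif words[:3] == ["set", "connection", "per-client-max"] \
                and entry and len(words) > 3:
            entry["limit"] = int(words[3])                         # Step 6
    for entry in results:
        acl = cmap_acl.get(entry["class"])
        entry["acl"] = acl
        entry["ports"] = list(acl_ports.get(acl, []))
        entry["problems"] = [msg for bad, msg in (
            (acl is None, "class map missing or has no match access-list"),
            (acl is not None and acl not in acl_ports, "access list has no permit ACEs"),
            (entry["limit"] is None, "no per-client connection limit"),
        ) if bad]
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A class whose access list name does not resolve matches no traffic, so nothing is diverted for scanning; the check reports that case instead of passing silently.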


This manual is also suitable for:

ASA 5500 Series
