Cisco ASA 5505 Configuration Manual page 1157

Asa 5500 series
Chapter 55
Configuring the Content Security and Control Application on the CSC SSM
The second class of the inside-policy, inside-class, matches FTP, HTTP, and POP3 traffic between the
inside network and any destination. HTTP connections to the DMZ network are exempted because of the
inside-class1 setting. As previously mentioned, policies that apply CSC scanning to a specific interface
affect both incoming and outgoing traffic, but by specifying 192.168.10.0 as the source network,
inside-class1 matches only connections initiated by the hosts on the inside network.
In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network.
This setting protects the SMTP server and inside users who download e-mail from the SMTP server on
the DMZ network, without having to scan connections from SMTP clients to the server.
If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you can add
a rule to the outside policy that matches HTTP traffic from any source to the DMZ network. Because the
policy is applied to the outside interface, the rule would only match connections from HTTP clients
outside the adaptive security appliance.
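The rule matching described above, as a simplified Python model (an added example, not taken from the Cisco guide and not a description of how the appliance is implemented). The /24 masks, the DMZ network address 192.168.20.0, the sample host addresses, and first-match ordering within a policy are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed for illustration (not on the page): /24 masks, the DMZ network
# address, and first-match rule ordering inside each policy.
INSIDE = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")
FTP, SMTP, HTTP, POP3 = 21, 25, 80, 110

# interface -> ordered rules: (class name, scan?, source, destination, ports)
POLICIES = {
    "inside": [
        ("inside-class1", False, INSIDE, DMZ, {HTTP}),        # exemption
        ("inside-class", True, INSIDE, ANY, {FTP, HTTP, POP3}),
    ],
    "outside": [("outside-class", True, ANY, DMZ, {SMTP})],
}


def interface_for(addr):
    """Interface behind which an address sits."""
    if addr in INSIDE:
        return "inside"
    return "dmz" if addr in DMZ else "outside"


def csc_class(src, dst, dport, policies=POLICIES):
    """Return the class that sends this connection to the CSC SSM, or None.

    src is the host that initiates the connection. Only policies on the
    interfaces the connection crosses are consulted.
    """
    src, dst = ip_address(src), ip_address(dst)
    for iface in (interface_for(src), interface_for(dst)):
        for name, scan, rule_src, rule_dst, ports in policies.get(iface, []):
            if src in rule_src and dst in rule_dst and dport in ports:
                if scan:
                    return name
                break  # exempted by this policy; check the other interface
    return None


if __name__ == "__main__":
    for conn in [("192.168.10.5", "203.0.113.9", HTTP),    # inside -> Internet
                 ("192.168.10.5", "192.168.20.10", HTTP),  # inside -> DMZ web
                 ("203.0.113.9", "192.168.20.25", SMTP),   # outside -> DMZ mail
                 ("203.0.113.9", "192.168.20.10", HTTP)]:  # outside -> DMZ web
        print(conn, "->", csc_class(*conn))
```

Passing a `policies` dictionary whose outside list also holds a scan rule for HTTP from any source to the DMZ models the optional rule for uploads to the DMZ web server; inside-to-DMZ HTTP stays unscanned because that connection never crosses the outside interface.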
Licensing Requirements for the CSC SSM
The following table shows the licensing requirements for this feature:
Model      License Requirement
ASA 5505   No support.
ASA 5510   Security Plus License: 2 contexts. Optional license: 5 contexts.
ASA 5520   Base License: 2 contexts. Optional licenses: 5, 10, or 20 contexts.
ASA 5540   Base License: 2 contexts. Optional licenses: 5, 10, 20, or 50 contexts.
For the ASA 5510, 5520, and 5540:
With a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering,
webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates.
With a Security Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering,
POP3 anti-spam, URL blocking, and URL filtering.
Prerequisites for the CSC SSM
The CSC SSM has the following prerequisites:
A CSC SSM card must be installed in the adaptive security appliance.
A Product Authorization Key (PAK) for use in registering the CSC SSM.
Activation keys that you receive by e-mail after you register the CSC SSM.
The management port of the CSC SSM must be connected to your network to allow management
and automatic updates of the CSC SSM software.
The CSC SSM management port IP address must be accessible by the hosts used to run ASDM.
You must obtain the following information to use in configuring the CSC SSM:

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
