Cisco ASA 5505 Configuration Manual page 1156

Asa 5500 series

Chapter 55 Configuring the Content Security and Control Application on the CSC SSM
Information About the CSC SSM
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 55-4

Based on the configuration shown in Figure 55-3, configure the adaptive security appliance to divert to
the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections
to the outside network, and incoming SMTP connections from outside hosts to the mail server on the
DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the
DMZ network.

Figure 55-3 Common Network Configuration for CSC SSM Scanning
[Figure labels: Adaptive Security Appliance; inside, 192.168.10.0; outside, 192.168.30.0; (dmz), 192.168.20.0; Web server; Mail server; Internet]

There are many ways you could configure the adaptive security appliance to identify the traffic that you
want to scan. One approach is to define two service policies: one on the inside interface and the other on
the outside interface, each with access lists that match traffic to be scanned.

Figure 55-4 shows service policy rules that select only the traffic that the adaptive security appliance
should scan.

Figure 55-4 Optimized Traffic Selection for CSC Scans

In the inside-policy, the first class, inside-class1, ensures that the adaptive security appliance does not
scan HTTP traffic between the inside network and the DMZ network. The Match column indicates this
setting by displaying the "Do not match" icon. This setting does not mean the adaptive security appliance
blocks traffic sent from the 192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. Instead,
this setting exempts the traffic from being matched by the service policy applied to the inside interface,
which prevents the adaptive security appliance from sending the traffic to the CSC SSM.
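The traffic selection described above, written as ASA CLI configuration. This is an added example, not taken from the manual page: the ACL, class-map and outside policy names, the /24 masks, the single-ACL layout on the inside interface, and the csc fail-close choice are assumptions. It shows the "Do not match" rule as a deny ACE placed ahead of the permit ACEs, so inside-to-DMZ HTTP is left out of the class instead of being dropped.

```cisco
! Constructed CLI sketch of the service policy rules described above.
! Names csc_out, csc_in, csc_outbound_class, csc_inbound_class and
! outside-policy are illustrative; /24 masks are assumed.

! Inside interface. The ACL is evaluated first match wins.
! The deny ACE does NOT block inside-to-DMZ HTTP; it only keeps that
! traffic out of the class, so it is never diverted to the CSC SSM.
access-list csc_out extended deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq pop3

class-map csc_outbound_class
 match access-list csc_out

policy-map inside-policy
 class csc_outbound_class
  ! fail-close: matched traffic is blocked while the CSC SSM is unavailable.
  ! fail-open would let it pass unscanned. The choice here is an assumption.
  csc fail-close

service-policy inside-policy interface inside

! Outside interface. Only inbound SMTP toward the DMZ is diverted.
! The page gives no mail server host address, so the DMZ network is used;
! a host ACE for the mail server would be narrower.
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq smtp

class-map csc_inbound_class
 match access-list csc_in

policy-map outside-policy
 class csc_inbound_class
  csc fail-close

service-policy outside-policy interface outside
```

Because the deny ACE only exempts traffic from the class, whether inside hosts can reach the DMZ web server is still decided by the interface access rules, not by this policy.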
