ASA: Send Network Traffic from the ASA to the

CSCSSM Configuration Example

Document ID: 99141
Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Configure
ASA CSC SSM Flow Diagram
CSC Initial Setup
How to Configure ASA to Divert Traffic to CSCSSM
Network Diagram
ASA Configuration
CSC Home Page
CSC Setup
SMTP Configuration
Trend Micro SMTP Configuration
HTTP Configuration
Scanning
File Blocking
URL Blocking
URL Filtering
FTP Configuration
Trend Micro FTP Configuration
Verify
Troubleshoot
Internet Access
License violation errors
Performance Issue
Troubleshooting Commands
Related Information

Introduction
This document provides a sample configuration for how to send network traffic from the Cisco ASA 5500
Series Adaptive Security Appliance (ASA) to the Content Security and Control Security Services Module
(CSCSSM).
The CSCSSM provides protection against viruses, spyware, spam, and other unwanted traffic. It
accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptive
security appliance. In order to force the ASA to divert the traffic to the CSCSSM, you need to use Modular
Policy Framework.
Refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example in order to send
network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the
Advanced Inspection and Prevention Security Services Module (AIPSSM) (IPS) module.

Note: The CSCSSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of the
packet that requests the connection is the wellknown port for the specified protocol. The CSCSSM can scan
only these connections:
FTP connections opened to TCP port 21
HTTP connections opened to TCP port 80
POP3 connections opened to TCP port 110
SMTP connections opened to TCP port 25

Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
A basic understanding of how to configure Cisco ASA 5500 Series runs software version 7.1 and
later.
The CSCSSM has been installed.

Components Used
The information in this document is based on these software and hardware versions:
ASA 5520 with software version 7.1 and later
CSCSSM10 with software version 6.1
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information
The CSCSSM maintains a file that contains signature profiles of suspicious content, updated regularly from
an update server at Trend Micro. The CSCSSM scans traffic it receives from the adaptive security appliance
and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to
the adaptive security appliance for routing, or blocks and reports content that is suspicious.
By default, CSCSSM comes with a base license that provides these features:
Detects and takes action on viruses and malware in the network traffic
Blocks compressed or very large files that exceed specified parameters
Scans for and remove spyware, adware, and other types of grayware
Additionally, if it is equipped with a Plus License, it also performs these tasks:
Reduces spam and protect against phishing fraud in your SMTP and POP3 traffic
Sets up content filters that enable you to allow or prohibit email traffic that contain key words or
phrases

 Filters/Blocks URLs that you do not want users to access, or URLs that are known to have hidden or
malicious purposes
Note: The CSCSSM can scan FTP file transfers only when FTP inspection is enabled on the ASA. By
default, FTP inspection is enabled.
Note: The CSCSSM cannot support Stateful Failover because the CSCSSM does not maintain connection
information, and therefore cannot provide the failover unit with the required information for Stateful Failover.
The connections that a CSCSSM is scanning are dropped when the security appliance in which the
CSCSSM is installed fails. When the standby adaptive security appliance becomes active, it forwards the
scanned traffic to the CSCSSM and the connections are reset.

Configure
In a network in which the adaptive security appliance is deployed with the CSCSSM, you configure the
adaptive security appliance to send to the CSCSSM only the types of traffic that you want to be scanned.
Note: Use the Command Lookup Tool ( registered customers only) to obtain more information on the commands
used in this section.

ASA CSC SSM Flow Diagram

This diagram shows the flow of traffic within ASA and CSCSSM:

In this example, clients can be network users who access a web site, download files from an FTP server, or
retrieve mail from a POP3 server.
In this configuration, this is how the traffic flows:
1. The client initiates a request.
2. The adaptive security appliance receives the request and forwards it to the Internet.
3. When the requested content is retrieved, the adaptive security appliance determines whether its
service policies define this content type as one that should be diverted to the CSCSSM for scanning,
and does so if appropriate.

4. The CSCSSM receives the content from the adaptive security appliance, scans it and compares it to
its latest update of the Trend Micro content filters.
5. If the content is suspicious, the CSCSSM blocks the content and reports the event. If the content is
not suspicious, the CSCSSM forwards the requested content back to the adaptive security appliance
for routing.

CSC Initial Setup

In the initial setup, several parameters need to be configured. Make sure you have gathered the information
required for these parameters before you begin.
As the first step to configure the CSCSSM, launch the Cisco ASDM. By default, you can access the
CSCSSM through the management IP address of the ASA at https://192.168.1.1/. You need to ensure that
your PC and the management interface of ASA are in the same network. Alternatively, you can download the
ASDM Launcher for subsequent accesses.
Configure these parameters with the ASDM:
1. Once in main ASDM window, choose Configuration > Trend Micro Content Security > Wizard
Setup and click Launch Setup Wizard.

2. Activation key:
The first step to obtain the activation key is to identify the Product Authorization Key (PAK) shipped
along with the product. It contains a barcode and 11 hexadecimal characters. For example, a sample
PAK can be 120106C7D4A.
Use the PAK to register the CSCSSM at Product License Registration ( registered customers only)
webpage. After you register, you receive activation keys by email.

3. Management port IP parameters:

Specify IP address, netmask and gateway IP address for the CSC Management interface.
DNS server addressIP address for the Primary DNS server.

4. Hostname and Domain name of the CSCSSMSpecify a host name as well as the domain name of
the CSCSSM.
Incoming domainDomain name used by the local mail server as the incoming email domain.
Note: AntiSPAM policies are applied only to email traffic that come into this domain.
Notification settingsAdministrator email address and the email server IP address and port to be
used for notifications.

5. Management host access parameters:

Enter the IP address and mask for each subnet and host that should have management access to the
CSCSSM.
Note: By default, all networks have management access to the CSCSSM. For security purposes,
Cisco recommends that you restrict access to specific subnets or management hosts.

6. New password for CSCSSM:

Change the default password, cisco, to a new password for management access.

7. In step 6 of the CSC Setup Wizard, specify the type of traffic to be scanned.

The adaptive security appliance diverts packets to the CSCSSM after firewall policies are applied
but before the packets exit the egress interface. For example, packets that are blocked by an access list
are not forwarded to the CSCSSM.
Configure service policies to specify which traffic the adaptive security appliance should divert to the
CSCSSM. The CSCSSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the wellknown
ports for those protocols.
In order to simplify the initial configuration process, this procedure creates a global service policy that
diverts all traffic for the supported protocols to the CSCSSM, both inbound and outbound. Because
scanning all traffic that comes through the adaptive security appliance can reduce the performance of
the adaptive security appliance and the CSCSSM, you want to revise this security policy later. For
example, it is not usually necessary to scan all traffic that comes from your inside network because it
comes from a trusted source. If you refine the service policies so that the CSCSSM scans only traffic
from untrusted sources, you can achieve your security goals and maximize the performance of the
adaptive security appliance and the CSCSSM.
Complete these steps in order to create a global service policy that identifies traffic to be scanned:

a. Click Add in order to add a new type of traffic.

b. Choose Global from the Interface dropdown list.
c. Leave the Source and Destination fields set to Any.
d. In the Service are, click the ellipsis (...) radio button. In this dialog box, choose a predefined
service or click Add in order to define a new service.
e. In the If CSC card fails, then area, choose whether the adaptive security appliance should
permit or deny selected traffic if the CSCSSM is unavailable.
f. Click OK in order to return to the Traffic Selection for CSC Scan window.
g. Click Next.
8. In step 7 of the CSC Setup Wizard, review configuration settings you entered for the CSCSSM.

If you are satisfied with these settings, click Finish.

The ASDM shows a message that indicates that the CSC device is now active.
By default, the CSCSSM is configured to perform content security scans enabled by the license you
purchased, which can include antivirus, antispam, antiphishing, and content filtering. It is also
configured to get periodic updates from the Trend Micro update server.
If included in the license you purchased, you can create custom settings for URL blocking and URL
filtering, as well as email and FTP parameters. See the Cisco Content Security and Control SSM
Administrator Guide for more information.

How to Configure ASA to Divert Traffic to CSCSSM

In order to force the ASA to divert the traffic to the CSCSSM, you need to use Modular Policy Framework.
Complete these steps in order to accomplish the identification and diversion of the traffic to CSCSSM:
1. Create an access list that matches the traffic you want scanned by the CSCSSM, in order to divert
the traffic to CSCSSM, with the accesslist extended command:
hostname(config)#accesslist aclname extended {deny | permit} protocol src_ip mask

2. Create a class map in order to identify the traffic that should be diverted to the CSCSSM with the
classmap command:
hostname(config)#classmap class_map_name

3. Once in class map configuration mode, use the match accesslist command in order to identify the
traffic with the use of the accesslist previously specified:

hostname(configcmap)#match accesslist aclname

hostname(configcmap)#exit

4. Create a policy map in order to send traffic to the CSCSSM with the policymap command:
hostname(config)#policymap policy_map_name

5. Once in the policy map configuration mode, use the class command in order to specify the class map,
previously created, that identifies the traffic to be scanned:
hostname(configpmap)#class class_map_name

6. Once in policy map class configuration mode, you can configure these:
If you want to enforce a perclient limit for simultaneous connections that the adaptive
security appliance diverts to the CSCSSM, use the set connection command, as follows:
hostname(configpmapc)#set connection perclientmax n

where n is the maximum simultaneous connections the adaptive security appliance allows for
each client. This command prevents a single client from abusing the services of the
CSCSSM or any server protected by the SSM, which includes the prevention of attempts at
DoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSCSSM protects.
Use the csc command in order to control how the ASA handles traffic when the CSCSSM is
unavailable:
hostname(configpmapc)#csc {failclose | failopen}

where failclose specifies that the ASA should block traffic if the CSCSSM fails and in
contrast, failopen specifies that the ASA should allow traffic if the CSCSSM fails.
Note: This applies to the traffic selected by the class map only. Other traffic not sent to the
CSCSSM is not affected by a CSCSSM failure.
7. Lastly, apply the policy map globally or to a specific interface with the servicepolicy command:

hostname(configpmapc)#servicepolicy policy_map_name [global | interface interface

where interface_ID is the name assigned to the interface with the nameif command.
Note: Only one global policy is allowed. You can override the global policy on an interface with the
application of a service policy to that interface. You can only apply one policy map to each interface.

Network Diagram
This diagram is an example of an ASA 5500 configured for these parameters:

The summary of the network diagram illustrates these:

HTTP connection to the outside networks
FTP connection from clients inside the security appliance to the servers outside the security appliance
POP3 clients from the clients inside the security appliance to the servers outside the security
appliance.
Incoming SMTP connections designated to the inside mail server

ASA Configuration
ASA5520
ciscoasa(config)#show runningconfig
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domainname Security.lab.com
enable password 2kxsYuz/BehvglCF encrypted
no names
dnsguard
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
securitylevel 0
ip address 172.30.21.222 255.255.255.0
!
interface GigabitEthernet0/1
description INSIDE
nameif inside
securitylevel 100
ip address 192.168.5.1 255.255.255.0
!

! Output suppressed
accesslist cscacl remark Exclude CSC module traffic from being scanned
accesslist cscacl deny ip host 10.89.130.241 any
! In order to improve the performance of the ASA and CSC Module.
! Any traffic from CSC Module is excluded from the scanning.
accesslist cscacl remark Scan Web & Mail traffic

accesslist cscacl permit tcp any any eq www

accesslist cscacl permit tcp any any eq smtp
accesslist cscacl permit tcp any any eq pop3
!
! All Inbound and Outbound traffic for WEB, Mail services is scanning.

accesslist cscaclftp permit tcp any any eq ftp

! All Inbound and Outbound traffic for FTP service is scanning.
classmap cscclass
match accesslist cscacl
!
classmap cscftpclass
match accesslist cscaclftp
!
policymap global_policy
class cscclass
csc failopen
class cscftpclass
csc failopen
policymap global_policy
class inspection_default
! Inspect FTP traffic for scanning.
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
servicepolicy global_policy global

! Output suppressed

CSC Home Page

CSC Setup
Trend Micro InterScan for Cisco CSCSSM provides protection for major traffic protocols, such as SMTP,
HTTP, and FTP, as well as POP3 traffic, in order to ensure that employees do not accidentally introduce
viruses from their personal email accounts.
Choose Configuration > Trend Micro Content Security in order to open the CSCSSM. From the

Configuration menu, choose from these configuration options:

CSC SetupLaunches the Setup Wizard to install and configure the CSCSSM
WebConfigures Web scanning, file blocking, URL filtering, and URL blocking
MailConfigures scanning, content filtering, and spam prevention for incoming and outgoing SMTP
and POP3 email
File TransferConfigures file scanning and blocking
UpdatesSchedules updates for content security scanning components, for example, virus pattern
file, scan engine, and so forth
The Web, Mail, File Transfer, and Updates options are described in more detail in these chapters:
MailConfiguring SMTP and POP3 Mail Traffic
Web and File TransferConfiguring Web (HTTP) and File Transfer (FTP) Traffic
UpdatesManaging Updates and Log Queries
This example shows how to configure a CSCSSM to scan the incoming SMTP message to the internal
network network.
The incoming SMTP messages are diverted to the CSCSSM for scanning. In this example, all the traffic
from outside to access the inside mail server (192.168.5.2/24) for SMTP services are diverted to the
CSCSSM.
accesslist csc_inbound extended permit tcp any host 192.168.5.2 eq smtp

These default settings give you some protection for your email traffic after you install Trend Micro
InterScan for Cisco CSCSSM.

SMTP Configuration
Trend Micro SMTP Configuration
Complete these steps in order to configure the CSCSSM to scan the incoming SMTP message using ASDM:

1. Choose Configuration > Trend Micro Content Security > Mail in ASDM and click Configure
Incoming Scan in order to display the SMTP Incoming Message Scan/Target window.

2. The window takes you to the Trend Micro InterScan for Cisco CSCSSM Login prompt. Enter the
CSCSSM Password.

3. The SMTP Incoming Message Scan window has these three views:
Target
Action
Notification
You can switch among views if you click the appropriate tab for the information you want. The active
tab name appears in brown text; inactive tab names appear in black text. Use all three tabs in order to
configure virus scanning of incoming SMTP traffic.
Click Target in order to allow you to define the scope of activity upon which is acted.
The SMTP Incoming message scan is enabled by default.

4. In the Default Scanning section, All scannable files is selected by default. It scans regardless of the
file name extensions.

5. Configure the SMTP compressed file handling for incoming mail.

Configure to skip scanning of compressed files when one of these is true:

Decompressed file count is greater than 200.
Decompressed file size exceeds 20 MB.
Number of compression layers exceeds three.
Decompressed or compressed file size ratio is greater than 100 to 1.
Compressed files exceed specified scanning criteria.
Modify the default parameters of the Decompressed file count as 300 and Decompressed file size as
30 MB.

6. In the Scan for Spyware/Grayware section of these windows, which was shown in step 5, choose
the types of grayware you want detected by Trend Micro InterScan for Cisco CSCSSM. See the
online help for a description of each type of grayware listed.

Click Save in order to enable the new configuration

7. Click the Action tab, which allows you to define the action to be taken when a threat is detected.
Examples of actions are clean or delete.

These values are default action taken for the incoming mails.
For Messages with Virus/Malware Detection sectionClean the message or attachment in
which the malware was detected, and if the message or attachment is uncleanable, delete it.

For Spyware/Grayware DetectionsThese are the files to be delivered if the SMTP

messages in which spyware or grayware is detected.
Click Save in order to enable the new configuration
8. Click Notification tab, which allows you to compose a notification message, as well as define who is
notified of the event and the action.

If you are satisfied with the default notification setup, no further action is required. But, you can
review the notification options and decide whether you want to change the defaults. For example, you
can send a notification to the administrator when a security risk has been detected in an email
message. For SMTP, you can also notify the sender or recipient.
Check the Administrator and Recipient boxes for email notification. You can also tailor the default
text in the notification message to something more appropriate for your organization such as in this
screen shot.

9. In the Inline Notifications section of the window, choose one of the listed options, neither, or both.

In our example, choose Risk free message and type your own message in the field provided.

Click Save in order to enable the new configuration.

HTTP Configuration
Scanning
After installation, by default your HTTP and FTP traffic is scanned for viruses, worms, and Trojans. Malware
such as spyware and other grayware require a configuration change before they are detected.
These default settings give you some protection for your Web and FTP traffic after you install Trend Micro

InterScan for Cisco CSCSSM. You can change these settings. For example, you can prefer to use the Scan
by specified file extensions option rather than All Scannable Files for malware detection. Before you make
changes, review the online help for more information about these selections.
After installation, it is possible that you want to update additional configuration settings in order to obtain the
maximum protection for your Web and FTP traffic. If you purchased the Plus License, which entitles you to
receive URL blocking, antiphishing, and URL filtering functionality, you must configure these additional
features.
Complete these steps in order to configure the CSCSSM to scan the HTTP message with ASDM:
1. Click the Web (HTTP) in the Trend Micro page, and this Web Message Scan window has four views:
Target
Webmail Scanning
Action
Notification
Click the appropriate tab for the information you want in order to switch among views. The active tab
name appears in brown text; inactive tab names appear in black text. Use all tabs in order to configure
virus scanning of Web traffic.
Click the Target in order to allow you to define the scope of activity upon which is to be acted.
The HTTP message scan is enabled by default.
Enabled with the use of All Scannable Files as the scanning method.
Web (HTTP) compressed file handling for downloading from the WebConfigured to skip
scanning of compressed files when one of these is true:
Decompressed file count is greater than 200.
Decompressed file size exceeds 30 MB.
Number of compression layers exceeds three.
Decompressed or compressed file size ratio is greater than 100 to 1.

For Webmail scanningConfigured to scan Webmail sites for Yahoo, AOL, MSN, and Google.
2. Large File handling

The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size of
the largest download you want scanned. For example, you can specify that a download under 20 MB
is scanned, but a download larger than 20 MB is not scanned.
In addition, you can:
Specify large downloads to be delivered without scanning, which can introduce a security
risk.
Specify that downloads greater than the specified limit are deleted.
By default, the CSCSSM software specifies that files smaller than 50 MB are scanned. Modify as 75
MB. Files that are 75 MB and larger are delivered without scanning to the requesting client.

Deferred Scanning
The deferred scanning feature is not enabled by default. When enabled, this feature allows you to
begin to download data without scanning the entire download. Deferred scanning allows you to begin
to view the data without a prolonged wait while the entire body of information is scanned.
Note: If you do not enable the deferred scanning option, then you can face an unsuccessful update
through the CSC module.

Note: When deferred scanning is enabled, the unscanned portion of information can introduce a
security risk.
Note: Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the
CSCSSM software.
If deferred scanning is not enabled, the entire content of the download must be scanned before it is
presented to you. But, some client software can time out because of the time required to collect
sufficient network packets in order to compose complete files for scanning. This table summarizes the
advantages and disadvantages of each method.
Scan for Spyware and Grayware
Grayware is a category of software that can be legitimate, unwanted, or malicious. Unlike threats such
as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it can violate
your privacy. Examples of grayware include spyware, adware, and remote access tools.
Spyware or grayware detection is not enabled by default. You must configure this feature in these
windows in order to detect spyware and other forms of spyware and other grayware in your Web and
file transfer traffic:
Click Save in order to update your configuration.
3. You can switch to the Scanning Webmail tab in order to scan Webmail sites for Yahoo, AOL, MSN,
and Google.
Note: If you elect to scan only Webmail, HTTP scanning is restricted to the sites specified on the
Webmail Scanning tab of the Web (HTTP) > Scanning > HTTP Scanning window. Other HTTP
traffic is not scanned. Configured sites are scanned until you remove them when you click the
Trashcan icon.
In the Name field, enter the exact web site name, a URL keyword, and a string in order to define the
Webmail site.
Note: Attachments to messages that are managed on Webmail are scanned.
Click Save in order to update your configuration.

4. You can switch to the Action tab for the configuration of the Virus/Malware Detection and
Spyware/Grayware Detections.
Web (HTTP) downloads for files in which virus/malware is detectedClean the downloaded
file or file in which the malware was detected. If uncleanable, delete the file.
Web (HTTP) downloads and file transfers (FTP) for files in which spyware or grayware is
detectedFiles are deleted.

5. Web (HTTP) downloads when malware is detectedAn inline notification is inserted in the browser,
which states that Trend Micro InterScan for CSCSSM has scanned the file that you attempt to
transfer, and has detected a security risk.

File Blocking
In the left dropdown menu , click File Blocking.
This feature is enabled by default; however, you must specify the types of files you want blocked. File
blocking helps you enforce your organization policies for Internet use and other computing resources during
work time. For example, your company does not allow downloading of music, both because of legal issues as
well as employee productivity issues.

 On the Target tab of the File Blocking window, check the Executable check box in order to block
.exe.
You can specify additional file types by file name extension. Check the Block specified file
extensions check box in order to enable this feature.
Then, enter additional file types in the File extensions to block field, and click Add. In the example,
.mpg files are blocked.
Click Save when you are finished in order to update the configuration.
Check the Administrator Notification box in order to send the default messages in the text box.
Click the Notification tab for the alert message.

URL Blocking
This section describes the URL blocking feature and includes these topics:
Blocking from the Via Local List Tab
Blocking from the Via Pattern File (PhishTrap) Tab

Note: This feature requires the Plus License.

The URL blocking feature helps you prevent employees from accessing prohibited web sites. For example, it
is possible that you want to block some sites because policies in your organization prohibit access to dating
services, online shopping services, or offensive sites.
You can also block sites that are known to perpetrate fraud, such as phishing. Phishing is a technique used by
criminals who send email messages that appear to be from a legitimate organization, which request you to
reveal private information such as bank account numbers. This image shows an example of an email
message used for phishing.

By default, URL blocking is enabled. But, only sites in the TrendMicro PhishTrap pattern file are blocked
until you specify additional sites for blocking.
Blocking from the Via Local List Tab
Complete these steps in order to configure URL blocking from the Via Local List tab:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure
URL Blocking in order to display the URL Blocking window.
2. On the Via Local List tab of the URL Blocking window, type the URLs you want to block in the
Match field. You can specify the exact web site name, a URL keyword, and a string.
3. Click Block after each entry in order to move the URL to the Block List. Click Do Not Block to add
the entry to Block List Exceptions in order to specify your entry as an exception. Entries remain as
blocked or exceptions until you remove them.
Note: You can also import a block and exception list. The imported file must be in a specific format.
See the online help for instructions.

Blocking from the Via Pattern File (PhishTrap) Tab

Complete these steps in order to configure URL file blocking from the Via Pattern File (PhishTrap) Tab:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click the Configure
URL Blocking link in order to display the URL Blocking window.
2. Then click the Via Pattern File (PhishTrap) tab.
3. By default, the Trend Micro PhishTrap pattern file detects and blocks known phishing sites, spyware
sites, virus accomplice sites that are sites associated with known exploits, and disease vectors, which
are web sites that exist only for malicious purposes. Use the Submit the Potential Phishing URL to
TrendLabs fields in order to submit sites that you think should be added to the PhishTrap pattern file.
TrendLabs evaluates the site and can add the site to this file if such action is warranted.
4. Click the Notification tab in order to review the text of the default message that appears in the
browser when an attempt is made to access a blocked site. The online help shows an example.
Highlight and redefine it in order to customize the default message.
5. Click Save when you are finished in order to update the configuration.

URL Filtering
There are two important section to be discussed here.

 Filtering Settings
Filtering Rules
The URLs defined on the URL Blocking windows described previously are either always allowed or
always disallowed. The URL filtering feature, however, allows you to filter URLs in categories,
which you can schedule to allow access during certain times, defined as leisure time, and disallow
access during work time.
Note: This feature requires the Plus License.
These are the six URL filtering categories:
Companyprohibited
Not work related
Research topics
Business function
Customer defined
Others
By default, companyprohibited sites are blocked during both work and leisure times.
Filtering Settings
Complete these steps in order to configure the URL filtering feature:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure
URL Filtering Settings in order to display the URL Filtering Settings window.
2. On the URL Categories tab, review the subcategories listed and the default classifications assigned to
each category to see whether the assignments are appropriate for your organization. For example,
Illegal Drugs is a subcategory of the Companyprohibited category. If your organization is a financial
services company, it is possible that you want to leave this category classified as
companyprohibited. Check the Illegal Drugs check box in order to enable filtering for sites related
to illegal drugs. But, if your organization is a law enforcement agency, you should reclassify the
Illegal Drugs subcategory to the Business function category. See the online help for more information
about reclassification.
3. After you have reviewed and refined the subcategory classifications, check the associated subcategory
in order to enable all the subcategories for which you want filtering performed.
4. If there are sites within some of the enabled subcategories that you do not want filtered, click the
URL Filtering Exceptions tab.
5. Type the URLs you want to exclude from filtering in the Match field. You can specify the exact web
site name, a URL keyword, and a string.
6. Click Add after each entry in order to move the URL to the Do Not Filter the Following Sites list.
Entries remain as exceptions until you remove them.
Note: You can also import an exception list. The imported file must be in a specific format. See the
online help for instructions.
7. Click the Schedule tab in order to define the days of the week and hours of the day that should be
considered work time. Time not designated as work time is automatically designated as leisure time.
8. Click Save in order to update the URL filtering configuration.
9. Click the Reclassify URL tab in order to submit suspect URLs to TrendLabs for evaluation.

Filtering Rules
After you have assigned the URL subcategories to the correct categories for your organization, defined
exceptions (if any), and created the work and leisure time schedule, assign the filtering rules that determine
when a category is filtering.
Complete these steps in order to assign the URL filtering rules:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click the Configure
URL Filtering Rules link in order to display the URL Filtering Rules window.
2. For each of the six major categories, specify whether the URLs in that category are blocked, and if so,
during work time, leisure time, or both. See the online help for more information.

3. Click Save in order to update the configuration.

Note: For URL Filtering to work correctly, the CSCSSM module must be able to send HTTP
requests to the Trend Micro service. If an HTTP proxy is required, choose Update > Proxy Settings
in order to configure the proxy setting. The URL Filtering component does not support the SOCKS4
proxy.

FTP Configuration
Trend Micro FTP Configuration
After installation, by default your FTP traffic is scanned for viruses, worms, and Trojans. Malware such as
spyware and other grayware require a configuration change before they are detected.
File transfer (FTP) scanning of file transfersEnabled using All Scannable Files as the scanning method.

Complete the steps given in the File Blocking page for HTTP Traffic.

Complete the steps given in the File Blocking page for HTTP Traffic.

Verify
Use this section in order to confirm that your configuration works properly.
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Although, the
OIT can be used to view an analysis of some show command outputs, these show commands currently are not
compatible with this tool.
show moduleIn order to check the status of an SSM, for example:
ciscoasa#show module
Mod Card Type

0 ASA 5520 Adaptive Security Appliance
1 ASA 5500 Series Security Services Module20
Mod

0
1

MAC Address Range

0014.c482.5151 to 0014.c482.5155
000b.fcf8.012c to 000b.fcf8.012c

Model

ASA5520
ASASSM20

Hw Version

1.1
1.0

Fw Version

1.0(10)0
1.0(10)0

Serial No.

JMX090000B7
JAF10333331

Sw Version

8.0(2)
Trend Micro InterSca

Mod SSM Application Name

Status
SSM Application Version

1 Trend Micro InterScan Security Up
Version 6.0
Mod

0
1

Status

Up Sys
Up

Data Plane Status

Compatibility

Not Applicable
Up

show module 1 detailsUse the details keyword in order to view additional information for the SSM,
for example:
ciscoasa#show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module20
Model:
ASASSM20
Hardware version:
1.0
Serial Number:
JAF10333331
Firmware version:
1.0(10)0
Software version:
Trend Micro InterScan Security Module Version 6.0
App. name:
Trend Micro InterScan Security Module
App. version:
Version 6.0

Data plane Status:

Status:
HTTP Service:
Mail Service:
FTP Service:
Activated:
Mgmt IP addr:
Mgmt web port:

Up
Up
Up
Up
Up
Yes
172.30.21.235
8443

show module slot_num recoverDetermines if there is a recovery configuration for the SSM. If a
recovery configuration exists for the SSM, the ASA displays it. For example:
ciscoasa#show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL:
tftp://10.21.18.1/idsoldimg
Port IP Address:
172.30.21.10
Port Mask:
255.255.255.0
Gateway IP Address: 172.30.21.254

Refer to Verifying Initial Setup for more information on how to verify that Trend Micro InterScan for Cisco
CSCSSM operates correctly.

Troubleshoot
This section provides information you can use to troubleshoot your configuration.

Internet Access
Problem
The CSC is unable to access the Internet through the ASA management interface or the CSC is unable to get
updates from the Trend server through the Internet. .
Solution
The management interface configures with the managementonly command and makes it only accept traffic
to or from the ASA, not through it. So remove the managementonly command and the NAT statement for
managementtooutside traffic then allows the Internet for CSC to update.

License violation errors

Problem
CSC module shows license violation errors and reports more hosts than what is in the network. The License
violation has been detected on the InterScan for CSC SSM error is seen in the CSC
module. How can this error be resolved?
Solution
Move all interfaces except the OutsideWAN (security level 0) to the higher security levels.

Performance Issue
Problem

The incoming SMTP traffic has become very slow. The inside mail server sometimes gets response from the
server that takes a couple of minutes or two to receive.
Solution
You possibly run into slow traffic due to outoforder packets. Try this example, which can resolve the
issue.
! Creates a new tcp map and allows for 100 out
of order packets
tcpmap localmap
queuelimit 100
! This is the class that defines traffic to sent to
the cscmodule. The name you use can be different.
Sets the localmap parameters to flow matching the class map.
policymap global_policy
class cscclass
set connection advancedoptions localmap

Troubleshooting Commands
The Output Interpreter Tool ( registered customers only) (OIT) supports certain show commands. Use the OIT in
order to view an analysis of show command output.
Refer to Troubleshooting Trend Micro InterScan for Cisco CSCSSM for more information on how to
troubleshoot various issues of the CSCSSM.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug modulebootShows debug messages about the SSM booting process.
hwmodule module 1 shutdownShutdown the SSM
hwmodule module 1 resetReset the SSM

Related Information
Cisco ASA 5500 Series Adaptive Security Appliances Product Support
Cisco Content Security and Control SSM Administrator Guide
Cisco Adaptive Security Device Manager Product Support
Technical Support & Documentation Cisco Systems

Contacts & Feedback | Help | Site Map

2008 2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.

Updated: Oct 18, 2007

Document ID: 99141