Cisco PIX 500 Series Configuration Manual page 427

Security appliance command line
Chapter 22
Managing the AIP SSM and CSC SSM
where n is the maximum number of simultaneous connections the adaptive security appliance allows per client.
This command prevents a single client from monopolizing the CSC SSM or any server that the SSM protects,
including attempted DoS attacks against the HTTP, FTP, POP3, or SMTP servers behind it. The limit is counted
per client source address, so choose n with address-sharing devices (NAT gateways, proxies) in mind.
Step 7
Assign the traffic identified by the class map as traffic to be sent to the CSC SSM with the csc command:
hostname(config-pmap-c)# csc {fail-close | fail-open}
The fail-close and fail-open keywords control how the adaptive security appliance handles traffic when
the CSC SSM is unavailable: with fail-close, traffic that the policy would divert to the SSM is dropped while
the SSM is down; with fail-open, that traffic is passed through unscanned. For more information about the
operating modes and failure behavior, see the "About the CSC SSM" section on page 22-10.
Step 8
Apply the policy map globally or to a specific interface with the service-policy command, from global
configuration mode:
hostname(config)# service-policy policy_map_name [global | interface interface_ID]
where policy_map_name is the policy map you configured in Step 4. To apply the policy map to traffic on all
the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the
interface interface_ID option, where interface_ID is the name assigned to the interface with the
nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.
The adaptive security appliance begins diverting traffic to the CSC SSM as specified.
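The following script is an added example, not code from the guide or from Cisco. It audits a saved configuration offline, resolving access-list to class-map to policy-map to service-policy the way the procedure above builds them, and answers the two questions a reviewer asks of Steps 7 and 8: which flows does each interface divert to the CSC SSM, and what happens to them when the SSM is down. The sample configuration is constructed, modelled on the access lists of Example 22-1; its inbound policy is deliberately given csc fail-open and no per-client cap so that the audit has something to flag. Two assumptions: the per-client limit from the previous step is expressed with the ASA syntax set connection per-client-max n, and the global/interface override rule is simplified to "interface policy first, global policy only when the interface policy does not match".

```python
"""Offline audit of ASA/PIX CSC SSM service policies (added example, not Cisco's code)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Service names the ASA may print instead of numbers in "eq" clauses.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110}

# Constructed sample, modelled on the access lists of Example 22-1. The inbound policy is
# deliberately fail-open with no per-client cap so the audit flags it. The cap syntax
# "set connection per-client-max n" is an assumption about how the limit is configured.
SAMPLE_CONFIG = """
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
class-map csc_outbound_class
 match access-list csc_out
policy-map csc_out_policy
 class csc_outbound_class
  set connection per-client-max 50
  csc fail-close
service-policy csc_out_policy interface inside
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
class-map csc_inbound_class
 match access-list csc_in
policy-map csc_in_policy
 class csc_inbound_class
  csc fail-open
service-policy csc_in_policy interface outside
"""


def _addr(t, i):
    """Consume one ACE address spec (any | host A | A MASK) at t[i]; return (network, next)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Build dicts of ACLs, class-maps, policy-maps and service-policy bindings."""
    cfg = {"acls": {}, "class_maps": {}, "policy_maps": {}, "service_policies": []}
    cmap = pmap = cls = None  # current submode context, like the CLI prompt
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":  # access-list NAME permit|deny tcp SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst, port))
        elif t[0] == "class-map":
            cmap, pmap, cls = t[1], None, None
        elif t[:2] == ["match", "access-list"] and cmap:
            cfg["class_maps"][cmap] = t[2]
        elif t[0] == "policy-map":
            pmap, cmap, cls = t[1], None, None
            cfg["policy_maps"].setdefault(pmap, {})
        elif t[0] == "class" and pmap:
            cls = t[1]
            cfg["policy_maps"][pmap][cls] = {"csc": None, "per_client_max": None}
        elif t[0] == "csc" and pmap and cls:
            cfg["policy_maps"][pmap][cls]["csc"] = t[1]
        elif t[:3] == ["set", "connection", "per-client-max"] and pmap and cls:
            cfg["policy_maps"][pmap][cls]["per_client_max"] = int(t[3])
        elif t[0] == "service-policy":  # service-policy NAME global | interface IF
            cfg["service_policies"].append((t[1], "global" if t[2] == "global" else t[3]))
    return cfg


def acl_permits(cfg, acl, src, dst, port):
    """First matching ACE decides; no match is the implicit deny. A deny ACE therefore
    excludes a flow from the class, which is how Example 22-1 keeps inside->DMZ HTTP
    away from the SSM."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, p in cfg["acls"].get(acl, []):
        if src in s_net and dst in d_net and (p is None or p == port):
            return action == "permit"
    return False


def csc_disposition(cfg, interface, src, dst, port):
    """'fail-close' / 'fail-open' if the flow is diverted to the CSC SSM on this
    interface, else None. Interface policy first, global policy only as fallback."""
    order = [p for p, s in cfg["service_policies"] if s == interface]
    order += [p for p, s in cfg["service_policies"] if s == "global"]
    for pm in order:
        for cls, act in cfg["policy_maps"].get(pm, {}).items():
            acl = cfg["class_maps"].get(cls)
            if act["csc"] and acl and acl_permits(cfg, acl, src, dst, port):
                return act["csc"]
    return None


def audit(cfg):
    """Findings a reviewer raises: fail-open scanning, uncapped clients, unapplied
    policy maps, and more than one global service-policy."""
    out, bound = [], {p for p, _ in cfg["service_policies"]}
    if sum(1 for _, s in cfg["service_policies"] if s == "global") > 1:
        out.append("more than one global service-policy (only one is allowed)")
    for pm, classes in cfg["policy_maps"].items():
        if pm not in bound:
            out.append(f"{pm}: defined but never applied with service-policy")
        for cls, act in classes.items():
            if act["csc"] == "fail-open":
                out.append(f"{pm}/{cls}: fail-open passes traffic unscanned while the SSM is down")
            if act["csc"] and act["per_client_max"] is None:
                out.append(f"{pm}/{cls}: no per-client connection cap on CSC-scanned traffic")
    return out


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for iface, s, d, p in [("inside", "192.168.10.5", "203.0.113.10", 80),
                           ("inside", "192.168.10.5", "192.168.20.7", 80),
                           ("outside", "198.51.100.4", "192.168.20.7", 25)]:
        print(iface, s, "->", d, p, ":", csc_disposition(cfg, iface, s, d, p))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Run it against the output of show running-config (only the extended ACE forms used on this page are parsed; names for ports beyond the small PORT_NAMES table need to be added). The useful property is the negative answer: inside-to-DMZ HTTP on port 80 returns None because the deny ACE is hit first, which is exactly the exclusion the text describes, and a fail-open class shows up as a finding rather than being buried in the running configuration.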
Example 22-1 is based on the network shown in Figure 22-7 and shows the creation of two service
policies:
Example 22-1 Service Policies for a Common CSC SSM Scanning Scenario
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class
hostname(config-cmap)# match access-list csc_out
hostname(config)# policy-map csc_out_policy
hostname(config-pmap)# class csc_outbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_out_policy interface inside
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class
(The remainder of Example 22-1 is on the following page of the guide.)
The first policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to
ensure that all outbound requests for FTP and POP3 are scanned. The csc_out access list also
ensures that HTTP connections from inside to networks on the outside interface are scanned, but it
includes a deny ACE to exclude HTTP connections from inside to servers on the DMZ network. Because
ACEs are evaluated in order and the first match decides, the deny ACE must precede the permit ACE for
port 80, as it does here; a deny match keeps the traffic out of the class, so it is not diverted.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list
to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the
DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from
malicious HTTP file uploads.
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
22-17

This manual is also suitable for: ASA 5500 series