
Wednesday, 11 July 2012

Cisco ASA CSC - Access to certain websites is very slow with the Trend Security Module

Problems when you have a Cisco ASA 5510 and the CSC Module for Malware scanning.

Slow Website Access

The initial symptom is that a particular website loads much more slowly than normal. If you test the same website from another Internet connection the page loads within a few seconds, so the slowness only occurs from the network behind the Cisco ASA 5510 with the CSC Module.

Change ACL for the CSC Traffic

Some websites do not work well through the HTTP scanning in the CSC Module, so it is necessary to exclude them from being scanned. This is controlled by the ACL that selects the CSC traffic.
In this example we want to exclude one website by its IP address, so we change the ACL to first deny traffic to that host and then permit all other HTTP traffic. Traffic to that host matches the deny entry, so it is not included in the class map my_csc_class and therefore is not passed to the CSC Module for HTTP scanning. Note that a deny entry in an ACL used by "match access-list" does not block the traffic; it only keeps it out of the class, so the exempted site is reachable but unscanned. Keep the list of exemptions short and deliberate for that reason. Also be aware of the fail mode: "csc fail-close" drops the matched traffic if the CSC Module is down (for example while it reboots), whereas "csc fail-open" lets it through unscanned.
! exempt http traffic to the excluded host (deny = do not scan, it does not block)
access-list 101 deny tcp any host eq http
! catch everything else and send it to the CSC Module
access-list 101 permit tcp any any eq http
! the class matches only the permitted entries of the ACL
class-map my_csc_class
match access-list 101
! fail-close drops matched traffic if the module is unavailable
policy-map my_csc_policy
class my_csc_class
csc fail-close
service-policy my_csc_policy interface inside

Cisco ASA logs

The command show access-list csc_out displays the ACL that matches the traffic to be scanned, with a hit count for each entry. I have added the line
access-list csc_out extended deny tcp host
The IP address is the real address of the site I want to exclude. After loading the site, the hit count is 8 on the deny entry and 150 on the permit entry: the connections to the excluded host land on the deny entry and bypass scanning, while every other HTTP connection lands on the permit entry and is scanned as before. In this instance the site went from a load time of over 2 minutes to under 10 seconds, so excluding the IP address of the site in the ACL resolved the issue. Because the exemption is by IP address, check the hit counts again if the site becomes slow later: if the site moves to a new address or is served from several addresses, the deny entry stops accumulating hits and the traffic is scanned again.
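The hit-count check above can be scripted. The following is an added example, not code from the original post: it parses the output of show access-list in the usual ASA format (an assumption about that format), then reports whether the exemption for a given host exists, sits before the catch-all permit, and is actually being hit. The sample output is constructed, and the address 203.0.113.10 is a documentation address standing in for the site's real IP.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show access-list csc_out` output. The format
# (line number, action, rule, "(hitcnt=N)") is assumed to follow the ASA's
# usual output; 203.0.113.10 is a placeholder for the exempted site.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list csc_out; 2 elements; name hash: 0x1a2b3c4d
access-list csc_out line 1 extended deny tcp any host 203.0.113.10 eq www (hitcnt=8) 0xa1b2c3d4
access-list csc_out line 2 extended permit tcp any any eq www (hitcnt=150) 0xe5f6a7b8
"""

# Constructed failure case: the deny entry was added after the catch-all
# permit, so the permit shadows it and it never accumulates hits.
SAMPLE_MISORDERED = """\
access-list csc_out; 2 elements; name hash: 0x1a2b3c4d
access-list csc_out line 1 extended permit tcp any any eq www (hitcnt=158) 0xe5f6a7b8
access-list csc_out line 2 extended deny tcp any host 203.0.113.10 eq www (hitcnt=0) 0xa1b2c3d4
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<rule>.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    rule: str
    hits: int


def parse_access_list(text):
    """Return the access-control entries found in `show access-list` output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # summary lines (no "line N") are skipped
            aces.append(Ace(m["acl"], int(m["line"]), m["action"],
                            m["rule"], int(m["hits"])))
    return aces


def check_csc_exemption(aces, exempt_host):
    """Describe whether the CSC exemption for exempt_host is effective.

    In an ACL used by `class-map ... match access-list`, a deny entry means
    "do not hand this traffic to the CSC module". The exemption only works if
    (a) a deny entry naming the host exists, (b) it precedes every permit that
    would otherwise match, and (c) it is actually accumulating hits.
    """
    host_re = re.compile(rf"\bhost {re.escape(exempt_host)}\b")
    denies = [a for a in aces if a.action == "deny" and host_re.search(a.rule)]
    permits = [a for a in aces if a.action == "permit"]
    result = {
        "found": bool(denies),
        "ordered": False,
        "hit": False,
        "deny_hits": 0,
        "permit_hits": sum(p.hits for p in permits),
    }
    if denies:
        d = denies[0]
        result["deny_hits"] = d.hits
        result["hit"] = d.hits > 0
        result["ordered"] = all(d.line < p.line for p in permits)
    result["effective"] = result["found"] and result["ordered"] and result["hit"]
    return result


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_SHOW_ACCESS_LIST),
                        ("misordered", SAMPLE_MISORDERED)):
        print(label, check_csc_exemption(parse_access_list(text), "203.0.113.10"))
```

Run it against a fresh capture after clearing the counters with clear access-list csc_out counters and reloading the site once; an exemption that reports found but not hit usually means the site has moved to a different address or is served from several, and the traffic is going through the scanner again.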
