ASA 5510 Remote Site Internet Access

Unanswered Question
Oct 9th, 2007
I'm setting up a new ASA 5510 and have 5 remote sites that connect back with site-to-site tunnels. We want to force their internet access through our Websense server. I know I can do split tunneling but this won't force it to go through Websense. Is there any way to allow the VPN traffic that comes in to go back out the connection for internet access of the centralized ASA?

Overall Rating: 4 (1 ratings)
gates1150 Tue, 10/09/2007 - 06:37

Thanks, that is exactly what I was looking for.

1cmerchant Tue, 10/09/2007 - 06:29

If you are using ASA 5505s or similar at the remote locations you can use the 'url-server' and 'filter' commands to have your centralized Websense server approve HTTP connections. If you have Internet traffic going out locally through the remote ASAs you can still require that the Websense server approve connectivity.

Check the ASA v7.2 command reference guide to see more about the 'url-server' and 'filter' commands.

gates1150 Tue, 10/09/2007 - 06:36

Good point, that seems like a more efficient design. Do you know if a PIX 501 can do this?

1cmerchant Tue, 10/09/2007 - 06:50

Yes, I've implemented it with a Pix 501 as the remote devices and a Pix 515e as the head-end device. Should be no problem using a Pix 501 to connect to an ASA 5510 as long as your IPSEC config, etc. is all correct.

The caveat is that it takes a while for the HTTP request/response from the Websense server to traverse the IPSEC tunnel and return. When I encountered performance problems I started using the timeout and caching parameters of the url-server command to improve performance.
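
The 'url-server' and 'filter' approach from the replies above, sketched as a remote-site ASA 7.2 configuration. This is an added example, not a configuration posted by anyone in the thread; all addresses and the ACL name VPN-TO-HQ are hypothetical, and it assumes the Websense lookup leaves through the outside interface and so must match the tunnel's crypto ACL.

```cisco
! Remote-site ASA (7.2 syntax). All addresses and names are constructed.
!   10.1.1.50    = Websense server at the central site (hypothetical)
!   203.0.113.10 = this ASA's outside interface address (hypothetical)
!   VPN-TO-HQ    = crypto ACL already used by the site-to-site tunnel (hypothetical)
!
! Assumption: the ASA sources the Websense lookup from its outside interface,
! so that host-to-host flow has to be matched by the tunnel's crypto ACL.
! The head-end needs the mirror-image entry.
access-list VPN-TO-HQ extended permit ip host 203.0.113.10 host 10.1.1.50
!
! Point the firewall at the central Websense server. The interface name is
! the one the server is reached through, here the tunnel side.
! timeout = seconds the ASA waits before giving up on this server.
url-server (outside) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 4
!
! Cache verdicts by destination so repeat requests skip the tunnel round trip.
url-cache dst 128
!
! Fail-open form (shown commented out): the trailing "allow" passes HTTP
! unfiltered whenever the Websense server or the tunnel is unreachable.
! filter url http 0 0 0 0 allow
!
! Fail-closed form: without "allow", outbound HTTP is blocked until the
! Websense server answers again.
filter url http 0 0 0 0
```

`show url-server statistics` and `show url-cache statistics` report whether lookups are reaching the server and how many are being answered from the cache.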

acomiskey Tue, 10/09/2007 - 07:47

You have no other option on a 501; they don't support v. 7.

jobegates Tue, 10/09/2007 - 08:52

Did you use DMVPN or regular site-to-site tunnels?

1cmerchant Wed, 10/10/2007 - 06:41

Site to site tunnels, about 50+ total coming into a Pix 515e running v7.x code.

jobegates Wed, 10/10/2007 - 06:43

That's exactly what I'm setting up, not as many sites though. Thanks for the help.