cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
565
Views
0
Helpful
4
Replies

Having trouble passing from PIX 506e to my Websense Server

ronaldboose
Level 1
Level 1

My Pix is not forwarding to my Websense server, for URL filtering

I worked with a tech from Websense, that assured me that the websense server is configured correctly.

However I'm going to include some notes on it as well.

The Websense server has two nics.

NIC 1: Static private address: no gateway

(Everyone on private network can ping this address)

NIC 2: Static registered IP address on the same network as my router and pix, pointing to my router as the gateway.

This is also my FTP Server, which I have no problem hitting from the outside.

Below is part 1 of my pix config, any help resolving why my pix is not filtering with my websense server would be greatly appreciated.

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ww1l5Q92YaRRQxfM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname ami

domain-name ami-lewiston.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol icmp error

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 172.16.0.0 Ligonier

name 10.4.0.0 NTC2

name 66.146.133.70 CMS-Support

name 10.3.0.0 CassCity

name 192.168.1.251 FTPServer

object-group service CMS-Support tcp-udp

port-object range 397 397

object-group service jGo tcp

port-object eq 449

port-object eq telnet

port-object range 8870 8876

port-object eq 446

port-object eq www

1 Accepted Solution

Accepted Solutions

Hi,

Where is the websense server located? Based on your IP Address, it looks like the server is located on the outside. So, the below statement needs to be corrected.

Old Config:

url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4

New Config:

url-server (outside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4

Regards,

Arul

*Pls rate if it helps*

View solution in original post

4 Replies 4

ronaldboose
Level 1
Level 1

Part 2 of config:

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0

access-list inside_outbound_nat0_acl permit ip any 192.168.1.224 255.255.255.224

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0

access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.224 255.255.255.224

access-list CMSClient_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

access-list cms_access remark Rule to allow CMS support in

access-list outside_access_in permit tcp host CMS-Support interface outside object-group CMS-Support

access-list outside_access_in permit udp host CMS-Support interface outside object-group CMS-Support

access-list outside_access_in permit tcp any interface outside object-group jGo

access-list outside_cryptomap_60 permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 12.2.81.170 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip audit signature 1000 disable

ip local pool CMSPool 192.168.1.235-192.168.1.245

pdm location Ligonier 255.255.0.0 outside

pdm location 192.168.1.224 255.255.255.224 outside

pdm location NTC2 255.255.255.0 outside

pdm location 192.168.1.253 255.255.255.255 inside

pdm location CMS-Support 255.255.255.255 outside

pdm location CassCity 255.255.0.0 outside

pdm location 12.2.81.170 255.255.255.255 inside

pdm location FTPServer 255.255.255.255 inside

pdm location 12.2.81.169 255.255.255.255 outside

pdm location 12.2.81.169 255.255.255.255 inside

pdm location FTPServer 255.255.255.255 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.1.253 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface telnet 192.168.1.253 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 446 192.168.1.253 446 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 449 192.168.1.253 449 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8870 192.168.1.253 8870 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8871 192.168.1.253 8871 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8872 192.168.1.253 8872 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8873 192.168.1.253 8873 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8874 192.168.1.253 8874 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8875 192.168.1.253 8875 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8876 192.168.1.253 8876 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

part 3 of config

route outside 0.0.0.0 0.0.0.0 12.2.81.161 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 64.184.36.11

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer 12.150.59.70

crypto map outside_map 40 set transform-set ESP-DES-SHA

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 12.159.34.3

crypto map outside_map 60 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 64.184.36.11 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 12.150.59.70 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 12.159.34.3 netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup CMSClient address-pool CMSPool

vpngroup CMSClient dns-server 192.168.1.250

vpngroup CMSClient default-domain ami.local

vpngroup CMSClient split-tunnel CMSClient_splitTunnelAcl

vpngroup CMSClient split-dns 192.168.1.250 10.4.0.250

vpngroup CMSClient pfs

vpngroup CMSClient idle-time 1800

vpngroup CMSClient password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group CMSClient accept dialin pptp

vpdn group CMSClient ppp authentication pap

vpdn group CMSClient client configuration address local CMSPool

vpdn group CMSClient client configuration dns 192.168.1.250

vpdn group CMSClient pptp echo 60

vpdn group CMSClient client authentication local

vpdn username ron password *********

vpdn enable outside

vpdn enable inside

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Hi,

Where is the websense server located? Based on your IP Address, it looks like the server is located on the outside. So, the below statement needs to be corrected.

Old Config:

url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4

New Config:

url-server (outside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4

Regards,

Arul

*Pls rate if it helps*

Thank you very much, issue resolved

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: