need help with ASA as it relates to URL filtering

Unanswered Question
Jan 9th, 2009

We have an ASA firewall with 3 active interfaces on it: inside, outside, and a DMZ interface. We have workstations in the DMZ that only communicate with the internet. The security level for this interface is 50. There are no ACLs or NATs in place, as the DMZ segment should not be communicating with the inside network. However, we have a Websense server and want to enable URL filtering on it to filter the internet-bound traffic for the DMZ segment. The server is on the inside network and currently functions fine for filtering traffic for inside hosts. Apparently a while back someone tried to enable the filtering for the DMZ and it never worked, so they disabled it. I don't have any details on it or why it didn't work. All I can tell you at this point is they want to try it again. How does this work for the DMZ internet-bound requests? Does the ASA make the request on its behalf, or do I need to allow the HTTP requests from the DMZ segment into the inside to the Websense server? What is needed to make this work? I believe the inside network does have a route to the DMZ segment, as an FYI.

Collin Clark Fri, 01/09/2009 - 12:05

You'll need to create a static NAT so the DMZ servers can talk to the Websense server. You should create an ACL and apply it to the DMZ interface, only allowing necessary ports/protocols.

static (inside,dmz) [websense server ip] [websense server ip] netmask 255.255.255.255

You'll need to create a static for each internal server you want to talk to (if you use your private DNS server for the DMZ servers).

Hope that helps

mjsully Fri, 01/09/2009 - 12:25

OK, so you are saying I need to create a NAT for the Websense, then create an ACL for the DMZ interface, allowing HTTP/HTTPS traffic to the Websense box? I'm confused as to where in the process the ASA itself comes in as far as communicating with Websense. If I am a workstation in the DMZ, and I make an internet request, I send a packet to the DMZ interface on the ASA. At this point I would think no ACL would come into play. And then the ASA would see that it's supposed to forward the request to the Websense server. So at that point is the source IP the firewall or the workstation when it hits the Websense server?

Collin Clark Fri, 01/09/2009 - 12:27

I'm assuming you have the proxy information configured in your browsers. Is that correct or are you running WCCP?

mjsully Fri, 01/09/2009 - 13:07

No, there is no proxy info configured. All of the workstations in the DMZ are wireless guests, who only need to connect to the internet. We just want to be able to filter it through Websense first, but are unsure as to how.

Collin Clark Fri, 01/09/2009 - 13:10

Are your internal clients browsers configured or are you using WCCP?

mjsully Fri, 01/09/2009 - 18:19

Not sure where you are going with this. No, the internal clients are not using a proxy either, and we are not running WCCP. The firewall intercepts the internet requests from users on the inside when they go to the internet, and sends them back inside to the Websense server. There is nothing hardcoded on the workstation to make this work.
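
The behaviour mjsully describes is the ASA's own url-server / filter url feature: the ASA itself queries the Websense server (TCP 15868 by default) from the interface the url-server is defined on, so the lookup is sourced by the firewall, not by the client. The configuration below is an added example, not posted by anyone in this thread; the addresses 10.1.1.20 (Websense on inside) and 172.16.1.0/24 (DMZ guest subnet) are constructed placeholders.

```cisco
! Websense server on the inside interface (constructed address). The ASA
! opens the lookup connection itself, so DMZ hosts never need a NAT or
! route to 10.1.1.20.
url-server (inside) vendor websense host 10.1.1.20 timeout 30 protocol TCP version 4 connections 5

! Existing rule for inside users: filter all HTTP from any local host.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

! Add the DMZ guest subnet (constructed). The local_ip/local_mask pair is
! matched against the client address on whichever interface it enters, so
! the same inside url-server serves DMZ traffic as well.
filter url http 172.16.1.0 255.255.255.0 0.0.0.0 0.0.0.0

! Weak variant: the trailing "allow" keyword lets HTTP through unfiltered
! whenever the Websense server is unreachable (fail-open).
! filter url http 172.16.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
! Omitting "allow", as above, fails closed: HTTP is blocked until the
! url-server responds.

! Guest DMZ should still only get web and DNS outbound; apply an ACL on the
! DMZ interface so the security-level default does not permit everything.
access-list DMZ_OUT extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list DMZ_OUT extended permit tcp 172.16.1.0 255.255.255.0 any eq https
access-list DMZ_OUT extended permit udp 172.16.1.0 255.255.255.0 any eq domain
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

To confirm the ASA is actually reaching the server and DMZ lookups are being counted, use `show url-server` and `show url-server statistics`; a lookup count that does not rise while a DMZ host browses means the filter url line is not matching that traffic.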

helios999 Tue, 01/13/2009 - 21:10

In our company we have a proxy server that filters URLs, but it is located in the DMZ. Our clients are located on the inside interface and we just make an ACL so that all web requests are redirected to our proxy server.
