01-09-2009 11:49 AM - edited 03-11-2019 07:35 AM
We have an ASA firewall with 3 active interfaces on it: inside, outside, and a DMZ interface. We have workstations in the DMZ that only communicate with the internet. The security level for this interface is 50. There are no ACLs or NATs in place, as the DMZ segment should not be communicating with the inside network. However, we have a Websense server and want to enable URL filtering on it to filter the internet-bound traffic for the DMZ segment. The server is on the inside network and currently functions fine for filtering traffic for inside hosts. Apparently a while back someone tried to enable the filtering for the DMZ and it never worked, so they disabled it. I don't have any details on it or why it didn't work. All I can tell you at this point is they want to try it again. How does this work for the DMZ internet-bound requests? Does the ASA make the request on their behalf, or do I need to allow the HTTP requests from the DMZ segment into the inside to the Websense server? What is needed to make this work? I believe the inside network does have a route to the DMZ segment, as an FYI.
01-09-2009 12:05 PM
You'll need to create a static NAT so the DMZ servers can talk to the Websense server. You should create an ACL and apply it to the dmz interface, only allowing the necessary ports/protocols.
static (inside,dmz) [websense server ip] [websense server ip] netmask 255.255.255.255
You'll need to create a static for each internal server you want to talk to (if you use your private DNS server for the DMZ servers).
Hope that helps
01-09-2009 12:25 PM
OK, so you are saying I need to create a NAT for the Websense server, then create an ACL for the dmz interface, allowing HTTP/HTTPS traffic to the Websense box? I'm confused as to where in the process the ASA itself comes in as far as communicating with Websense. If I am a workstation in the DMZ and I make an internet request, I send a packet to the dmz interface on the ASA. At this point I would think no ACL would come into play. And then the ASA would see that it's supposed to forward the request to the Websense server. So at that point, is the source IP the firewall or the workstation when it hits the Websense server?
01-09-2009 12:27 PM
I'm assuming you have the proxy information configured in your browsers. Is that correct or are you running WCCP?
01-09-2009 01:07 PM
No, there is no proxy info configured. All of the workstations in the DMZ are wireless guests, who only need to connect to the internet. We just want to be able to filter it through Websense first, but are unsure as to how.
01-09-2009 01:10 PM
Are your internal clients browsers configured or are you using WCCP?
01-09-2009 06:19 PM
Not sure where you are going with this. No, the internal clients are not using a proxy either, and we are not running WCCP. The firewall intercepts the internet requests from users on the inside when they go to the internet and sends them back inside to the Websense server. There is nothing hardcoded on the workstations to make this work.
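The following is an added configuration example, not posted by anyone in this thread, that puts together the static NAT and dmz-interface ACL suggested in the 12:05 PM reply with the ASA-side URL filtering commands (`url-server` / `filter url`) that produce the behaviour described in the 06:19 PM post, where the firewall itself forwards the lookup to Websense and nothing is configured on the workstations. Addresses, interface names and the ACL name are assumptions: the Websense server is taken to be 10.1.1.50 on the inside interface and the guest workstations 172.16.50.0/24 on the dmz interface. The syntax is ASA 8.0/8.2 (pre-8.3) NAT syntax, matching the `static` line in the reply; the actual ACL should be whatever the guest segment genuinely needs.

```text
! Added example (not from the thread). Assumed values:
!   Websense server  10.1.1.50      on interface "inside"
!   guest segment    172.16.50.0/24 on interface "dmz" (security-level 50)

! Identity static from the 12:05 PM reply: the Websense server is
! reachable from the dmz interface at its real address, untranslated.
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255

! Where the Websense server is and through which interface the ASA
! reaches it. The ASA, not the workstation, opens the lookup
! connection, so the lookup is sourced from the ASA's inside address.
url-server (inside) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 4 connections 5

! Apply URL filtering to HTTP from the guest subnet to anywhere.
! "allow" lets web traffic through if the Websense server does not
! answer (fail open); omit it to block web traffic in that case.
filter url http 172.16.50.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

! Inbound ACL on the dmz interface: deny anything aimed at the inside
! address space first, then permit only name resolution and web browsing.
! (10.0.0.0/8 stands in for the real inside ranges; adjust as needed.)
access-list dmz_in extended deny ip 172.16.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in extended permit udp 172.16.50.0 255.255.255.0 any eq domain
access-list dmz_in extended permit tcp 172.16.50.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 172.16.50.0 255.255.255.0 any eq https
access-list dmz_in extended deny ip any any
access-group dmz_in in interface dmz
```

The order of the ACL entries matters: the deny for the inside address space must precede the `permit ... any eq www` line, otherwise a guest could reach an inside web server on port 80 and the "DMZ never talks to inside" intent is lost. `show url-server` and `show url-server statistics` on the ASA show whether the Websense server is being reached and how many lookups are being answered, which is the first thing to check if filtering appears to do nothing for the DMZ.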
01-13-2009 09:10 PM
In our company we have a proxy server that filters URLs, but it is located in the DMZ. Our clients are located on the inside interface, and we just make an ACL so that all web requests are redirected to our proxy server.