03-13-2009 12:26 PM - edited 03-11-2019 08:04 AM
We have Websense running in the environment. The core switches (CAT6500) use a SPAN port to mirror Internet-destined traffic to Websense, and that works just fine. However, we have Remote Access VPN users that terminate on an ASA5520, and their traffic is not going through Websense, as the SPANning is done on the INSIDE interface of the firewall and the VPN is on the OUTSIDE of the firewall.
An idea that was proposed was:
create a route map that catches traffic that:
- is remote access VPN traffic (based on the IP pool) and
- is coming from the outside interface
and make the default route for this traffic the internal network. This way users who come in as remote access VPN will come from the INSIDE when hitting the Internet.
Will that work?
03-20-2009 05:11 AM
Ron,
Why don't you just configure the firewall to send traffic to the Websense server?
Create an exception for the traffic being handled by the core switches; then everything else (including the RA-VPN traffic) gets sent.
HTH
03-20-2009 07:30 AM
Andrew is correct...
If not already configured, set up the ASA to talk to Websense:
url-server (inside) vendor websense host x.x.x.x timeout 30 protocol TCP version 4 connections X
Then, filter the traffic from the VPN. Assuming this traffic is on a separate subnet or IP pool, it should be this easy:
filter https 443
filter url http
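An added example, not posted by anyone in this thread, that puts the two replies above into a complete ASA configuration fragment. All values are assumed: 10.10.10.0/24 is the RA-VPN address pool, 192.0.2.10 is the Websense server on the inside network, 10.0.0.0/8 is the LAN already covered by the SPAN port, and RAVPN_GP is the VPN users' group policy.

```text
! Added example (not from the thread). Placeholder values:
!   10.10.10.0/24  = assumed RA-VPN address pool
!   192.0.2.10     = assumed Websense server on the inside network
!   10.0.0.0/8     = assumed LAN already mirrored by the core SPAN port
!
! 1. Tell the ASA where the Websense server is.
url-server (inside) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4 connections 5
!
! 2. Send only the VPN pool's web traffic to Websense. Syntax is
!    <local_ip> <local_mask> <foreign_ip> <foreign_mask>; "0 0" = any
!    destination. The LAN is left out so it is not filtered twice.
filter url http 10.10.10.0 255.255.255.0 0 0
filter https 443 10.10.10.0 255.255.255.0 0 0
filter ftp 21 10.10.10.0 255.255.255.0 0 0
!
! 3. Alternative wording of Andrew's suggestion: filter everything, then
!    carve out the LAN the core switches already mirror. Use either
!    step 2 or step 3, not both.
! filter url http 0 0 0 0
! filter url except 10.0.0.0 255.0.0.0 0 0
!
! 4. The filter commands only see HTTP/HTTPS/FTP (the "limited to ports"
!    point in the thread). The last reply's complement is an ACL that
!    permits only the expected protocols and logs the explicit deny, so
!    tunnelling and P2P attempts from the pool show up in syslog.
access-list RAVPN_OUT extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list RAVPN_OUT extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list RAVPN_OUT extended permit tcp 10.10.10.0 255.255.255.0 any eq smtp
access-list RAVPN_OUT extended permit tcp 10.10.10.0 255.255.255.0 any eq pop3
access-list RAVPN_OUT extended permit tcp 10.10.10.0 255.255.255.0 any eq imap4
access-list RAVPN_OUT extended permit icmp 10.10.10.0 255.255.255.0 any echo
access-list RAVPN_OUT extended deny ip any any log
!
! Apply it as a vpn-filter on the (assumed) group policy so it governs
! the decrypted tunnel traffic; VPN users arrive on the outside
! interface, so an ACL on the inside interface would never see them.
group-policy RAVPN_GP attributes
 vpn-filter value RAVPN_OUT
```

In a vpn-filter ACL the VPN client side is always written as the source, which is why the pool appears as the source in every line above.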
03-20-2009 01:06 PM
Configuring the ASA to talk to Websense was in fact plan A, but I had to roll back to the SPAN port, because the configuration you recommend is limited to a specific number of ports. We want Websense to monitor ALL ports; that is why we SPAN the INSIDE interface of the firewall to Websense.
What about creating a route-map on the firewall to send traffic coming from the RA-VPN to the core switches? Will that work?
03-20-2009 01:15 PM
The ASA does not support PBR.
Confused: when you say "limited to a specific number of ports", please explain.
03-24-2009 10:25 AM
Hi Andrew,
By that I mean, if you enable the URL filtering on the firewall (in the global config) as opposed to using a SPAN port, you can only capture so many protocols. Take a look at this:
Look at the following section:
Configure the ASA/PIX with ASDM
Step #5
So when you add a rule, you are limited to only those ports. We need to be able to capture ALL outgoing ports to the Internet on Websense; this applies to remote access VPN users as well, thus the need to use this as opposed to SPANning. But again, we cannot be limited by ports.
How did you resolve this issue?
03-25-2009 12:11 AM
I am not sure I completely understand; the Websense config in the ASA is a URL/HTTP/HTTPS redirect/scanning tool.
If you are worried about "other" protocols/ports getting by the Websense filter from the ASA, the solution is easy.
Write an ACL on traffic coming into the inside interface that only allows HTTP/HTTPS and other network-related tools, like ICMP/SMTP/IMAP and POP3.
Even if users try to HTTP tunnel, Websense will catch it. If you also log the explicit deny any any at the end of the ACL, you will see the naughty connection attempts for P2P etc.
HTH