Integrating Websense with Cisco ASA

Unanswered Question
Dec 17th, 2009

We have a Cisco ASA firewall in our office. This firewall is used to isolate consultants working for us on a project in a separate network. They bring their own laptops and connect them to the consultant subnet. These consultants are only allowed to access the internet (http/https traffic), VPN, etc. The firewall rules are implemented on the outside interface. To access the internet they have to go through our Inside interface and eventually through our Enterprise firewall (separate from this one).

The outside interface (security 0) of the Cisco ASA is connected to the consultants' subnet, and the inside interface (security 100) is connected to our Production network.

We are trying to implement Websense integration with a Cisco ASA 5510. I have followed the instructions from the Cisco configuration guide to configure filter rules and specify the url-server. But it is not working.

After troubleshooting the problem I found out that an HTTP request that originates on a higher security level interface destined for a lower security level interface will trigger the URL filtering. But an HTTP request that originates on a lower security level interface destined for a higher security level interface will skip the URL filtering.

I suspect that the issue lies somewhere with interface security levels and URL filtering. The security levels of the ASA interfaces are as follows:

Inside interface security level: 100

Outside interface security level: 0

So before I go messing with security levels, I wanted to get a 2nd opinion on this issue.

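The url-server and filter commands the question refers to, as an added configuration example for illustration (not the original poster's running config and not taken from the Cisco configuration guide). The interface names follow the post; the Websense host address 10.10.10.25, the consultant subnet 192.168.50.0/24, and the timeout and connection values are assumptions.

```cisco
! Websense server sits behind the inside interface (security 100).
! Host address, timeout and connection count are assumed values.
url-server (inside) vendor websense host 10.10.10.25 timeout 30 protocol TCP version 4 connections 5

! Filter HTTP requests whose source is the consultant subnet (assumed
! 192.168.50.0/24) to any destination. The trailing "allow" lets traffic
! pass if the Websense server is unreachable; omit it to fail closed.
filter url http 192.168.50.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

! HTTPS filtering (requires Websense protocol version 4) for the same subnet.
filter https 443 192.168.50.0 255.255.255.0 0.0.0.0 0.0.0.0

! Exempt traffic to the Websense host itself so it is never sent back to the
! filter (the enterprise firewall hop would be exempted the same way).
filter url except 0.0.0.0 0.0.0.0 10.10.10.25 255.255.255.255

! Verification. "show url-server" reports the server UP or DOWN; the request
! counters in "show url-server statistics" should increment while a consultant
! browses. Counters that stay at zero mean the flow never reached the filter,
! which is the symptom the question describes. The last two commands are the
! ones the first reply asks to see.
show url-server
show url-server statistics
show run url-server
show run filter
```

The filter url lines are global, not bound to an interface; what selects the traffic is the local/foreign address pair, so the consultant subnet goes in the local (source) fields regardless of which interface it arrives on. Whether the ASA hands a flow arriving on the security-0 interface to the filter at all is exactly what the thread is debating, so the verification counters, not the presence of the lines, are the check to rely on.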
PAUL GILBERT ARIAS Thu, 12/17/2009 - 14:36

Can you tell us what commands you have applied on the ASA related to the URL filtering?

Please attach the output of show run url-server and show run filter.

I believe that you are missing the filter command on the lower security interface.

Parminder Sian Thu, 12/17/2009 - 22:22

Hi,

For Websense, only traffic flowing from higher to lower security is filtered.

Workaround: Configure another router on a DMZ interface of the ASA and loop the remote traffic back to the DMZ interface of the ASA. This flow would now appear to come from higher to lower security (dmz ---> outside) and then go to the internet. Websense can hence filter this traffic.

Hope this helps.

Regards,

Sian

dharmendra2shah Tue, 12/22/2009 - 09:07

Parminder,

So you also agree that traffic from higher to lower security is filtered but not the other way round. I did not find any references where Cisco has mentioned that fact. Do you think I should open a TAC case with Cisco, or should I just go with the workaround suggested by you? Or is it from Cisco? Let me know....

Also let me know what implications I will have if I change the security number of Outside to 100 and Inside to 0, as the traffic is still controlled by the access-lists applied on the inside interface and outside interface.

Thanks, Ds
