Allow mode on for ASA?

Answered Question
Aug 6th, 2010

We are setting up a websense url-filter for our location. We have the following set up for our routers that are doing auth-proxy and we have no issues with this.

    ip inspect name websenseinternet http urlfilter
    ip urlfilter urlf-server-log
    ip urlfilter server vendor websense 172.20.63.75
    ip urlfilter allow-mode on

These commands suit my company's needs no problem. We had to put the allow-mode on because the server locked up one day and the routers were denying all internet traffic.

My question: are there any allow-mode on commands for pix/asa devices? Any help will be greatly appreciated.

Correct Answer by Nagaraja Thanthry about 6 years 4 months ago

Hello,

Yes, even pix/ASA have allow mode. At the end of "filter" statement you need to add "allow" keyword which will ensure that the firewall will forward traffic when the filtering server is unavailable.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configura...

_example09186a008088517b.shtml

Hope this helps.

Regards,

NT

Correct Answer by mirober2 about 6 years 4 months ago

Hello,

The equivalent functionality on the ASA is to use the 'allow' keyword when you set up the 'filter url' command that passes traffic to the filtering server. Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933061

allow

When the server is unavailable, let outbound connections pass through the security appliance without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.

Hope that helps.

-Mike
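
The `allow` keyword and `ip urlfilter allow-mode on` both make filtering fail open, so it helps to know which rules on which devices behave that way when the Websense server is down. The following is an added example, not part of the original posts or any Cisco tooling: a small audit over saved configurations. The sample configs are constructed, the function names are hypothetical, and the parser assumes the `filter url` argument order from the command reference linked above (port or `except`, four address/mask fields, then options).

```python
import re

# Constructed sample configurations for illustration (not from the thread).
SAMPLE_ASA = """\
url-server (inside) vendor websense host 172.20.63.75 timeout 30 protocol TCP version 4
filter url except 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 8080 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 proxy-block
"""

SAMPLE_IOS = """\
ip inspect name websenseinternet http urlfilter
ip urlfilter server vendor websense 172.20.63.75
ip urlfilter allow-mode on
"""


def audit_asa(config):
    """Classify each PIX/ASA 'filter url' rule.

    Returns a list of (rule, mode) where mode is:
      'exempt'      - 'filter url except' rule, traffic is never filtered
      'fail-open'   - 'allow' present, traffic passes if the server is down
      'fail-closed' - no 'allow', port traffic stops if the server is down
    """
    results = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["filter", "url"]:
            continue
        if len(tokens) > 2 and tokens[2] == "except":
            mode = "exempt"
        elif "allow" in tokens[7:]:  # options follow the four address fields
            mode = "fail-open"
        else:
            mode = "fail-closed"
        results.append((" ".join(tokens), mode))
    return results


def audit_ios(config):
    """IOS urlfilter is fail-open only when allow-mode is explicitly on."""
    if re.search(r"^\s*ip urlfilter allow-mode on\s*$", config, re.MULTILINE):
        return "fail-open"
    return "fail-closed"


if __name__ == "__main__":
    for rule, mode in audit_asa(SAMPLE_ASA):
        print(f"{mode:12} {rule}")
    print(f"{audit_ios(SAMPLE_IOS):12} (IOS urlfilter)")
```

Rules reported as fail-open are the ones where an outage of the filtering server silently removes URL filtering, so they are worth pairing with monitoring of the server itself.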
