Solved: Re: What is a good webfilter to use???

cisco_himg · ‎07-26-2009

I am considering a Barracuda web filter, but i did see others such as IronPort, SonicWall.

I am however, NOT considering websense. I have it and currently hate it. I would rather have hardware rather than software.

Any ideas?

Collin Clark · ‎07-27-2009

Cool. The ACL RESTRICT_SMTP is applied to the inside_vlan17 interface. When you move the IP over to gi0/3, remove the ACL then apply to the new interface.

no access-group RESTRICT_SMTP in interface inside_vlan17

access-group RESTRICT_SMTP in interface new_inside_vlan17

View solution in original post

Collin Clark · ‎07-27-2009

I have a customer that loves Barracuda. I have another customer that loves IronPort. We've used webwasher and BlueCoat, both work find, just expensive. Note that Webwasher can not load balance natively. In the past I've used Squid and had good success with it.

cisco_himg · ‎07-27-2009

Awesome, I just purchase a Barracuda. I already have their Spam Firewall, and love it, so I am looking forward to getting it.

I am disappointed that I cant use it over a trunk link, but i do have a question..Take a look at the attached pic.

Our MAIN Vlan 17 is the one we use, all the other ones are for our tennants. If I move the Gig 0/1.17 to Gig 0/3, would that work?

Would there be any other settings I would need to do? and would you recommend?

cisco_himg · ‎07-27-2009

SOrry, i forgot to attached the pic. Here it is. :)

Collin Clark · ‎07-27-2009

That should work fine. Just remember to set your security level on the interface, the ACL, and any NAT.

cisco_himg · ‎07-27-2009

I understand putting our security level on the Interface, but what do you mean by ACL, and NAT.. I thought they would just see the interface once i configured it and just go with it. This is my first time setting this up, so I am still learning. I thought the ACL and NAT settings would stay the same?

Collin Clark · ‎07-27-2009

They can. For the ACL you will need to move it to the new interface. NAT will most likely stay the same as long as your address space doesn't change (which I assumed it wouldn't, but just wanted to mention it.)

cisco_himg · ‎07-27-2009

Ok, yes the NAT will stay the same...Can you give me a example of which ones i need to move? Keep in mind, i am new :)

cisco_himg · ‎07-27-2009

and all subnets are staying the same. 172.17.0.2

Collin Clark · ‎07-27-2009

Let's say you have an ACL (let's call it inside_access) applied to the inside interface. We remove it from the old interface (inside) and apply it to the new interface (inside_1).

no access-group inside_access in interface inside

access-group inside_access in interface inside_1

Even if you keep the same name for the interfaces, when the original one is deleted the ACL will automatically be removed so you will still ehve to re-apply it.

cisco_himg · ‎07-27-2009

Ok i understand, however, these are all my ACL's, i dont see where it says Interface ******* to change it...see attached....

Collin Clark · ‎07-27-2009

It's only a partial config and the relevant info is a little further down. However you have an ACL named inside_out that is probably applied to the inside interface. Try this command and see if you see where the ACLs are applied-

show run | i access-group

cisco_himg · ‎07-27-2009

himg-asa# show running-config | i access-group

access-group outside_in in interface outside per-user-override

access-group RESTRICT_SMTP in interface inside_vlan17

access-group dmz_in in interface dmz

Collin Clark · ‎07-27-2009

Cool. The ACL RESTRICT_SMTP is applied to the inside_vlan17 interface. When you move the IP over to gi0/3, remove the ACL then apply to the new interface.

no access-group RESTRICT_SMTP in interface inside_vlan17

access-group RESTRICT_SMTP in interface new_inside_vlan17

cisco_himg · ‎07-27-2009

THank you!!! I rated you 5!..

THanks for taking time out of your day for me...

Dustin