
New Member

ASA 5510 Remote Site Internet Access

I'm setting up a new ASA 5510 and have 5 remote sites that connect back with site-to-site tunnels. We want to force their internet access through our Websense server. I know I can do split tunneling but this won't force it to go through Websense. Is there any way to allow the VPN traffic that comes in to go back out the connection for internet access of the centralized ASA?

11 REPLIES
Green

Re: ASA 5510 Remote Site Internet Access

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

New Member

Re: ASA 5510 Remote Site Internet Access

Thanks, that is exactly what I was looking for.

New Member

Re: ASA 5510 Remote Site Internet Access

If you are using ASA 5505s or similar at the remote locations you can use the 'url-server' and 'filter' commands to have your centralized Websense server approve HTTP connections. If you have Internet traffic going out locally through the remote ASAs you can still require that the Websense server approve connectivity.

Check the ASA v7.2 command reference guide to see more about the 'url-server' and 'filter' commands.

New Member

Re: ASA 5510 Remote Site Internet Access

Good point, that seems like a more efficient design. Do you know if a PIX 501 can do this?

New Member

Re: ASA 5510 Remote Site Internet Access

Yes, I've implemented it with a PIX 501 as the remote devices and a PIX 515E as the head-end device. Should be no problem using a PIX 501 to connect to an ASA 5510 as long as your IPsec config, etc. is all correct.

The caveat is that it takes a while for the HTTP request/response from the Websense server to traverse the IPsec tunnel and return. When I encountered performance problems I started using the timeout and caching parameters of the url-server command to improve performance.
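
Added example, not part of the thread or of any poster's configuration: a remote-site sketch of the design described in the two replies above, with local internet breakout but HTTP approved by the central Websense server across the tunnel, using the `url-server` timeout and the separate `url-cache` command. It assumes ASA 7.2 syntax; every address and the ACL name are constructed placeholders.

```cisco
! Remote-site ASA (7.2 syntax). All addresses and names below are constructed.
!   192.168.10.0/24  remote LAN           10.1.1.50   central Websense server
!   203.0.113.10     remote outside IP    VPN-TO-HQ   hypothetical crypto ACL name

! The URL lookup is sourced from the firewall's own outside address, so the
! crypto ACL has to carry that host-to-Websense flow across the tunnel too.
! The head-end needs the mirror-image entries in its own crypto ACL.
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip host 203.0.113.10 host 10.1.1.50

! Websense is reached through the outside interface (over the tunnel).
! timeout: seconds the firewall waits before giving up on this server.
url-server (outside) vendor websense host 10.1.1.50 timeout 10 protocol TCP version 4

! Send outbound HTTP from the LAN to Websense for approval.
! Written without "allow", this fails closed: if Websense or the tunnel is
! unreachable, web access from the site stops. Appending "allow" fails open,
! which keeps users online but lets unfiltered HTTP out during an outage.
filter url http 192.168.10.0 255.255.255.0 0 0

! Cache verdicts by destination so repeat requests skip the tunnel round trip.
! Size is in KB.
url-cache dst 128
```

The fail-closed versus fail-open choice on the `filter` line is the security decision in this design: decide it per site before relying on the tunnel for policy enforcement.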

New Member

Re: ASA 5510 Remote Site Internet Access

Were you running 6.x code?

Green

Re: ASA 5510 Remote Site Internet Access

You have no other option on a 501, they don't support v. 7.

New Member

Re: ASA 5510 Remote Site Internet Access

Did you use DMVPN or regular site-to-site tunnels?

New Member

Re: ASA 5510 Remote Site Internet Access

Site-to-site tunnels, about 50+ total coming into a PIX 515E running v7.x code.

New Member

Re: ASA 5510 Remote Site Internet Access

That's exactly what I'm setting up, not as many sites though. Thanks for the help.

New Member

Re: ASA 5510 Remote Site Internet Access

Are you using Easy VPN?
