I'm setting up a new ASA 5510 and have 5 remote sites that connect back with site-to-site tunnels. We want to force their internet access through our websense server. I know I can do split tunneling but this won't force it to go through websense. Is there any way to allow the VPN traffic that comes in to go back out the connection for internet access of the centralized ASA?
! Allow traffic that arrives on the outside interface (the VPN tunnels) to leave through the same interface (hairpinning)
same-security-traffic permit intra-interface
! Translate the hairpinned traffic to the outside interface address; pre-8.3 NAT syntax
global (outside) 1 interface
! The original post omitted the source network; <remote-vpn-subnet> <mask> is a placeholder for the remote sites' LAN ranges
nat (outside) 1 <remote-vpn-subnet> <mask>
If you are using ASA 5505s or similar at the remote locations you can use the 'url-server' and 'filter' commands to have your centralized Websense server approve http connections. If you have Internet traffic going out locally through the remote ASAs you can still require that the Websense server approve connectivity.
Check the ASA v7.2 command reference guide to see more about the 'url-server' and 'filter' commands.
Yes, I've implemented it with a Pix 501 as the remote devices and a Pix 515e as the head-end device. Should be no problem using a Pix 501 to connect to an ASA 5510 as long as your IPsec config, etc. is all correct.
The caveat is that it takes a while for the http request/response from the Websense server to traverse the IPsec tunnel and return. When I encountered performance problems I started using the timeout and caching parameters of the url-server command to improve performance.
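To tie the replies together, here is an added example configuration (not posted by any of the participants above) for the head-end ASA: it hairpins the remote sites' Internet traffic out the outside interface and sends every HTTP request to the Websense server with the timeout and caching parameters mentioned in the last reply. It assumes pre-8.3 NAT syntax, a Websense server at 10.1.1.5 on the inside interface, and a remote LAN range of 192.168.0.0/16; all three are placeholders.

```cisco
! --- Hairpin VPN traffic back out the outside interface ---
same-security-traffic permit intra-interface
global (outside) 1 interface
! placeholder: the aggregate of the five remote-site LANs
nat (outside) 1 192.168.0.0 255.255.0.0

! --- Central Websense filtering ---
! Websense (protocol 4) at 10.1.1.5 on the inside interface.
! timeout: seconds to wait for a Websense verdict before "allow" (below) takes effect.
! connections: parallel TCP sessions to the server, which hides some tunnel latency.
url-server (inside) vendor websense host 10.1.1.5 timeout 10 protocol TCP version 4 connections 5

! Cache verdicts per destination so repeat requests do not cross the tunnel again.
! Trade-off: a URL reclassified on the server stays cached until it expires.
url-cache dst 128

! Send all HTTP from any source to any destination to Websense.
! "allow" means fail-open if the server is unreachable; drop it for fail-closed.
filter url http 0 0 0 0 allow
```

Verify the hairpin with 'show xlate' from a remote host browsing the Internet, and the filter path with 'show url-server statistics'.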