Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5520 & Websense


I've just installed a standalone version of Websense security suite in my DMZ.

My users are connected to Internet through an ASA 5520. I would like that the ASA intercept the url requests and send it to the websense for approbation.

I use the "url-XXXX" set of commands in my asa.

url-server (dmz) vendor websense host WEBSENSE timeout 30 protocol TCP version 4 connections 5

url-cache dst 100

filter url http users_ipaddress allow proxy-block longurl-truncate cgi-truncate

url-block url-mempool 2

url-block url-size 2

url-block block 10

I would like to know what contain the packet sent by the ASA to the websense ? Only the user ip address and the destination url ?

Actually I would like to be able to create groups in the websense connected to the AD Database but i'm not sure the ASA is sending me the credentials. Is there a way to do that ?




Re: ASA 5520 & Websense

The ASA ask to the Websense if the user is allow to access that specific website. If not the ASA blocks the request. The websense only respond to the question from the ASA, The ASA is who block the request or allow it.

The websense can block with:

destination hostname

destination IP address


user name

All that information is forwarded to the Websense server.

Hope It helps.

New Member

Re: ASA 5520 & Websense

It seems that the username is forwarded to the websense if user authentication is enabled on the security appliance. Is this a way to setup transparent authentication in order to simply forward the username request to the websense ?

Re: ASA 5520 & Websense

This information is in the link that I gave u.


Software version 7.x and later:

pix(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version 1|4

[connections num_conns] ]

Replace if_name with the name of the security appliance interface that is connected to the filtering server. The default is inside. Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance must continue to try to connect to the filtering server.

Use the protocol option in order to specify whether you want to use TCP or UDP. With a Websense server, you can also specify the version of TCP you want to use. TCP version 1 is the default. TCP version 4 allows the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user.

For example, in order to identify a single Websense filtering server, issue this command:

hostname(config)#url-server (DMZ) vendor websense host protocol TCP version 4

Please let me know if this is what u were looking for.


New Member

Re: ASA 5520 & Websense

In your quote :

"the PIX firewall to send authenticated user names and URL logging information to the Websense server if the PIX firewall has already authenticated the user. "

How can I proceeed to transparent authenticate the user in the firewall ?