
ASA with Websense filtering traffic on DMZ not working

srosenthal
Level 4

I have a Cisco ASA firewall that is set up with an inside interface and a DMZ interface.  I also have a Websense content filter that is currently filtering traffic successfully on the inside interface.

I set up a DMZ port for our guest wireless network and traffic is flowing just fine over this interface and out to the internet.  I want to be able to filter this traffic just like I filter the internal traffic.

I configured the ASA for the WCCP redirect for the DMZ interface and when I do then no traffic is allowed out to the internet and I am not getting any response from the Websense.

Here is the config before any changes to the WCCP config from the ASA:

wccp 0 redirect-list WCCP group-list PROXY-WS

wccp 70 redirect-list WCCP group-list PROXY-WS

wccp interface inside 0 redirect in

wccp interface inside 70 redirect in

I added the following lines to the ASA and after I did this traffic over the DMZ port stopped.  Internal traffic continued to work fine and is filtered.

wccp interface DMZ 0 redirect in

wccp interface DMZ 70 redirect in

Here is the PROXY-WS command

access-list PROXY-WS extended permit ip host 128.1.0.98 any

Any help is greatly appreciated.

Seth

3 Replies

l-mathews
Level 1

How did you get wccp redirection to websense working fine on the inside interface?

We are having issues with this.  Apparently, websense and client need to be on the same interface.

Websense also needs a route (def gw) to internet. Def GW can't be same as the interface doing redirection

For instance, if inside is 10.1.1.1, and websense is 10.1.1.1.20, client is 10.120.0.10 (reachable via the inside interface)

Websense's default gw can't be 10.1.1.1

Websense needs a route to the client and internet.  How did you make it work?

I wish wccp redirection didn't have to be applied to an interface. There should be a global option (like global access-list) or configured under application inspection.

Let me know, Thanks

Ivaylo Georgiev
Level 1

Did you resolve this?

Yes.  I had to put the guest network on the same interface on the ASA as the inside network.  The Websense does not support the setup I was trying to use it as.
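A config check for the constraint this thread arrives at (the Websense server has to sit behind the same ASA interface as the redirected clients), as an added example that is not part of the original posts. It goes beyond the single case by resolving the engine's interface with a longest-prefix match over connected subnets and static routes; the interface addresses, masks and static route in the sample are assumptions, only the wccp and access-list lines come from the thread.

```python
import ipaddress

# Constructed sample: wccp/access-list lines are from the thread, addressing is assumed.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 ip address 128.1.0.1 255.255.0.0
interface GigabitEthernet0/2
 nameif DMZ
 ip address 192.168.50.1 255.255.255.0
route inside 10.120.0.0 255.255.0.0 128.1.0.254
access-list PROXY-WS extended permit ip host 128.1.0.98 any
wccp 0 redirect-list WCCP group-list PROXY-WS
wccp 70 redirect-list WCCP group-list PROXY-WS
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in
wccp interface DMZ 0 redirect in
wccp interface DMZ 70 redirect in
"""

def check_wccp_topology(config):
    """Return (redirect_if, service, engine_ip, engine_if) for each mismatch."""
    nets, engines, groups, redirects, nameif = [], {}, {}, [], None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "interface":
            nameif = None                              # start of a new interface block
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:    # connected subnet
            nets.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), nameif))
        elif t[0] == "route":                          # route <if> <net> <mask> <gw>
            nets.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[1]))
        elif t[0] == "access-list" and "host" in t:    # candidate cache engine entry
            host = ipaddress.ip_address(t[t.index("host") + 1])
            engines.setdefault(t[1], []).append(host)
        elif t[:2] == ["wccp", "interface"]:           # wccp interface <if> <svc> redirect in
            redirects.append((t[2], t[3]))
        elif t[0] == "wccp" and "group-list" in t:     # wccp <svc> ... group-list <acl>
            groups[t[1]] = t[t.index("group-list") + 1]

    def egress(ip):  # longest-prefix match: interface the ASA uses to reach ip
        hits = [(n.prefixlen, ifc) for n, ifc in nets if ip in n]
        return max(hits)[1] if hits else None

    return [(ifc, svc, str(ip), egress(ip))
            for ifc, svc in redirects
            for ip in engines.get(groups.get(svc), [])
            if egress(ip) != ifc]
```

Running `check_wccp_topology(SAMPLE_CONFIG)` flags both DMZ redirect lines because the engine in PROXY-WS is reached through the inside interface.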
