Cisco Support Community
New Member

How to configure Websense on ASA 5520 Firewall?

Hi Everyone,

I am a new learner of the ASA firewall. Recently we purchased an ASA 5520 with the following version:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

 ASA 5520 Adaptive Security Appliance 

 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9

 

I have configured the ASA with a basic configuration. Now I want to implement web filtering using Websense on the ASA firewall. I don't have any idea about the requirements for this configuration.

I found a configuration line on Google, but it does not seem to work.

My ASA is configured with:

1. outside

2. inside

3. DMZ

I came across one solution where Websense is configured with the DMZ, and I tried it in the same manner, but when I checked the Websense server statistics, it shows "DOWN".

I used the following lines:

 

url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
url-cache dst 100
url-block url-mempool 2
url-block url-size 2
url-block block 10

Basically I want to completely block social websites. I can use the CSC content filtering, but when users use a proxy utility, the blocked websites open.

 

Please help me out.

 

Thanks

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Yes, and I believe that you can install it on a Windows server, or there is an appliance from Websense, but you would need to talk to them for details.

Value our effort and rate the assistance!
8 REPLIES
Hall of Fame Super Silver

Can you reach (ping) the Websense server from your ASA?

If so, have you added the ASA as an integrated device on the Websense console? (Reference)

New Member

@ Marvin Rhoads & jumora:

 

Thanks for the response. Since I am new to Websense, I have a few questions:

1. Do we need to have a separate PC to configure as the Websense server? If yes, then how?

2. Will this Websense server filter websites completely? The network users are pretty smart, as they use a third-party PROXY utility to bypass the blocked websites.

3. Will it affect the performance of the ASA after configuring Websense?

 

Thanks

Silver

Websense is a third-party product that works in conjunction with the ASA, so you need to purchase it.

 

2. The ASA has an option in the Websense (url-filtering) configuration to block proxies, but nowadays people use all types of proxies, so you might need to monitor your network connections or block any unknown port from going out through the firewall.

In the ASA URL filtering document, you will find the proxy-block option:

 

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97277-pix-asa-url-filtering.html#task3

 

Each function has some sort of impact, whether positive or negative. I've seen a lot of ASAs configured with Websense without any problems, if that is what you are asking.

Value our effort and rate the assistance!
New Member

Hi,

Do I need to prepare a separate machine as a Websense server?

Silver

What do you mean by that question:

Do I need to prepare a separate machine as a Websense server?

The question is related to Websense requirements. I believe that there are several options: you get a server or you buy the appliance.

For further details, please ask the Websense vendor.

Value our effort and rate the assistance!
New Member

Hi,

I mean to say about this line:

url-server (if_name) vendor websense host <IP of Websense server > protocol tcp version 

Where it says <IP Address of Websense server>, what IP address shall I give here? If it is talking about the Websense server, then I mean to ask: is it required to have a server or computer to configure as the Websense server?

Thanks

Silver

Yes, and I believe that you can install it on a Windows server, or there is an appliance from Websense, but you would need to talk to them for details.

Value our effort and rate the assistance!
Silver

First:

 

Wrong command:

no filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate

Correct command:

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

 

Wrong command:

no filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow

 

Correct command:

 

filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate

 

Please get the complete TCP/IP configuration from the server, and remove and re-add all Websense-related configuration.

 

https://tools.cisco.com/bugsearch/bug/CSCto58232

 

https://tools.cisco.com/bugsearch/bug/CSCtx20108

 

FYI this article is pretty nice:

http://es.websense.com/support/article/t-kbarticle/Configure-PIX-Firewall-ASA-for-Websense-Integration

Value our effort and rate the assistance!
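
Added example (not part of the thread, and not Cisco or Websense code): a Python check that reads `url-server` and `filter` lines and reports the problems the last reply corrects, namely HTTPS port 443 placed on `filter url`, a single destination host instead of `0.0.0.0 0.0.0.0`, and a Websense server inside a filtered range without a `filter ... except` line. The function names and finding codes are hypothetical; the sample input is the original poster's configuration from this thread.

```python
import ipaddress
import re

# Constructed input: the three lines the original poster quoted in this thread.
SAMPLE_CONFIG = """\
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
"""

SERVER_RE = re.compile(r"^url-server\s+\(\S+\)\s+vendor\s+websense\s+host\s+(\S+)", re.I)
FILTER_RE = re.compile(r"^filter\s+(url|https)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def covers_443(port_spec):
    """True if a port, port range ('80-8080') or the name 'https' includes 443."""
    if not port_spec[0].isdigit():
        return port_spec.lower() == "https"
    low, _, high = port_spec.partition("-")
    return int(low) <= 443 <= int(high or low)


def audit(config):
    """Return (code, line) findings for the url-server and filter statements."""
    servers, rules, exempt, findings = [], [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            servers.append((ipaddress.ip_address(m.group(1)), line))
        elif m := FILTER_RE.match(line):
            kind, port, lip, lmask, fip, fmask = m.groups()
            local = ipaddress.ip_network(f"{lip}/{lmask}", strict=False)
            foreign = ipaddress.ip_network(f"{fip}/{fmask}", strict=False)
            if port.lower() == "except":
                # Simplification: any 'except' line counts as an exemption.
                exempt.append(local)
                continue
            rules.append(local)
            if kind.lower() == "url" and covers_443(port):
                findings.append(("HTTPS_ON_FILTER_URL", line))  # use 'filter https'
            if foreign.prefixlen != 0:
                findings.append(("DESTINATION_NOT_ANY", line))  # only one site is checked
    for host, line in servers:
        filtered = any(host in net for net in rules)
        if filtered and not any(host in net for net in exempt):
            findings.append(("SERVER_NOT_EXEMPT", line))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the first two findings on the `filter url 443` line; the corrected lines from the reply above produce none.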