Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5140
Views
0
Helpful
3
Replies

Integrating Websense with Cisco ASA

dharmendra2shah
Level 1
Level 1

‎12-17-2009 10:31 AM - edited ‎03-11-2019 09:49 AM

We have a Cisco ASA firewall in our office. This firewall is used to isolate consultants working for us on a project for us in a seperate network. They bring their own laptop and connect it to consultant subnet. These consultants are only allowed to access internet (http/https traffic) or vpn etc. The firewall rules are implemented on outside interface. To access internet they have to go through our Inside interface & eventually through our Enterprise firewall (seperate from this).

The outside interface (security 0) of Cisco ASA is connected to consultants subnet & inside interface (security 100) is connected to out Production netowrk.

We are trying to implement WebSense integration with Cisco ASA 5510. I have followed instructions from Cisco configuration guide to configure filter rules & specifing url server. But it is not working.

After troubleshooting the problems I found out that HTTP request that originate from a high security level interface destined for a lower security level will trigger the URL filtering. But a HTTP request that originates on a lower security level interface destined for a higher security level interface will skip the URL filtering.

I suspect that the issue lies somewhere with interface security levels and URL filtering. Security levels of the ASA interface are as follows:

Inside interface security level: 100

Outside interface security level 0

So before I go messing with security levels, I wanted to get a 2nd opinion on this issue.

Labels:
0 Helpful
3 Replies 3

PAUL GILBERT ARIAS
Level 5
Level 5

‎12-17-2009 02:36 PM

Can you tell what are the commands that you have applied on the ASA related to the URL filtering?

Please attach the show run url-server and the show run filter.

I believe that you are missing the filter command on the lower security interface.

0 Helpful

Parminder Sian
Level 1
Level 1
In response to PAUL GILBERT ARIAS

‎12-17-2009 10:22 PM

Hi,

For Websence, only traffic flow from higher to lower security is filtered.

Workaround : Configure another router on a DMZ interface of the ASA and loop the
remote traffic back to the dmz interface of the ASA. This flow now would appear to come
from higher to lower security (dmz --->outside) and then to the internet. Websense can
hence filter this traffic.

Hope this helps.

Regards,

Sian

0 Helpful

dharmendra2shah
Level 1
Level 1
In response to Parminder Sian

‎12-22-2009 09:07 AM

Parminder,

So you also agree that traffic from Higher to lower security is filtered but not the other way round. I did not find any references where Cisco have mentioned about that fact. Do you think I should open a TAC case with Cisco or should I just go with the work around suggested by you. Or is it from Cisco. Let me know....

Also let me know what implications I will have if I change the security number of Outside to 100 & inside to 0.As the traffic is still controlled by access-list applied on inside interface & outside interface.

Thanks, Ds

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card