We have a Cisco ASA firewall in our office. This firewall is used to isolate consultants working for us on a project in a separate network. They bring their own laptop and connect it to the consultant subnet. These consultants are only allowed to access the internet (http/https traffic) or vpn etc. The firewall rules are implemented on the outside interface. To access the internet they have to go through our Inside interface & eventually through our Enterprise firewall (separate from this).
The outside interface (security 0) of the Cisco ASA is connected to the consultants subnet & the inside interface (security 100) is connected to our Production network.
We are trying to implement WebSense integration with a Cisco ASA 5510. I have followed instructions from the Cisco configuration guide to configure filter rules & specifying the url server. But it is not working.
After troubleshooting the problems I found out that an HTTP request that originates from a high security level interface destined for a lower security level will trigger the URL filtering. But an HTTP request that originates on a lower security level interface destined for a higher security level interface will skip the URL filtering.
I suspect that the issue lies somewhere with interface security levels and URL filtering. Security levels of the ASA interface are as follows:
Inside interface security level: 100
Outside interface security level: 0
So before I go messing with security levels, I wanted to get a 2nd opinion on this issue.
For Websense, only traffic flow from higher to lower security is filtered.
Workaround: Configure another router on a DMZ interface of the ASA and loop the remote traffic back to the dmz interface of the ASA. This flow now would appear to come from higher to lower security (dmz ---> outside) and then to the internet. Websense can hence filter this traffic.
So you also agree that traffic from higher to lower security is filtered but not the other way round. I did not find any references where Cisco has mentioned that fact. Do you think I should open a TAC case with Cisco or should I just go with the workaround suggested by you. Or is it from Cisco. Let me know....
Also let me know what implications I will have if I change the security number of Outside to 100 & inside to 0, as the traffic is still controlled by the access-lists applied on the inside interface & outside interface.
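As an added illustration (not configuration posted in this thread) of the rule the thread keeps coming back to, that `filter url` only inspects HTTP that enters on a higher security-level interface and leaves on a lower one, here is a minimal ASA configuration in which the consultant-facing interface is given the higher security level and the interface toward the enterprise firewall the lower one, so that consultant HTTP is the higher-to-lower flow. Interface names, addresses, the Websense server address and the consultant subnet are placeholders; the access-lists stand in for the ones the poster says already restrict consultants to http/https, and the reply's DMZ-router loop is not shown because the thread gives no routing details for it.

```cisco
! Added example ASA configuration; addresses and names are placeholders.
!
! Consultant subnet on the HIGHER security level, so that requests from it
! toward the enterprise firewall are a higher-to-lower flow (the only
! direction the thread reports Websense filtering applies to).
interface Ethernet0/0
 nameif consultants
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Interface toward the production network / enterprise firewall, LOWER level.
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
! Higher-to-lower traffic is permitted by default; these ACLs are what
! actually restrict consultants to web traffic, so they are applied on
! both interfaces regardless of the security levels.
access-list CONSULTANTS_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list CONSULTANTS_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq https
access-list CONSULTANTS_IN extended deny ip any any
access-group CONSULTANTS_IN in interface consultants
!
! Nothing from the production side may initiate connections to consultants.
access-list INSIDE_IN extended deny ip any 192.0.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Websense server reachable via the inside interface (placeholder address).
url-server (inside) vendor websense host 10.0.0.50 timeout 30 protocol TCP version 4
!
! Filter HTTP from any local (higher-security) host to any destination.
! "allow" makes the ASA fail open when the url-server is unreachable;
! omit it to fail closed.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
```

After applying this, `show url-server` should report the Websense host as UP and `show url-cache statistics` should start counting lookups once consultants browse; if the counters stay at zero, the request is still not being seen as a higher-to-lower flow.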