Cisco Support Community

New Member

need help with ASA as it relates to URL filtering

We have an ASA firewall with 3 active interfaces on it: inside, outside, and a DMZ interface. We have workstations in the DMZ that only communicate with the internet. The security level for this interface is 50. There are no ACLs or NATs in place, as the DMZ segment should not be communicating with the inside network. However, we have a Websense server and want to enable URL filtering on it to filter the internet-bound traffic for the DMZ segment. The server is on the inside network and currently functions fine for filtering traffic for inside hosts. Apparently a while back someone tried to enable the filtering for the DMZ and it never worked, so they disabled it. I don't have any details on it or why it didn't work. All I can tell you at this point is they want to try it again. How does this work for the DMZ internet-bound requests? Does the ASA make the request on behalf, or do I need to allow the HTTP requests for the DMZ segment into the inside to the Websense server? What is needed to make this work? I believe the inside network does have a route to the DMZ segment, as an FYI.

7 REPLIES

Re: need help with ASA as it relates to URL filtering

You'll need to create a static NAT so the DMZ servers can talk to the websense server. You should create an ACL and apply it to the dmz interface, only allowing necessary ports/protocols.

static (inside,dmz) [websense server ip] [websense server ip] netmask 255.255.255.255

You'll need to create a static for each internal server you want to talk to (if you use your private DNS server for the DMZ servers).

Hope that helps

New Member

Re: need help with ASA as it relates to URL filtering

OK, so you are saying I need to create a NAT for the Websense server, then create an ACL for the DMZ interface, allowing HTTP/HTTPS traffic to the Websense box? I'm confused as to where in the process the ASA itself comes in as far as communicating with Websense. If I am a workstation in the DMZ, and I make an internet request, I send a packet to the DMZ interface on the ASA. At this point I would think no ACL would come into play. And then the ASA would see that it's supposed to forward the request to the Websense server. So at that point, is the source IP the firewall or the workstation when it hits the Websense server?

Re: need help with ASA as it relates to URL filtering

I'm assuming you have the proxy information configured in your browsers. Is that correct or are you running WCCP?

New Member

Re: need help with ASA as it relates to URL filtering

No, there is no proxy info configured. All of the workstations in the DMZ are wireless guests, who only need to connect to the internet. We just want to be able to filter it through Websense first, but are unsure as to how.

Re: need help with ASA as it relates to URL filtering

Are your internal clients' browsers configured, or are you using WCCP?

New Member

Re: need help with ASA as it relates to URL filtering

Not sure where you are going with this. No, the internal clients are not using a proxy either, and we are not running WCCP. The firewall intercepts the internet requests from users on the inside when they go to the internet, and sends it back inside to the Websense server. There is nothing hardcoded on the workstation to make this work.
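
Added example, not part of any post in this thread: a sketch of the ASA-side URL filtering configuration that matches the behaviour described in the post above, extended with a line for the DMZ guests. All addresses are constructed placeholders (10.10.10.50 for the Websense server, 10.10.10.0/24 for inside, 192.168.50.0/24 for the DMZ), and it assumes an ASA software release that still supports the legacy `url-server` and `filter url` commands.

```cisco
! Constructed placeholder addresses; substitute your own.
! The ASA itself sends the URL lookups to the filtering server, sourced
! from the interface named in parentheses (here: inside).
url-server (inside) vendor websense host 10.10.10.50 protocol TCP version 4

! Existing behaviour: filter outbound HTTP from inside hosts.
! Arguments: local_ip local_mask foreign_ip foreign_mask
filter url http 10.10.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

! Added line: filter outbound HTTP from the DMZ guest segment as well.
! The local address and mask must match the DMZ subnet, otherwise DMZ
! requests never trigger a lookup.
filter url http 192.168.50.0 255.255.255.0 0.0.0.0 0.0.0.0

! "allow" makes the rule fail open: if the Websense server is unreachable,
! HTTP passes unfiltered. Without it (as on the DMZ line) the rule fails
! closed and outbound HTTP is blocked until the server is back.
```

`show url-server statistics` and `show filter` on the ASA show whether lookups are being sent and which filter rules are configured.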

New Member

Re: need help with ASA as it relates to URL filtering

In our company we have a proxy server that filters URLs, but it is located in the DMZ. Our clients are located on the inside interface and we just make an ACL so that all web requests are redirected to our proxy server.
