VPN & Websense

ronshuster
Level 1

We have Websense running in the environment. The core switches (CAT6500) use a SPAN port to send Internet-destined traffic to Websense, and that works just fine. However, we have Remote Access VPN users that terminate on an ASA5520, and their traffic is not going through Websense, as the SPANning is done on the INSIDE interface of the firewall and the VPN is on the OUTSIDE of the firewall.

An idea that was proposed was to create a route map that catches traffic that is:

- remote access VPN traffic (based on the IP pool), and

- coming from the outside interface,

and make the default route for this traffic the internal network. This way, users who come in as remote access VPN will come from the INSIDE when hitting the Internet.

Will that work?

6 Replies

andrew.prince
Level 10

Ron,

Why don't you just configure the firewall to send traffic to the Websense server?

Create an exception for the traffic being handled by the core switches; then everything else (including the RA VPN traffic) gets sent.

HTH

Andrew is correct...

If not already configured, set up the ASA to talk to Websense:

url-server (inside) vendor websense host x.x.x.x timeout 30 protocol TCP version 4 connections X

Then, filter the traffic from the VPN. Assuming this traffic is on a separate subnet or IP pool, it should be this easy:

filter https 443 0 0 0 0

filter url http 0 0 0 0

Configuring the ASA to talk to Websense was in fact plan A, but I had to roll back to the SPAN port, because the configuration you recommend is limited to a specific number of ports. We want Websense to monitor ALL ports; that is why we SPAN the INSIDE interface of the firewall to Websense.

What about creating a route-map on the firewall to send traffic coming from the RA VPN to the core switches? Will that work?

The ASA does not support PBR.

Confused: when you say "limited to a specific number of ports", please explain.

Hi Andrew,

By that I mean, if you enable the URL filtering on the firewall (in the global config) as opposed to using a SPAN port, you can only capture so many protocols. Take a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Look at the following section:

Configure the ASA/PIX with ASDM

Step #5

So when you add a rule, you are limited to only those ports. We need to be able to capture ALL outgoing ports to the Internet on Websense. This applies to remote access VPN users, hence the need to use this as opposed to SPANning. But again, we cannot be limited by ports.

How did you resolve this issue?

I am not sure I completely understand; the Websense config in the ASA is a "URL/HTTP/HTTPS" redirect/scanning tool.

If you are worried about "other" protocols/ports getting by the Websense filter from the ASA, the solution is easy.

Write an ACL for traffic coming into the inside interface that only allows HTTP/HTTPS and other network-related tools, like ICMP/SMTP/IMAP & POP3.

Even if users try to HTTP tunnel, Websense will catch it. If you also log the explicit deny any any at the end of the ACL, you will see the naughty connection attempts for P2P etc.

HTH
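Putting the two suggestions from this thread together (the url-server/filter commands from the first reply and the restrictive inside ACL with a logged deny from the last one), here is an added ASA configuration example. It is not from any poster and not Cisco's own example; the Websense server address 192.0.2.10, the remote-access pool 10.10.10.0/24 and the ACL name INSIDE_IN are placeholders.

```cisco
! Added example (not from the thread). Addresses and names are placeholders.
!
! 1. Point the ASA at the Websense server (same form as the command quoted
!    in the reply, with a placeholder host and the default connection count).
url-server (inside) vendor websense host 192.0.2.10 timeout 30 protocol TCP version 4 connections 5
!
! 2. Send HTTP and HTTPS requests to Websense only when the source is the
!    remote-access VPN pool. The "0 0 0 0" form in the reply matches every
!    source; narrowing it to the pool keeps the inside users, who are already
!    covered by the SPAN port, out of the ASA's filter path.
filter url http 10.10.10.0 255.255.255.0 0 0
filter https 443 10.10.10.0 255.255.255.0 0 0
!
! 3. Inside-interface ACL from the last reply: permit only web, mail and ICMP,
!    and log every other attempt so tunnelling and P2P show up in syslog.
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
access-list INSIDE_IN extended permit tcp any any eq smtp
access-list INSIDE_IN extended permit tcp any any eq imap4
access-list INSIDE_IN extended permit tcp any any eq pop3
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

One caveat for the original poster's case: an ACL applied to the inside interface only sees traffic that arrives there, and remote-access VPN traffic enters the ASA on the outside interface. The same port restriction for VPN users would have to be applied where their traffic enters, for example as a vpn-filter ACL in the group policy, which is outside what this thread covers. The `deny ip any any log` line is what produces the syslog records the last reply refers to; without the `log` keyword the implicit deny is silent.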
