We have Websense running in the environment. The core switches (CAT6500) use a SPAN port to traverse Internet-destined traffic to Websense and that works just fine. However, we have Remote Access VPN users that terminate on an ASA5520 and their traffic is not going through Websense, as the SPAN'ing is done on the INSIDE interface of the firewall and VPN is on the OUTSIDE of the firewall.
An idea that was proposed was:
Create a route map that catches traffic that:
- is remote access VPN traffic (based on the IP pool) and that
- is coming from the outside interface
and make the default route for this traffic the internal network. This way users who come as remote access VPN will come from the INSIDE when hitting the Internet.
Configuring the ASA to talk to Websense was in fact plan A, but I had to roll back to the spanning port, because the configuration you recommend is limited to a specific number of ports. We want Websense to monitor ALL ports, which is why we span the INSIDE interface of the firewall to Websense.
What about creating a route-map on the firewall to send traffic coming from RA VPN to the core switches? Will that work?
So when you add a rule, you are limited only to those ports. We need to be able to capture ALL outgoing ports to the Internet on Websense; this applies to remote access VPN users, thus the need to use this as opposed to spanning. But again, we cannot be limited by ports.