URL filtering on ASA across tunnel

jvardhan29
Level 1

Hi,

I am not sure which section to put this thread in, whether firewall or VPN. I want to know if we can configure URL filtering with Websense across the VPN. If yes, how can we do the same, and can we do it for both site-to-site and remote access? Consider the following example with Websense on the DMZ of ASA1. Now, if Site 2 wants to send its users across to Site 1 for URL filtering and then U-turn them out via its (ASA1) internet (using the ASA1 external interface), is that possible?

(192.168.3.0) Site1---ASA1----VPN---ASA2---Site 2 (10.22.22.0)


9 Replies

Hi,

I don't see why it cannot be done if you send the traffic through the tunnel to reach the ASA in site 1.

The traffic can be filtered and then go back out to the Internet.

Federico.

Hi,

I would appreciate it if someone could provide me a sample config, as I need to put it in production soon. Also, I want to know if the same can be configured for remote access and LAN-to-LAN tunnels as well.

Folks,

Let me know if this is possible or not; it seems to be possible, but I am not able to build any logic.

I don't have a sample configuration but... if you configure the URL filtering on ASA-2:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html#wp1042342

The PCs will need to contact the Websense (on the DMZ of ASA-1) through the VPN tunnel.

The Websense will make its decision, and based on that, traffic will or will not be allowed out.

I would like to know if you have a specific question.

Federico.

Federico,

Basically, ASA2 users should use the internet of ASA1, but before that URL filtering needs to be implemented.

1) Considering that the URL-filter related commands will be on ASA1

When the users at ASA2 (10.22.22.0) hit ASA1 for a URL, will it be intercepted by ASA1 to be sent to the internet and the URL server simultaneously? If yes, how? As the actual traffic is coming from outside and going to the DMZ, I believe we would certainly require a crypto ACL for the same, but when the URL server initiates traffic on behalf of the user (10.22.22.0), is it possible that the traffic goes like this: [coming from outside - going to DMZ - returning back to outside for a request to the website]?

2) Considering the URL-filter commands will be on ASA2

Is there any possibility we can make it work by configuring URL filtering on ASA2 also and then U-turning the traffic out via the ASA1 outside interface for internet? If possible, explain the packet flow.

Considering this scenario:

(192.168.3.0) Site1---ASA1----VPN---ASA2---Site 2 (10.22.22.0)

If you configure URL filtering on ASA2 for 10.22.22.0, then ASA2 will intercept HTTP traffic and send it over to the URL server on the ASA1 DMZ.

If the server does not have a public IP, you can create an IPsec tunnel between both ASAs.

ASA1 can U-turn the traffic back out to the internet (after being checked by the URL server).

Federico.

Hi Jayesh,

(192.168.3.0) Site1---ASA1----VPN---ASA2---Site 2 (10.22.22.0)

Now I can see 2 ways of implementing it:

1) URL filtering config on ASA1: With this configured, and also the ASA2 configured to send all internet traffic to ASA1, when ASA1 sees the initial GET request for a site, it will forward the request to both the URL-filter server and the web server. Now, when the web server replies to this request, ASA1 will decide to drop it or forward it based on the response from the Websense server.

2) URL filtering config on ASA2: Again with this configured, and also the ASA2 configured to send all internet traffic to ASA1, when ASA2 sees the initial GET request, it will send traffic to the URL-filtering server on the ASA1 DMZ in addition to the web server. Please note that this request packet to the Websense server will have a source IP of ASA2's outside interface and a destination IP of the URL filter server, so we need to ensure the following 2 things:

++ the crypto ACL on ASA2 includes an entry from ASA2's outside interface IP to the DMZ IP of the Websense server, and vice versa on ASA1.

++ a NAT exemption is configured on the ASA1 DMZ (an ACL pointing from the DMZ IP of the Websense server to the outside IP of ASA2).

The working in this case is going to be similar. When ASA2 sees the web server's reply to the initial GET request, it will decide to drop it or forward it over to the client based on the response from the Websense.

Please let me know if this clarifies things.

Cheers,

Prapanch
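As an added example (my own, not part of the original thread and not Cisco's published sample), here is scenario 2 from the reply above written out in the pre-8.3 `nat`/`global` syntax this thread uses. The addresses 198.51.100.1 (ASA2 outside) and 172.16.1.10 (Websense on the ASA1 DMZ), the interface names `inside`/`outside`/`dmz` and the ACL names are all assumptions; the ISAKMP policy, crypto map, tunnel-group and the outside interface ACLs are taken as already built and are not shown.

```cisco
! ===== ASA2 (Site 2, 10.22.22.0/24 behind it) - URL filtering lives here =====
! Assumed addresses: ASA2 outside = 198.51.100.1, Websense on ASA1 DMZ = 172.16.1.10
!
! Crypto ACL: all Site 2 traffic goes to ASA1 (the Internet is reached through the
! tunnel), plus the lookups ASA2 itself sources from its outside IP to Websense.
access-list outside_cryptomap extended permit ip 10.22.22.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip host 198.51.100.1 host 172.16.1.10
!
! Do not translate Site 2 traffic that enters the tunnel
access-list inside_nat0_outbound extended permit ip 10.22.22.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
!
! URL server is reached via the outside interface, i.e. inside the tunnel
url-server (outside) vendor websense host 172.16.1.10 timeout 30 protocol TCP version 4
!
! Hold HTTP from Site 2 to anywhere until Websense answers. The trailing "allow"
! fails open when the URL server is unreachable; remove it for fail-closed behaviour.
filter url http 10.22.22.0 255.255.255.0 0 0 allow
!
! ===== ASA1 (Site 1, Websense 172.16.1.10 on the DMZ) =====
! Crypto ACL: mirror of ASA2's, including the Websense <-> ASA2-outside host pair
access-list outside_cryptomap extended permit ip any 10.22.22.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 172.16.1.10 host 198.51.100.1
!
! NAT exemption on the DMZ so Websense talks to ASA2's outside IP untranslated
! (nat 0 with an ACL is bidirectional, so it also covers the ASA2 -> Websense direction)
access-list dmz_nat0_outbound extended permit ip host 172.16.1.10 host 198.51.100.1
nat (dmz) 0 access-list dmz_nat0_outbound
!
! U-turn: decrypted Site 2 traffic arrives on outside and leaves on outside again,
! PATed to ASA1's own outside address
same-security-traffic permit intra-interface
nat (outside) 1 10.22.22.0 255.255.255.0
global (outside) 1 interface
```

Two things to check once this is in place: `show crypto ipsec sa` on either ASA should list an SA for the host pair 172.16.1.10 / 198.51.100.1 in addition to the 10.22.22.0/24 one, and `show url-server statistics` on ASA2 should show the Websense server as UP with its lookup counters increasing while a Site 2 client browses. If the host-pair SA never comes up, the lookups are leaving ASA2 in the clear and Websense is unreachable, which with `allow` configured means HTTP silently passes unfiltered.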

Prapanch,

Thanks for helping on this! One more question: what will be the command for Websense URL filtering in scenario 2?

In ASA2:

url-server (outside) vendor websense host <IP Address>

Also, in scenario 1, since the packet is coming from the outside (i.e. from ASA2), ASA1 (on which URL filtering is configured) will intercept it and send one request to the Websense and one to the actual web server. Since the actual server is also outside of the ASA and the original packet is also coming from outside, are there any issues you can foresee that may occur?

Hi Jayesh,

The command looks ok to me.

Regarding the 2nd query on scenario 1, you need to have U-turning configured on ASA1 to allow internet access for those users behind ASA2. The commands would be as below:

nat (outside) 1 10.22.22.0 255.255.255.0

global (outside) 1 interface    (this might already be in place in your config)
same-security-traffic permit intra-interface

Hope that helps!!

Cheers,

Prapanch
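For completeness, the ASA1 side of scenario 1 (filtering on ASA1, which is what the U-turn commands above are for), as an added example of my own rather than Prapanch's or Cisco's configuration, again in pre-8.3 syntax with the same assumed addresses (172.16.1.10 for Websense on the DMZ, 198.51.100.1 for ASA2's outside) and interface names. In this design the lookups are sourced by ASA1 from its own DMZ interface, so no ASA2-to-Websense crypto entry or DMZ NAT exemption is needed; ASA2 only needs the crypto ACL and NAT exemption that already send 10.22.22.0/24 into the tunnel. I also filter the local Site 1 LAN, which the thread does not discuss but which uses the same `filter url` line.

```cisco
! ===== ASA1 (Site 1, Websense 172.16.1.10 on the DMZ) - scenario 1 =====
! Assumed: interfaces inside/outside/dmz, ASA2 outside IP 198.51.100.1, pre-8.3 NAT syntax.
!
! Crypto ACL: everything destined for Site 2 goes back through the tunnel. This also
! catches the Internet replies once they are un-PATed back to 10.22.22.0/24.
access-list outside_cryptomap extended permit ip any 10.22.22.0 255.255.255.0
!
! Websense sits directly on the DMZ, so the lookups are local to ASA1 and never touch the VPN
url-server (dmz) vendor websense host 172.16.1.10 timeout 30 protocol TCP version 4
!
! Filter HTTP for the local LAN and for the remote site. local_ip in "filter url" is the
! client address, so the Site 2 range matches even though it arrives on the outside interface.
filter url http 192.168.3.0 255.255.255.0 0 0
filter url http 10.22.22.0 255.255.255.0 0 0
!
! U-turn: Site 2 traffic is decrypted on outside and must leave on outside again
same-security-traffic permit intra-interface
nat (outside) 1 10.22.22.0 255.255.255.0
global (outside) 1 interface
!
! Default, shown explicitly: decrypted tunnel traffic bypasses the outside interface ACL,
! so the Site 2 range does not need a permit entry in that ACL for the U-turn to work
sysopt connection permit-vpn
!
! Verification while a Site 2 client browses:
!   show url-server statistics   - server UP, allowed/denied counters moving
!   show xlate                   - 10.22.22.x entries PATed to the outside interface address
!   show crypto ipsec sa         - encaps/decaps counters increasing for 10.22.22.0/24
```

The one packet-flow point worth keeping in mind for Jayesh's last question: in scenario 1 the client's GET arrives on outside, the Websense lookup goes out of the DMZ and back, and the GET itself leaves on outside again through the PAT; the web server's reply is held by ASA1 until the Websense verdict arrives, so a slow or unreachable URL server shows up to the user as a hanging page rather than as a block.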