
ASA Port mirrored with Websense filter: Need Clarification

Hello,

I have a doubt: "How does Websense filter INSIDE host web traffic only by mirroring the traffic coming to the INSIDE interface of the firewall?"

I will explain the scenario I saw.

Internet traffic from all the INSIDE PCs is going through the firewall, and NATing is happening in the firewall.

In the Websense filter system there are two interfaces. One is connected to the LAN (INSIDE network) and the other is the mirrored (SPAN) port of the firewall INSIDE interface (which captures all the traffic going from all the inside PCs to the firewall).

Now if we browse to one of the blocked websites, we get the "Blocked" message page of Websense.

My doubt is: how can Websense interfere in the communication between the host and the firewall (because it is only capturing traffic to the firewall)?

I did a packet capture for the blocked traffic. I noticed the PC is able to resolve the IP of the website, and in the 3-way handshake between the PC and the website, whatever packets the PC sends have a header checksum error. (I am not sure whether Websense is causing this error.)
After the 3-way handshake, the PC sends GET / HTTP/1.1 to the web server, and the web server replies with HTTP/1.0 302 Moved, and the location is the block page of Websense (http://<Websense ip>/blockpage).

So how is Websense interfering in this communication with only one mirrored port and one LAN port? (Or does any other config need to be done in the network to work like this?)

And I am still able to ping the blocked website.


Can anyone help me to understand this?
