ASA Port mirrored with Websense filter : Need Clarification
I have a doubt: "How does Websense filter INSIDE host web traffic only by mirroring the traffic coming to the INSIDE interface of the firewall?"
I will explain the scenario I saw.
From all the INSIDE PCs, Internet traffic is going through the firewall, and NATing is happening in the firewall.
In the Websense filter system there are two interfaces. One is connected to the LAN (INSIDE network) and the other is the mirrored (SPAN) port of the firewall INSIDE interface (which captures all the traffic going from all the inside PCs to the firewall).
Now if we browse one of the blocked websites, we get the "Blocked" message page of Websense.
My doubt is: how can Websense interfere in the communication between the host and the firewall (because it is only capturing traffic to the firewall)?
I did a packet capture for the blocked traffic. I noticed the PC is able to resolve the IP of the website, and in the 3-way handshake between the PC and the website, whatever packets the PC sends have a header checksum error. (I am not sure whether Websense is making this error.) After the 3-way handshake, the PC sends GET / HTTP/1.1 to the web server, and the web server replies with HTTP/1.0 302 Moved, where the location is the block page of Websense (http://<Websense ip>/blockpage).
So how is Websense interfering in this communication with only one mirrored port and one LAN port? (Or does any other config need to be done in the network for it to work like this?)
And I am still able to ping the blocked website.