topic Re: Allow mode on for ASA? in Network Security

Allow mode on for ASA?

pugs17211721 — Mon, 11 Mar 2019 18:22:02 GMT

We are setting up a websense url-filter for our location. We have the following set up for our routers that are doing auth-proxy and we have no issues with this.

    ip inspect name websenseinternet http urlfilter
    ip urlfilter urlf-server-log
    ip urlfilter server vendor websense 172.20.63.75
    ip urlfilter allow-mode on

These commands suit my company's needs no problem. We had to put the allow-mode on becasue the server locked up one day and the routers were denying all internet traffic.

My question, is there any allow-mode on commands for pix/asa devices? Any help will be greatly appreciated.

Re: Allow mode on for ASA?

mirober2 — Fri, 06 Aug 2010 13:54:16 GMT

Hello,

The equivalent functionality on the ASA is to use the 'allow' keyword when you setup the 'filter url' command that passes traffic to the filtering server. Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933061



allow



When the server is unavailable, let outbound connections pass through 
the security appliance without filtering. If you omit this option, and 
if the N2H2 or Websense server goes off line, the security appliance 
stops outbound port 80 (Web) traffic until the N2H2 or Websense server 
is back on line.

Hope that helps.

-Mike

Re: Allow mode on for ASA?

Nagaraja Thanthry — Fri, 06 Aug 2010 13:55:11 GMT

Hello,

Yes, even pix/ASA have allow mode. At the end of "filter" statement you need

to add "allow" keyword which will ensure that the firewall will forward

traffic when the filtering server is unavailable.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration

_example09186a008088517b.shtml

Hope this helps.

Regards,