https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445864#M766635 <HTML><HEAD></HEAD><BODY><P>Hi Bo,</P><P></P><P>You can configure url filtering on the ASA so that the request are first sent to the filtering server before it can be processed. The ASA supports N2H2 or websense for filtering. This can be configured as follows:</P><P></P><P>I am assuming that the ip address of the filtering server is 10.0.1.1 and it is located on the inside.</P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1">Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.20 host:</P><A name="wp1409812"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">url-server (inside) vendor n2h2 host 10.0.1.1 </STRONG></PRE></DIV><A name="wp1409816"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url http 0 0 0 0 </STRONG></PRE></DIV><A name="wp1409820"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url except 10.0.2.20 255.255.255.255 0 0 </STRONG></PRE></DIV><DIV class="pPreformatted"><PRE class="pPreformatted"><A name="wp1409822"></A><BR /></PRE></DIV><A name="wp1409823"></A><P class="pB1_Body1">Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.20 host:</P><A name="wp1409826"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">url-server (inside) vendor websense host 10.0.1.1 protocol TCP version 4 </STRONG></PRE></DIV><A name="wp1409830"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url http 0 0 0 0 </STRONG></PRE></DIV><A name="wp1409834"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url except 10.0.2.20 255.255.255.255 0 0</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">If you want to filter https traffic also, then we would need the following as well</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">filter https 0 0 0 0 0</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">Also, it would be best to use the "allow" keyword at the end of the filter statements, so that if the filtering server goes down, the internet access is not lost, as follows:</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">filter url http 0 0 0 0 allow</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">HTH</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">Ashu </STRONG></PRE></DIV><P></P></BODY></HTML> Tue, 27 Apr 2010 20:36:12 GMT astripat 2010-04-27T20:36:12Z https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445863#M766623 <P>Hello All-</P><P>How can I configure my ASA or router to send the web traffic to McAfee smartfilter server before the user can browse the Internet</P><P></P><P></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">I can get out to the internet bypassing the proxy.&nbsp; Now the next step is to see how I get smartfilter working</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; "> </SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">This is what I put on my router</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; "> </SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; "> </SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">ip nat inside source list NatAccessList interface Ethernet1 overload</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">!</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">ip access-list extended NatAccessList</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; "> permit ip 10.0.0.0 0.255.255.255 any</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">!</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Interface e1</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Ip nat outside</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">!</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Interface e0</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Ip nat inside</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Thanks</SPAN></P><P class="MsoNormal"><SPAN style="font-size: 10pt; font-family: Arial; ">Bo</SPAN></P> Mon, 11 Mar 2019 17:37:57 GMT https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445863#M766623 bghobadi2 2019-03-11T17:37:57Z https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445864#M766635 <HTML><HEAD></HEAD><BODY><P>Hi Bo,</P><P></P><P>You can configure url filtering on the ASA so that the request are first sent to the filtering server before it can be processed. The ASA supports N2H2 or websense for filtering. This can be configured as follows:</P><P></P><P>I am assuming that the ip address of the filtering server is 10.0.1.1 and it is located on the inside.</P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1">Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.20 host:</P><A name="wp1409812"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">url-server (inside) vendor n2h2 host 10.0.1.1 </STRONG></PRE></DIV><A name="wp1409816"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url http 0 0 0 0 </STRONG></PRE></DIV><A name="wp1409820"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url except 10.0.2.20 255.255.255.255 0 0 </STRONG></PRE></DIV><DIV class="pPreformatted"><PRE class="pPreformatted"><A name="wp1409822"></A><BR /></PRE></DIV><A name="wp1409823"></A><P class="pB1_Body1">Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.20 host:</P><A name="wp1409826"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">url-server (inside) vendor websense host 10.0.1.1 protocol TCP version 4 </STRONG></PRE></DIV><A name="wp1409830"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url http 0 0 0 0 </STRONG></PRE></DIV><A name="wp1409834"></A><DIV class="pEx1_Example1"><PRE>hostname(config)# <STRONG class="cBold">filter url except 10.0.2.20 255.255.255.255 0 0</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">If you want to filter https traffic also, then we would need the following as well</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">filter https 0 0 0 0 0</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">Also, it would be best to use the "allow" keyword at the end of the filter statements, so that if the filtering server goes down, the internet access is not lost, as follows:</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">filter url http 0 0 0 0 allow</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">HTH</STRONG></PRE><PRE></PRE><PRE><STRONG class="cBold">Ashu </STRONG></PRE></DIV><P></P></BODY></HTML> Tue, 27 Apr 2010 20:36:12 GMT https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445864#M766635 astripat 2010-04-27T20:36:12Z https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445865#M766645 <HTML><HEAD></HEAD><BODY><P>Hi Ashu,</P><P>I will get it try.</P><P></P><P>Thanks a lot.</P><P></P><P>Bo</P></BODY></HTML> Wed, 28 Apr 2010 12:55:22 GMT https://community.cisco.com/t5/network-security/directing-traffic-through-mcafee-smartfilter/m-p/1445865#M766645 bghobadi2 2010-04-28T12:55:22Z