topic Re: Integrating Websense with Cisco ASA in Network Security

Integrating Websense with Cisco ASA

dharmendra2shah — Mon, 11 Mar 2019 16:49:47 GMT

We have a Cisco ASA firewall in our office. This firewall is used to isolate consultants working for us on a project for us in a seperate network. They bring their own laptop and connect it to consultant subnet. These consultants are only allowed to access internet (http/https traffic) or vpn etc. The firewall rules are implemented on outside interface. To access internet they have to go through our Inside interface & eventually through our Enterprise firewall (seperate from this).

The outside interface (security 0) of Cisco ASA is connected to consultants subnet & inside interface (security 100) is connected to out Production netowrk.

We are trying to implement WebSense integration with Cisco ASA 5510. I have followed instructions from Cisco configuration guide to configure filter rules & specifing url server. But it is not working.

After troubleshooting the problems I found out that HTTP request that originate from a high security level interface destined for a lower security level will trigger the URL filtering. But a HTTP request that originates on a lower security level interface destined for a higher security level interface will skip the URL filtering.

I suspect that the issue lies somewhere with interface security levels and URL filtering. Security levels of the ASA interface are as follows:

Inside interface security level: 100

Outside interface security level 0

So before I go messing with security levels, I wanted to get a 2nd opinion on this issue.

Re: Integrating Websense with Cisco ASA

PAUL GILBERT ARIAS — Thu, 17 Dec 2009 22:36:09 GMT

Can you tell what are the commands that you have applied on the ASA related to the URL filtering?

Please attach the show run url-server and the show run filter.

I believe that you are missing the filter command on the lower security interface.

Re: Integrating Websense with Cisco ASA

Parminder Sian — Fri, 18 Dec 2009 06:22:21 GMT

Hi,

For Websence, only traffic flow from higher to lower security is filtered.

Workaround : Configure another router on a DMZ interface of the ASA and loop the
remote traffic back to the dmz interface of the ASA. This flow now would appear to come
from higher to lower security (dmz --->outside) and then to the internet. Websense can
hence filter this traffic.

Hope this helps.

Regards,

Sian

Re: Integrating Websense with Cisco ASA

dharmendra2shah — Tue, 22 Dec 2009 17:07:15 GMT

Parminder,

So you also agree that traffic from Higher to lower security is filtered but not the other way round. I did not find any references where Cisco have mentioned about that fact. Do you think I should open a TAC case with Cisco or should I just go with the work around suggested by you. Or is it from Cisco. Let me know....

Also let me know what implications I will have if I change the security number of Outside to 100 & inside to 0.As the traffic is still controlled by access-list applied on inside interface & outside interface.

Thanks, Ds