cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1415
Views
5
Helpful
2
Replies

Allow mode on for ASA?

pugs17211721
Level 1
Level 1

We are setting up a websense url-filter for our location. We have the following set up for our routers that are doing auth-proxy and we have no issues with this.

    ip inspect name websenseinternet http urlfilter
    ip urlfilter urlf-server-log
    ip urlfilter server vendor websense 172.20.63.75
    ip urlfilter allow-mode on

These commands suit my company's needs no problem. We had to put the allow-mode on becasue the server locked up one day and the routers were denying all internet traffic.

My question, is there any allow-mode on commands for pix/asa devices? Any help will be greatly appreciated.

2 Accepted Solutions

Accepted Solutions

mirober2
Cisco Employee
Cisco Employee

Hello,

The equivalent functionality on the ASA is to use the 'allow' keyword when you setup the 'filter url' command that passes traffic to the filtering server. Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933061

allow

When the server is unavailable, let outbound connections pass through the security appliance without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.

Hope that helps.

-Mike

View solution in original post

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Yes, even pix/ASA have allow mode. At the end of "filter" statement you need

to add "allow" keyword which will ensure that the firewall will forward

traffic when the filtering server is unavailable.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration

_example09186a008088517b.shtml

Hope this helps.

Regards,

NT

View solution in original post

2 Replies 2

mirober2
Cisco Employee
Cisco Employee

Hello,

The equivalent functionality on the ASA is to use the 'allow' keyword when you setup the 'filter url' command that passes traffic to the filtering server. Here is the command reference for it:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933061

allow

When the server is unavailable, let outbound connections pass through the security appliance without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.

Hope that helps.

-Mike

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Yes, even pix/ASA have allow mode. At the end of "filter" statement you need

to add "allow" keyword which will ensure that the firewall will forward

traffic when the filtering server is unavailable.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration

_example09186a008088517b.shtml

Hope this helps.

Regards,

NT

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: