09-03-2013 07:45 AM - edited 03-11-2019 07:33 PM
I have a Cisco ASA firewall that is set up with an inside interface and a DMZ interface. I also have a Websense content filter that is currently filtering traffic successfully on the inside interface.
I set up a DMZ port for our guest wireless network and traffic is flowing just fine over this interface and out to the internet. I want to be able to filter this traffic just like I filter the internal traffic.
I configured the ASA for the WCCP redirect for the DMZ interface and when I do then no traffic is allowed out to the internet and I am not getting any response from the Websense.
Here is the config before any changes to the WCCP config from the ASA:
wccp 0 redirect-list WCCP group-list PROXY-WS
wccp 70 redirect-list WCCP group-list PROXY-WS
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in
I added the following lines to the ASA and after I did this traffic over the DMZ port stopped. Internal traffic continued to work fine and is filtered.
wccp interface DMZ 0 redirect in
wccp interface DMZ 70 redirect in
Here is the PROXY-WS command:
access-list PROXY-WS extended permit ip host 128.1.0.98 any
Any help is greatly appreciated.
Seth
09-10-2013 06:33 AM
How did you get WCCP redirection to Websense working fine on the inside interface?
We are having issues with this. Apparently, Websense and the client need to be on the same interface.
Websense also needs a route (def gw) to the internet. The def GW can't be the same as the interface doing redirection.
For instance, if inside is 10.1.1.1, and Websense is 10.1.1.1.20, client is 10.120.0.10 (reachable via the inside interface)
Websense's default gw can't be 10.1.1.1
Websense needs a route to the client and internet. How did you make it work?
I wish WCCP redirection didn't have to be applied to an interface. There should be a global option (like global access-list) or configured under application inspection.
Let me know, Thanks
10-15-2013 12:59 PM
Did you resolve this?
10-15-2013 03:34 PM
Yes. I had to put the guest network on the same interface on the ASA as the inside network. The Websense does not support the setup I was trying to use it as.
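The same-interface constraint raised in this thread, as an added example (not posted by any participant, and not Cisco or Websense code): a Python lint that flags `wccp interface ... redirect in` lines whose cache engine, taken from the group-list ACL, is not on that interface's connected subnet. The interface addressing in the sample is constructed, and treating "same interface" as "same connected subnet" is a simplifying assumption.

```python
import ipaddress
import re

# Constructed sample: the wccp and access-list lines are from the thread;
# the interface names' addresses and masks are invented for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 128.1.0.1 255.255.0.0
interface GigabitEthernet0/2
 nameif DMZ
 ip address 192.168.50.1 255.255.255.0
access-list PROXY-WS extended permit ip host 128.1.0.98 any
wccp 0 redirect-list WCCP group-list PROXY-WS
wccp 70 redirect-list WCCP group-list PROXY-WS
wccp interface inside 0 redirect in
wccp interface inside 70 redirect in
wccp interface DMZ 0 redirect in
wccp interface DMZ 70 redirect in
"""

def connected_networks(config):
    """Map each nameif to its directly connected network."""
    nets, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif not line.startswith(" "):
            name = None  # left the interface block
    return nets

def wccp_interface_mismatches(config):
    """List (interface, service, engine) where the engine is off that interface's subnet."""
    nets = connected_networks(config)
    acl_hosts = {}
    for acl, host in re.findall(r"^access-list (\S+) extended permit ip host (\S+) any", config, re.M):
        acl_hosts.setdefault(acl, []).append(ipaddress.ip_address(host))
    groups = dict(re.findall(r"^wccp (\S+) .*?group-list (\S+)", config, re.M))
    findings = set()
    for ifname, svc in re.findall(r"^wccp interface (\S+) (\S+) redirect in", config, re.M):
        for engine in acl_hosts.get(groups.get(svc), []):
            if ifname in nets and engine not in nets[ifname]:
                findings.add((ifname, svc, str(engine)))
    return sorted(findings)
```

On the sample, both DMZ redirect lines are flagged and the inside ones are not, which matches the behaviour described in the first post.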