cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


640
Views
0
Helpful
12
Replies
Beginner

url filtering issue?

Hi,

I have a websense server on the inside network (LAN) of ASA set up for filtering LAN network and DMZ network. URLF policy is set to filter any to any for http. Filtering works when accessing internet from clients in LAN, but not when accessing internet from DMZ. Is there a problem since the websense server is in higher security zone than the DMZ network? The debug logs don't show anything regarding URL filtering when accessing internet from DMZ.

Thanks

12 REPLIES 12
Cisco Employee

Re: url filtering issue?

Hello,

When you say WebSense Filter is not working, are you not getting the deny page or are you able to access non-approved sites? Do you have a translation for the URL Filter server on the DMZ interface?

Regards,

NT

Highlighted
Cisco Employee

Re: url filtering issue?

j

Cisco Employee

Re: url filtering issue?

can you please paste the config if its not an issue its easier for us

Beginner

Re: url filtering issue?

Hi,

thanks for quick response. The websense server is on the inside interface, not the DMZ. The websense server is accessible from the DMZ - there is access rule and nat exception, and clients from DMZ can access all ip services on the websense server. The issue I see is that debug logs on asa show url filtering happening when accessing internet from LAN, but not from DMZ, and websense doesnt show any trace of DMZ client addresses.

here is a part of the config

interface Ethernet0/2
nameif outside
security-level 0

interface Ethernet0/3.22
vlan 22
nameif knjiznica
security-level 50

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif inside
security-level 100

url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

access-list knjiznica_access_in extended permit ip 10.22.0.0 255.255.240.0 host 10.10.0.44

access-list inside_access_in extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0

access-list inside_nat0_outbound extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0


websense is 10.10.0.44 on inside

knjiznica is DMZ on 10.22.0.0 network

Cisco Employee

Re: url filtering issue?

hi thx for clarity on this

will it be possible for you to paste your entire config, you can remove public ip's and paste it

Beginner

Re: url filtering issue?

Hi,

I'd rather avoid sending the whole config. If you believe you know what would be the issue, I can send it in personal message.

Thanks

Cisco Employee

Re: url filtering issue?

Hello,

Can you please verify if the firewall is the only way out to internet in your network. Your configuration looks good. As long as the firewall can communicate with the filtering server, it should be able to send the URL requests to the URL server.

Regards,

NT

Beginner

Re: url filtering issue?

Hi,

yes, it's definitely the only way out. Debug logs when accessing web from inside LAN shows logs like "user accessing URL..", but when accessed from DMZ, I only see tcp connections to port 80.

KR

Cisco Employee

Re: url filtering issue?

Hello,

Do you have a route to internet via inside interface by any chance? Because the URL filtering will not work if the traffic is flowing from lower security to higher security interface. If possible, can you attach the output of "show route" command (you can sanitize the public IP's)?

Regards,

NT

Beginner

Re: url filtering issue?

No way, this is the only path to internet.

As I said, I see the traffic to internet from both DMZ and LAN, but do not see DMZ traffic being filtered.

route outside 0.0.0.0 0.0.0.0 def.gw 1

route inside 10.1.0.0 255.255.0.0 10.235.0.1 1

route inside 10.10.0.0 255.255.0.0 10.235.0.1 1

route inside 10.20.0.0 255.255.240.0 10.235.0.1 1

route inside 10.21.0.0 255.255.240.0 10.235.0.1 1

route inside 10.25.0.0 255.255.240.0 10.10.0.2 1

route inside 10.32.0.0 255.255.240.0 10.235.0.1 1

route ISDN 172.19.118.0 255.255.255.0 172.19.117.1 1

Cisco Employee

Re: url filtering issue?

Hello,

What code version you are running? Can you try one quick thing to see if we could identify the root cause? Change the security level of the DMZ interface to 100 and issue "same-security-traffic permit inter-interface". Let us see if that fixes the issue.

Regards,

NT

Beginner

Re: url filtering issue?

Hi,

it's ASA Version 8.0(3). Unfortunately, I am not able to do this at any time. What I can confirm is, if I add another url filtering server to the config with "random" address on DMZ network, logs show it as "unavailable" which is of course ok, since the URLF server on DMZ does not exist, but it seems like it's trying to filter this traffic if it thinks it has urlf server on dmz.

BR