I have a websense server on the inside network (LAN) of ASA set up for filtering LAN network and DMZ network. URLF policy is set to filter any to any for http. Filtering works when accessing internet from clients in LAN, but not when accessing internet from DMZ. Is there a problem since the websense server is in higher security zone than the DMZ network? The debug logs don't show anything regarding URL filtering when accessing internet from DMZ.
When you say WebSense Filter is not working, are you not getting the deny page or are you able to access non-approved sites? Do you have a translation for the URL Filter server on the DMZ interface?
Thanks for the quick response. The websense server is on the inside interface, not the DMZ. The websense server is accessible from the DMZ - there is an access rule and a NAT exception, and clients from the DMZ can access all IP services on the websense server. The issue I see is that debug logs on the ASA show URL filtering happening when accessing the internet from the LAN, but not from the DMZ, and websense doesn't show any trace of DMZ client addresses.
Here is a part of the config:
url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
access-list knjiznica_access_in extended permit ip 10.22.0.0 255.255.240.0 host 10.10.0.44
access-list inside_access_in extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0
websense is 10.10.0.44 on inside.
knjiznica is the DMZ on the 10.22.0.0 network.
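As an added illustration (not code from this thread or from Cisco), the following Python snippet parses the url-server and filter lines quoted above and reports which flows the filter rules cover. It only evaluates the rule match itself (local/foreign network, port, and whether the rule fails open when the URL server is unavailable); it does not model how the ASA actually forwards or inspects traffic. The sample flows and the regular expressions are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the url-server and filter lines quoted in the post above.
ASA_CONFIG = """
url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

# Assumed line shapes: "url-server (<if>) vendor <v> host <ip> ..." and
# "filter <url|https|ftp> <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow]"
URL_SERVER_RE = re.compile(
    r"^url-server \((?P<ifname>\S+)\) vendor (?P<vendor>\S+) host (?P<host>\S+)"
)
FILTER_RE = re.compile(
    r"^filter (?P<kind>url|https|ftp) (?P<port>\S+) "
    r"(?P<lip>\S+) (?P<lmask>\S+) (?P<fip>\S+) (?P<fmask>\S+)(?P<allow> allow)?$"
)


def _net(ip, mask):
    # ASA writes "any" as 0.0.0.0 0.0.0.0, which ipaddress turns into 0.0.0.0/0.
    return ipaddress.IPv4Network((ip, mask), strict=False)


def _port_range(token):
    # "http" is shorthand for 80; otherwise a single port or "low-high".
    if token == "http":
        return (80, 80)
    if "-" in token:
        low, high = token.split("-", 1)
        return (int(low), int(high))
    return (int(token), int(token))


def parse_config(text):
    """Return (url_servers, filter_rules) parsed from the config text."""
    servers, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        m = URL_SERVER_RE.match(line)
        if m:
            servers.append(m.groupdict())
            continue
        m = FILTER_RE.match(line)
        if m:
            rules.append({
                "kind": m.group("kind"),
                "ports": _port_range(m.group("port")),
                "local": _net(m.group("lip"), m.group("lmask")),
                "foreign": _net(m.group("fip"), m.group("fmask")),
                # "allow" = pass traffic if the URL server cannot be reached
                "fail_open": m.group("allow") is not None,
            })
    return servers, rules


def matching_rule(rules, src_ip, dst_ip, dst_port):
    """First filter rule whose networks and port cover the flow, or None."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        low, high = r["ports"]
        if low <= dst_port <= high and src in r["local"] and dst in r["foreign"]:
            return r
    return None


if __name__ == "__main__":
    servers, rules = parse_config(ASA_CONFIG)
    print("URL server:", servers[0]["host"], "on", servers[0]["ifname"])
    # Constructed flows: one LAN client and one DMZ (10.22.0.0/20) client.
    for src in ("10.10.5.7", "10.22.1.5"):
        for port in (80, 443, 8080):
            r = matching_rule(rules, src, "203.0.113.10", port)
            print(src, port, "->", r["kind"] if r else "no filter rule")
```

Run as a script it shows that both the LAN and the DMZ source addresses fall under the any-to-any `filter url` and `filter https` rules, which is why the reply below concludes the configuration itself looks right.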
Can you please verify if the firewall is the only way out to internet in your network. Your configuration looks good. As long as the firewall can communicate with the filtering server, it should be able to send the URL requests to the URL server.
Yes, it's definitely the only way out. Debug logs when accessing the web from the inside LAN show logs like "user accessing URL..", but when accessed from the DMZ, I only see TCP connections to port 80.
Do you have a route to the internet via the inside interface by any chance? Because the URL filtering will not work if the traffic is flowing from a lower security to a higher security interface. If possible, can you attach the output of the "show route" command (you can sanitize the public IPs)?
No way, this is the only path to internet.
As I said, I see the traffic to the internet from both the DMZ and the LAN, but do not see the DMZ traffic being filtered.
route outside 0.0.0.0 0.0.0.0 def.gw 1
route inside 10.1.0.0 255.255.0.0 10.235.0.1 1
route inside 10.10.0.0 255.255.0.0 10.235.0.1 1
route inside 10.20.0.0 255.255.240.0 10.235.0.1 1
route inside 10.21.0.0 255.255.240.0 10.235.0.1 1
route inside 10.25.0.0 255.255.240.0 10.10.0.2 1
route inside 10.32.0.0 255.255.240.0 10.235.0.1 1
route ISDN 172.19.118.0 255.255.255.0 172.19.117.1 1
What code version are you running? Can you try one quick thing to see if we could identify the root cause? Change the security level of the DMZ interface to 100 and issue "same-security-traffic permit inter-interface". Let us see if that fixes the issue.
It's ASA Version 8.0(3). Unfortunately, I am not able to do this at any time. What I can confirm is, if I add another URL filtering server to the config with a "random" address on the DMZ network, the logs show it as "unavailable", which is of course OK, since the URLF server on the DMZ does not exist, but it seems like it's trying to filter this traffic if it thinks it has a URLF server on the DMZ.