07-19-2010 09:49 AM - edited 03-11-2019 11:13 AM
Hi,
I have a websense server on the inside network (LAN) of the ASA set up for filtering the LAN network and the DMZ network. The URLF policy is set to filter any to any for http. Filtering works when accessing the internet from clients in the LAN, but not when accessing the internet from the DMZ. Is there a problem since the websense server is in a higher security zone than the DMZ network? The debug logs don't show anything regarding URL filtering when accessing the internet from the DMZ.
Thanks
07-19-2010 10:15 AM
Hello,
When you say WebSense Filter is not working, are you not getting the deny page or are you able to access non-approved sites? Do you have a translation for the URL Filter server on the DMZ interface?
Regards,
NT
07-19-2010 10:18 AM
j
07-19-2010 10:42 AM
Can you please paste the config if it's not an issue? It's easier for us.
07-19-2010 12:05 PM
Hi,
Thanks for the quick response. The websense server is on the inside interface, not the DMZ. The websense server is accessible from the DMZ - there is an access rule and a NAT exception, and clients from the DMZ can access all IP services on the websense server. The issue I see is that the debug logs on the ASA show URL filtering happening when accessing the internet from the LAN, but not from the DMZ, and websense doesn't show any trace of DMZ client addresses.
Here is a part of the config:
interface Ethernet0/2
 nameif outside
 security-level 0
interface Ethernet0/3.22
 vlan 22
 nameif knjiznica
 security-level 50
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
access-list knjiznica_access_in extended permit ip 10.22.0.0 255.255.240.0 host 10.10.0.44
access-list inside_access_in extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0
websense is 10.10.0.44 on inside.
knjiznica is the DMZ on the 10.22.0.0 network.
07-19-2010 11:04 PM
Hi, thanks for the clarity on this.
Will it be possible for you to paste your entire config? You can remove public IPs and paste it.
07-19-2010 11:21 PM
Hi,
I'd rather avoid sending the whole config. If you believe you know what would be the issue, I can send it in personal message.
Thanks
07-20-2010 05:20 AM
Hello,
Can you please verify if the firewall is the only way out to internet in your network. Your configuration looks good. As long as the firewall can communicate with the filtering server, it should be able to send the URL requests to the URL server.
Regards,
NT
07-20-2010 05:24 AM
Hi,
Yes, it's definitely the only way out. Debug logs when accessing the web from the inside LAN show entries like "user accessing URL..", but when accessed from the DMZ, I only see TCP connections to port 80.
KR
07-20-2010 05:37 AM
Hello,
Do you have a route to the internet via the inside interface by any chance? Because the URL filtering will not work if the traffic is flowing from a lower security to a higher security interface. If possible, can you attach the output of the "show route" command (you can sanitize the public IPs)?
Regards,
NT
07-20-2010 05:42 AM
No way, this is the only path to internet.
As I said, I see the traffic to internet from both DMZ and LAN, but do not see DMZ traffic being filtered.
route outside 0.0.0.0 0.0.0.0 def.gw 1
route inside 10.1.0.0 255.255.0.0 10.235.0.1 1
route inside 10.10.0.0 255.255.0.0 10.235.0.1 1
route inside 10.20.0.0 255.255.240.0 10.235.0.1 1
route inside 10.21.0.0 255.255.240.0 10.235.0.1 1
route inside 10.25.0.0 255.255.240.0 10.10.0.2 1
route inside 10.32.0.0 255.255.240.0 10.235.0.1 1
route ISDN 172.19.118.0 255.255.255.0 172.19.117.1 1
07-20-2010 09:13 AM
Hello,
What code version are you running? Can you try one quick thing to see if we could identify the root cause? Change the security level of the DMZ interface to 100 and issue "same-security-traffic permit inter-interface". Let us see if that fixes the issue.
Regards,
NT
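The two hypotheses raised in this thread (a route to the internet via the inside interface, so that DMZ-to-internet traffic would flow from a lower to a higher security interface, and whether the url-server is actually reached through the interface it is declared on) can be checked mechanically against a config fragment. The following Python script is an added example and not part of this thread or of any Cisco tool; it parses the interface, url-server and route lines posted above (the sanitized "def.gw" next hop is replaced with the documentation address 203.0.113.1 as a placeholder, and 198.51.100.10 is an assumed representative internet destination) and classifies each internet-bound flow by security-level direction.

```python
import ipaddress
import re

# Constructed sample: the interface, url-server, filter and route lines posted in
# this thread. The sanitized "def.gw" next hop is replaced with a documentation
# address (203.0.113.1) as a placeholder.
SAMPLE_CONFIG = """\
interface Ethernet0/2
 nameif outside
 security-level 0
interface Ethernet0/3.22
 vlan 22
 nameif knjiznica
 security-level 50
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.0.0 10.235.0.1 1
route inside 10.20.0.0 255.255.240.0 10.235.0.1 1
"""

# Assumed representative internet destination (documentation range), used to find
# the interface that internet-bound traffic leaves through.
INTERNET_PROBE = "198.51.100.10"


def parse_interfaces(config):
    """Map each nameif to its security-level by walking 'interface' blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new block, nameif not yet seen
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def parse_url_servers(config):
    """Extract (declared interface, host) for each url-server line."""
    pat = r"^url-server \((\S+)\) vendor \S+ host (\S+)"
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, config, re.M)]


def parse_routes(config):
    """Extract static routes as (nameif, network, next-hop)."""
    pat = r"^route (\S+) (\S+) (\S+) (\S+) \d+"
    return [(m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), m.group(4))
            for m in re.finditer(pat, config, re.M)]


def egress_interface(routes, host):
    """Longest-prefix match: the nameif the ASA would use to reach host."""
    addr = ipaddress.ip_address(host)
    best = None
    for iface, net, _gw in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def flow_direction(levels, src, dst):
    """Classify a flow by security level, the distinction the thread turns on."""
    if levels[src] > levels[dst]:
        return "higher-to-lower"
    if levels[src] == levels[dst]:
        return "same-security"   # proposed in the thread as a test, not a confirmed fix
    return "lower-to-higher"


def audit(config):
    """Check the thread's two hypotheses against a config fragment."""
    levels = parse_interfaces(config)
    routes = parse_routes(config)
    internet_if = egress_interface(routes, INTERNET_PROBE)
    return {
        "internet_interface": internet_if,
        # (1) each url-server is routed through the interface it is declared on
        "url_servers": [
            {"host": host, "declared": declared,
             "routed_via": egress_interface(routes, host),
             "consistent": egress_interface(routes, host) == declared}
            for declared, host in parse_url_servers(config)
        ],
        # (2) direction of internet-bound flows from every other interface
        "internet_flows": {
            src: flow_direction(levels, src, internet_if)
            for src in levels if src != internet_if
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Run against the posted fragment, the report shows the url-server reached via inside as declared and both inside and knjiznica flows to outside classified higher-to-lower, which is consistent with the "configuration looks good" assessment above; pointing the default route at inside instead flips every flow to lower-to-higher, the case the direction rule is about.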
07-21-2010 02:58 AM
Hi,
It's ASA Version 8.0(3). Unfortunately, I am not able to do this at any time. What I can confirm is: if I add another URL filtering server to the config with a "random" address on the DMZ network, the logs show it as "unavailable", which is of course OK, since the URLF server on the DMZ does not exist, but it seems like it's trying to filter this traffic if it thinks it has a URLF server on the DMZ.
BR