url filtering issue?

matijazeman
Level 1

Hi,

I have a websense server on the inside network (LAN) of ASA set up for filtering LAN network and DMZ network. URLF policy is set to filter any to any for http. Filtering works when accessing internet from clients in LAN, but not when accessing internet from DMZ. Is there a problem since the websense server is in higher security zone than the DMZ network? The debug logs don't show anything regarding URL filtering when accessing internet from DMZ.

Thanks

12 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

When you say WebSense Filter is not working, are you not getting the deny page or are you able to access non-approved sites? Do you have a translation for the URL Filter server on the DMZ interface?

Regards,

NT

Jitendriya Athavale
Cisco Employee

Can you please paste the config, if it's not an issue? It's easier for us.

Hi,

Thanks for the quick response. The Websense server is on the inside interface, not the DMZ. The Websense server is accessible from the DMZ - there is an access rule and a NAT exemption, and clients from the DMZ can access all IP services on the Websense server. The issue I see is that debug logs on the ASA show URL filtering happening when accessing the internet from the LAN, but not from the DMZ, and Websense doesn't show any trace of DMZ client addresses.

Here is a part of the config:

interface Ethernet0/2
nameif outside
security-level 0

interface Ethernet0/3.22
vlan 22
nameif knjiznica
security-level 50

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif inside
security-level 100

url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

access-list knjiznica_access_in extended permit ip 10.22.0.0 255.255.240.0 host 10.10.0.44

access-list inside_access_in extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0

access-list inside_nat0_outbound extended permit ip host 10.10.0.44 10.22.0.0 255.255.240.0


Websense is 10.10.0.44 on inside.

knjiznica is the DMZ on the 10.22.0.0 network.

Hi, thanks for the clarity on this.

Will it be possible for you to paste your entire config? You can remove the public IPs and paste it.

Hi,

I'd rather avoid sending the whole config. If you believe you know what would be the issue, I can send it in personal message.

Thanks

Hello,

Can you please verify if the firewall is the only way out to internet in your network. Your configuration looks good. As long as the firewall can communicate with the filtering server, it should be able to send the URL requests to the URL server.

Regards,

NT

Hi,

Yes, it's definitely the only way out. Debug logs when accessing the web from the inside LAN show entries like "user accessing URL...", but when accessed from the DMZ, I only see TCP connections to port 80.

KR

Hello,

Do you have a route to the internet via the inside interface by any chance? Because the URL filtering will not work if the traffic is flowing from a lower security to a higher security interface. If possible, can you attach the output of the "show route" command (you can sanitize the public IPs)?

Regards,

NT

No way, this is the only path to internet.

As I said, I see the traffic to the internet from both the DMZ and the LAN, but do not see the DMZ traffic being filtered.

route outside 0.0.0.0 0.0.0.0 def.gw 1

route inside 10.1.0.0 255.255.0.0 10.235.0.1 1

route inside 10.10.0.0 255.255.0.0 10.235.0.1 1

route inside 10.20.0.0 255.255.240.0 10.235.0.1 1

route inside 10.21.0.0 255.255.240.0 10.235.0.1 1

route inside 10.25.0.0 255.255.240.0 10.10.0.2 1

route inside 10.32.0.0 255.255.240.0 10.235.0.1 1

route ISDN 172.19.118.0 255.255.255.0 172.19.117.1 1
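The two checks NT asked for above (is internet-bound traffic leaving via a lower-security interface, and where does the url-server sit relative to each client interface) can be read straight off the posted fragment. The script below is an added example, not code from the thread or from Cisco: it parses exactly the interface, url-server, filter and route lines quoted in the posts (joined into one constructed text; the "def.gw" gateway placeholder is kept as posted), and reports, per named interface, the egress interface of the default route, whether that flow is high-to-low or low-to-high by security level, and whether each url-server lives on a higher, lower or equal security interface than the client interface. It also notes whether "same-security-traffic permit inter-interface" is present, which matters only if the DMZ were moved to level 100 as suggested later in the thread. It does not claim what the root cause is; it only makes the security-level relationships explicit.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ASA statements quoted in this thread, joined into one text.
ASA_CONFIG = """
interface Ethernet0/2
 nameif outside
 security-level 0
interface Ethernet0/3.22
 vlan 22
 nameif knjiznica
 security-level 50
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
url-server (inside) vendor websense host 10.10.0.44 timeout 30 protocol TCP version 1 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
route outside 0.0.0.0 0.0.0.0 def.gw 1
route inside 10.1.0.0 255.255.0.0 10.235.0.1 1
route inside 10.10.0.0 255.255.0.0 10.235.0.1 1
route inside 10.20.0.0 255.255.240.0 10.235.0.1 1
route inside 10.21.0.0 255.255.240.0 10.235.0.1 1
route inside 10.25.0.0 255.255.240.0 10.10.0.2 1
route inside 10.32.0.0 255.255.240.0 10.235.0.1 1
route ISDN 172.19.118.0 255.255.255.0 172.19.117.1 1
"""


def parse_config(text: str) -> Dict[str, object]:
    """Pull out nameif/security-level pairs, url-server, filter and route lines."""
    blocks: List[Dict[str, object]] = []   # one dict per "interface ..." block
    url_servers: List[Dict[str, str]] = []
    routes: List[Dict[str, object]] = []
    filters: List[str] = []
    same_sec_inter = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            blocks.append({"name": line.split(None, 1)[1]})
        elif line.startswith("nameif ") and blocks:
            blocks[-1]["nameif"] = line.split()[1]
        elif line.startswith("security-level ") and blocks:
            blocks[-1]["level"] = int(line.split()[1])
        elif line.startswith("filter "):
            filters.append(line)
        elif line == "same-security-traffic permit inter-interface":
            same_sec_inter = True
        else:
            m = re.match(r"url-server \((\S+)\) vendor (\S+) host (\S+)", line)
            if m:
                url_servers.append({"interface": m.group(1), "vendor": m.group(2), "host": m.group(3)})
                continue
            m = re.match(r"route (\S+) (\S+) (\S+) (\S+) (\d+)$", line)
            if m:
                routes.append({"interface": m.group(1), "network": m.group(2), "mask": m.group(3),
                               "gateway": m.group(4), "metric": int(m.group(5))})
    interfaces: Dict[str, Optional[int]] = {
        b["nameif"]: b.get("level") for b in blocks if "nameif" in b  # type: ignore[misc]
    }
    return {"interfaces": interfaces, "url_servers": url_servers, "routes": routes,
            "filters": filters, "same_security_inter_interface": same_sec_inter}


def default_route_interface(cfg: Dict[str, object]) -> Optional[str]:
    """Interface of the 0.0.0.0/0 route, i.e. where internet-bound traffic egresses."""
    for r in cfg["routes"]:  # type: ignore[index]
        if r["network"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r["interface"]
    return None


def flow_direction(cfg: Dict[str, object], src_if: str, dst_if: str) -> str:
    """Compare security levels; 'unknown' if either interface was not in the fragment."""
    levels = cfg["interfaces"]  # type: ignore[index]
    s, d = levels.get(src_if), levels.get(dst_if)  # type: ignore[union-attr]
    if s is None or d is None:
        return "unknown"
    return "high-to-low" if s > d else "low-to-high" if s < d else "same"


def url_server_relation(cfg: Dict[str, object], client_if: str) -> List[Tuple[str, str, str]]:
    """For each url-server: (host, its interface, 'higher'/'lower'/'same'/'unknown' vs client_if)."""
    out = []
    for srv in cfg["url_servers"]:  # type: ignore[index]
        d = flow_direction(cfg, srv["interface"], client_if)
        rel = {"high-to-low": "higher", "low-to-high": "lower", "same": "same"}.get(d, "unknown")
        out.append((srv["host"], srv["interface"], rel))
    return out


def internet_flow_report(cfg: Dict[str, object]) -> Dict[str, Dict[str, object]]:
    """Per client interface: egress for the default route and the direction of that flow."""
    egress = default_route_interface(cfg)
    report: Dict[str, Dict[str, object]] = {}
    for name in cfg["interfaces"]:  # type: ignore[attr-defined]
        if name == egress:
            continue
        direction = flow_direction(cfg, name, egress) if egress else "unknown"
        report[name] = {"egress": egress, "direction": direction,
                        "url_servers": url_server_relation(cfg, name),
                        "needs_same_security_permit": direction == "same"
                        and not cfg["same_security_inter_interface"]}
    return report


if __name__ == "__main__":
    for ifname, row in internet_flow_report(parse_config(ASA_CONFIG)).items():
        print(ifname, row)
```

Run against the posted fragment, both inside and knjiznica report their internet flow as high-to-low towards outside, which is what the user's "route outside 0.0.0.0 0.0.0.0" line already implies, and the only url-server sits on inside, a higher security interface than the DMZ. The ISDN route references an interface whose security level is not in the fragment, so the script reports it as unknown rather than guessing.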

Hello,

What code version are you running? Can you try one quick thing to see if we could identify the root cause? Change the security level of the DMZ interface to 100 and issue "same-security-traffic permit inter-interface". Let us see if that fixes the issue.

Regards,

NT

Hi,

It's ASA Version 8.0(3). Unfortunately, I am not able to do this at any time. What I can confirm is, if I add another URL filtering server to the config with a "random" address on the DMZ network, the logs show it as "unavailable", which is of course OK, since the URLF server on the DMZ does not exist, but it seems like it's trying to filter this traffic if it thinks it has a URLF server on the DMZ.

BR
