12-18-2006 04:37 AM - edited 03-11-2019 02:10 AM
Hi,
Can somebody please help me integrate an ASA5510 with Websense ...
Regards,
12-18-2006 01:27 PM
12-18-2006 01:28 PM
12-18-2006 01:28 PM
12-20-2006 09:34 PM
I am assuming you will deploy Websense in your inside network; do not put it in the DMZ. The following is the code for URL filtering:
1. ASA
url-server (Inside) vendor websense host 192.168.3.4 timeout 30 protocol TCP version 4 connections 5
url-cache src_dst 128
url-block block 128
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
! optional, if you want to filter ftp
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
policy-map global_policy
 class inspection_default
  ! http inspect enabled
  inspect http
!
service-policy global_policy global
2. Websense: see the attached screenshot
Select "Integrate" mode, not "standalone".
Select "Cisco ASA appliance".
The ASA only filters URLs; if you want to filter protocols, you should configure the Websense filter agent accordingly.
If the post helps, please rate. Thanks.
12-20-2006 10:31 PM
Hello!
I am currently working on an ASA5520 with a CSC SSM on it. I'm trying to test URL blocking, but I'm not successful. Is it absolutely necessary to have Websense or N2H2 to successfully filter or block URLs? I want to know if the ASA CSC SSM can do the URL blocking by itself. Thank you!
Lorenz
12-21-2006 08:28 AM
You can use the CSC SSM to do URL filtering; it is not necessary to configure Websense and N2H2 on the ASA. The differences are:
1. I believe (guess :)) the CSC SSM will send your URL check request to the server hosted on the Internet by Trend.
2. Websense and N2H2 solutions will have your ASA redirect URL requests to a server in your LAN, because the signature database is larger than 200M for Websense v6.2.
If the post helps, please rate.
Peng
12-21-2006 09:42 AM
Hello Lorenz,
It is not enough to enable the URL blocking and filtering through the CSC module interface. You have to configure the ASA to pass HTTP traffic through the CSC module, otherwise traffic won't be filtered by the CSC even if you do the web configuration.
Below you can find a sample config to pass traffic to the CSC. The below will pass FTP, POP3, HTTP and SMTP. These are the only supported protocols by CSC.
access-list csc_inside_outbound permit tcp "Inside_subnet" any eq 21
access-list csc_inside_outbound permit tcp "Inside_subnet" any eq 80
access-list csc_inside_outbound permit tcp "Inside_subnet" any eq 110
access-list csc_inside_outbound permit tcp "Inside_subnet" any eq 25
class-map csc_inside_outbound_class
 match access-list csc_inside_outbound
policy-map csc_inside_out_policy
 class csc_inside_outbound_class
  csc fail-open
service-policy csc_inside_out_policy interface inside
Appreciate your rating if I could help,
Regards,
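An added example, not part of the original thread and not Cisco tooling: a short Python check that reads an ASA configuration like the two posted above and reports where filtering fails open. The `allow` option on a `filter` command lets traffic through unfiltered when the URL server does not respond, and `csc fail-open` does the same when the CSC SSM is down. The function name `audit_filtering` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: commands from the two configurations posted in this thread.
SAMPLE_CONFIG = """\
url-server (Inside) vendor websense host 192.168.3.4 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
policy-map csc_inside_out_policy
 class csc_inside_outbound_class
  csc fail-open
service-policy csc_inside_out_policy interface inside
"""

FILTER_RE = re.compile(r"^filter\s+(url|https|ftp)\s+(.*)$")

def audit_filtering(config):
    """Return (config line, finding) pairs describing failure-mode behaviour."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    servers = [ln for ln in lines if ln.startswith("url-server ")]
    for ln in lines:
        m = FILTER_RE.match(ln)
        if m:
            kind, rest = m.group(1), m.group(2).split()
            if rest and rest[0] == "except":
                findings.append((ln, f"{kind}: traffic matching this rule is exempt from filtering"))
                continue
            opts = rest[5:]  # tokens after port, local ip/mask, foreign ip/mask
            if not servers:
                findings.append((ln, f"{kind}: filter rule without any url-server"))
            if "allow" in opts:
                findings.append((ln, f"{kind}: fail-open, passes unfiltered if url-server is unreachable"))
            if kind == "url" and "proxy-block" not in opts:
                findings.append((ln, "url: requests to HTTP proxies are not blocked"))
        elif ln == "csc fail-open":
            findings.append((ln, "csc: fail-open, passes unscanned if the CSC SSM is down"))
    return findings

if __name__ == "__main__":
    for line, finding in audit_filtering(SAMPLE_CONFIG):
        print(f"{finding}\n    {line}")
```

Whether fail-open is acceptable is a policy decision; removing `allow` or using `csc fail-close` blocks the matching traffic while the filtering server or module is unavailable.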