Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1228
Views
4
Helpful
11
Replies

ASA 5510 Remote Site Internet Access

gates1150
Level 1
Level 1

‎10-09-2007 05:55 AM - edited ‎03-11-2019 04:23 AM

I'm setting up a new ASA 5510 and have 5 remote sites that connect back with site-to-site tunnels. We want to force their internet access through our websense server. I know I can do split tunneling but this won't force it to go through websense. Is there any way to allow the VPN traffic that comes in to go back out the connection for internet access of the centralized ASA?

Labels:
0 Helpful
11 Replies 11

acomiskey
Level 10
Level 10

‎10-09-2007 06:08 AM

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

0 Helpful

gates1150
Level 1
Level 1
In response to acomiskey

‎10-09-2007 06:37 AM

Thanks that is exactly what I was looking for.

0 Helpful

1cmerchant
Level 1
Level 1

‎10-09-2007 06:29 AM

If you are using ASA 5505's or similar at the remote locations you can use the 'url-server' and 'filter' commands to have your centralized Websense server approve http connections. If you have Internet traffic going out locally through the remote ASA's you can still require that the Websense server approve connectivity.

Check the ASA v7.2 command reference guide to see more about the 'url-server' and 'filter' commands.

0 Helpful

gates1150
Level 1
Level 1
In response to 1cmerchant

‎10-09-2007 06:36 AM

Good point that seems like a more efficient design. Do you know if a PIX 501 can do this?

0 Helpful

1cmerchant
Level 1
Level 1
In response to gates1150

‎10-09-2007 06:50 AM

Yes, I've implemented it with a Pix 501 as the remote devices and a Pix 515e as the head-end device. Should be no problem using a Pix 501 to connect to an ASA 5510 as long as your IPSEC config, etc is all correct.

The caveat is that it takes awhile for the http request/response from the Websense server to traverse the IPSEC tunnel and return. When I encountered performance problems I started using the timeout and caching parameters of the url-server command to improve performance.

0 Helpful

jobegates
Level 1
Level 1
In response to 1cmerchant

‎10-09-2007 07:41 AM

Were you running 6.x code?

0 Helpful

acomiskey
Level 10
Level 10
In response to jobegates

‎10-09-2007 07:47 AM

You have no other option on a 501, they don't support v. 7.

0 Helpful

jobegates
Level 1
Level 1
In response to 1cmerchant

‎10-09-2007 08:52 AM

Did you use DMVPN or regular site-to-site tunnels?

0 Helpful

1cmerchant
Level 1
Level 1
In response to jobegates

‎10-10-2007 06:41 AM

Site to site tunnels, about 50+ total coming into a Pix 515e running v7.x code.

0 Helpful

jobegates
Level 1
Level 1
In response to 1cmerchant

‎10-10-2007 06:43 AM

That's exactly what I'm setting up not as many sites though. Thanks for the help.

gates1150
Level 1
Level 1
In response to 1cmerchant

‎11-13-2007 06:53 AM

Are you using Easy VPN?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card