
ASA 5510 Remote Site Internet Access

gates1150
Level 1

I'm setting up a new ASA 5510 and have 5 remote sites that connect back with site-to-site tunnels. We want to force their internet access through our Websense server. I know I can do split tunneling but this won't force it to go through Websense. Is there any way to allow the VPN traffic that comes in to go back out the connection for internet access of the centralized ASA?

11 Replies

acomiskey
Level 10

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
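
The hub-side hairpin configuration from the reply above, filled out as an added example (not part of the original post or of the linked Cisco document) in ASA 7.x syntax. The remote subnet 10.1.1.0/24 and the ACL name SITE1_CRYPTO are assumptions chosen for illustration.

```cisco
! Constructed example for the central ASA 5510.
! Assumption: 10.1.1.0/24 is the LAN behind one remote site.

! Permit traffic to enter and leave the same interface. Without this,
! decrypted tunnel traffic arriving on "outside" cannot be routed back
! out of "outside" toward the internet.
same-security-traffic permit intra-interface

! PAT pool 1: translate to the address of the outside interface.
global (outside) 1 interface

! Remote-site traffic arrives on "outside" once decrypted, so the nat
! statement is bound to "outside" and names the remote subnet.
! Repeat this line for each remote site's subnet.
nat (outside) 1 10.1.1.0 255.255.255.0

! The tunnel must carry all of the site's traffic, not only traffic
! destined for the head-end LAN, so the crypto ACL matches "any" on
! the hub side. SITE1_CRYPTO is an assumed name.
access-list SITE1_CRYPTO extended permit ip any 10.1.1.0 255.255.255.0

! The remote peer needs the mirror-image entry in its own crypto ACL
! (source 10.1.1.0/24, destination any) and no local PAT for that
! traffic, otherwise internet-bound packets leave the site directly
! and never reach the hub.
```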

Thanks, that is exactly what I was looking for.

1cmerchant
Level 1

If you are using ASA 5505s or similar at the remote locations you can use the 'url-server' and 'filter' commands to have your centralized Websense server approve HTTP connections. If you have Internet traffic going out locally through the remote ASAs you can still require that the Websense server approve connectivity.

Check the ASA v7.2 command reference guide to see more about the 'url-server' and 'filter' commands.

Good point, that seems like a more efficient design. Do you know if a PIX 501 can do this?

Yes, I've implemented it with PIX 501s as the remote devices and a PIX 515e as the head-end device. Should be no problem using a PIX 501 to connect to an ASA 5510 as long as your IPsec config, etc. is all correct.

The caveat is that it takes a while for the HTTP request/response from the Websense server to traverse the IPsec tunnel and return. When I encountered performance problems I started using the timeout and caching parameters of the url-server command to improve performance.

Were you running 6.x code?

You have no other option on a 501; they don't support v. 7.

Did you use DMVPN or regular site-to-site tunnels?

Site-to-site tunnels, about 50+ total coming into a PIX 515e running v7.x code.

That's exactly what I'm setting up, not as many sites though. Thanks for the help.

Are you using Easy VPN?
