11-19-2008 06:17 PM - edited 03-11-2019 07:15 AM
My Pix is not forwarding to my Websense server, for URL filtering
I worked with a tech from Websense, who assured me that the Websense server is configured correctly.
However I'm going to include some notes on it as well.
The Websense server has two nics.
NIC 1: Static private address: no gateway
(Everyone on private network can ping this address)
NIC 2: Static registered IP address on the same network as my router and pix, pointing to my router as the gateway.
This is also my FTP Server, which I have no problem hitting from the outside.
Below is part 1 of my pix config, any help resolving why my pix is not filtering with my websense server would be greatly appreciated.
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ww1l5Q92YaRRQxfM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ami
domain-name ami-lewiston.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.0.0 Ligonier
name 10.4.0.0 NTC2
name 66.146.133.70 CMS-Support
name 10.3.0.0 CassCity
name 192.168.1.251 FTPServer
object-group service CMS-Support tcp-udp
port-object range 397 397
object-group service jGo tcp
port-object eq 449
port-object eq telnet
port-object range 8870 8876
port-object eq 446
port-object eq www
11-19-2008 08:43 PM
Hi,
Where is the Websense server located? Based on your IP address, it looks like the server is located on the outside. So, the below statement needs to be corrected.
Old Config:
url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4
New Config:
url-server (outside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4
Regards,
Arul
*Pls rate if it helps*
11-19-2008 06:19 PM
Part 2 of config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.1.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0
access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.224 255.255.255.224
access-list CMSClient_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list cms_access remark Rule to allow CMS support in
access-list outside_access_in permit tcp host CMS-Support interface outside object-group CMS-Support
access-list outside_access_in permit udp host CMS-Support interface outside object-group CMS-Support
access-list outside_access_in permit tcp any interface outside object-group jGo
access-list outside_cryptomap_60 permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.2.81.170 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip local pool CMSPool 192.168.1.235-192.168.1.245
pdm location Ligonier 255.255.0.0 outside
pdm location 192.168.1.224 255.255.255.224 outside
pdm location NTC2 255.255.255.0 outside
pdm location 192.168.1.253 255.255.255.255 inside
pdm location CMS-Support 255.255.255.255 outside
pdm location CassCity 255.255.0.0 outside
pdm location 12.2.81.170 255.255.255.255 inside
pdm location FTPServer 255.255.255.255 inside
pdm location 12.2.81.169 255.255.255.255 outside
pdm location 12.2.81.169 255.255.255.255 inside
pdm location FTPServer 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.253 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 192.168.1.253 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 446 192.168.1.253 446 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 449 192.168.1.253 449 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8870 192.168.1.253 8870 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8871 192.168.1.253 8871 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8872 192.168.1.253 8872 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8873 192.168.1.253 8873 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8874 192.168.1.253 8874 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8875 192.168.1.253 8875 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8876 192.168.1.253 8876 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
11-19-2008 06:20 PM
Part 3 of config:
route outside 0.0.0.0 0.0.0.0 12.2.81.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.184.36.11
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 12.150.59.70
crypto map outside_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 12.159.34.3
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.184.36.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 12.150.59.70 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 12.159.34.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup CMSClient address-pool CMSPool
vpngroup CMSClient dns-server 192.168.1.250
vpngroup CMSClient default-domain ami.local
vpngroup CMSClient split-tunnel CMSClient_splitTunnelAcl
vpngroup CMSClient split-dns 192.168.1.250 10.4.0.250
vpngroup CMSClient pfs
vpngroup CMSClient idle-time 1800
vpngroup CMSClient password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group CMSClient accept dialin pptp
vpdn group CMSClient ppp authentication pap
vpdn group CMSClient client configuration address local CMSPool
vpdn group CMSClient client configuration dns 192.168.1.250
vpdn group CMSClient pptp echo 60
vpdn group CMSClient client authentication local
vpdn username ron password *********
vpdn enable outside
vpdn enable inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
11-20-2008 08:50 AM
Thank you very much, issue resolved