05-02-2013 11:20 PM - edited 03-11-2019 06:37 PM
Hi Experts,
We have a Cisco ASA to filter traffic for the internet. We are using Websense as the proxy server.
Please suggest which IP (internal user IPs or only the Websense proxy IP) I should allow on the firewall for internet access.
Thanks in advance
Regards,
Surya
05-03-2013 09:36 AM
Hi Surya,
You can integrate Websense with the ASA. Check the below link from Websense.
hth
MS
05-03-2013 12:42 PM
Hi Suryakant,
If Websense is acting as the proxy, all connections would be proxied from its IP. So, the ASA interface ACL should allow traffic from the proxy server IP and not the clients' IPs. Because if you allow client IPs to go out through the ASA and a client finds a way to disable the proxy in its browser, that would defeat the purpose of having a proxy, as the client can go directly to the internet without the proxy.
Having only the proxy IP in the ASA ACL would ensure that the client gets denied on the ASA even if it finds a way to disable the proxy in the browser.
Hope this answers your question.
-
Sourav
05-04-2013 11:59 PM
Hi Sourav,
Can you please explain the below line to me in more detail by giving an example:
"If Websense is acting as the proxy, all connections would be proxied from its IP. So, the ASA interface ACL should allow traffic from the proxy server IP and not the clients' IPs."
Also, when you say ASA interface ACL, what does this ACL mean, and on which interface in the ASA do we apply this ACL?
Thanks
Mahesh
Message was edited by: mahesh parmar
05-06-2013 02:31 AM
Hi Mahesh,
We should apply the ACL on the inside interface.
If the traffic is UDP based then we need to allow the traffic on both the inside and outside interfaces, as there is no entry in the state table for UDP traffic.
Thanks
Surya.
05-06-2013 05:13 AM
Also, we don't need to add an access-list on the outside even if the traffic is UDP; the ASA preserves state information for UDP as well, so it allows replies by default. You need an access-list on the outside only if you wish to allow some inbound service, like when you are hosting a web server or a terminal server etc.
-
Sourav
05-06-2013 05:12 AM
Hi Mahesh,
Sure. Now, generally there would be a proxy server which will be used by clients to get to the internet. Whenever a client sends a request to the internet, it actually gets to the proxy server, which in turn uses its own IP to get to the internet, fetches the requested site and then delivers it to the inside client, thus essentially not allowing the client to be in direct contact with the internet.
Since all data flows through the proxy now, you can apply additional checks on the data before delivering it to the client.
With all that said, the proxy server attempts the connection to the internet on the client system's behalf, so it makes sense to allow traffic from the proxy server IP. Consider this simple diagram:
Inside users-->Proxy Server-->(ASA inside/internal subnet facing interface)ASA(outside/internet facing interface)-->Internet
Now, you can apply an access-list on the inside interface of the ASA to allow only specific traffic out from the inside subnet. So, in this access-list you only need to allow the proxy server IP to get to the internet and deny the rest. If you allow the clients to access the internet directly as well, it defeats the purpose of having a proxy, because clients will download content from the internet which could be malicious.
In addition to that, proxy servers can also make your internet access work more efficiently. If you access a page on a web site, it is cached (stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again from the web site. Instead it loads instantaneously from the proxy server.
Let me know if that answers your question.
-
Sourav
05-07-2013 08:03 PM
Hi Sourav,
Thanks for confirming that the ASA is a stateful firewall, as it remembers both TCP and UDP traffic.
When in our internet browser we have specified the location of a PAC file,
and also if we have Websense in the environment,
then if a user opens an internet site, how does the traffic flow?
If the user goes to google.com, does the browser point to the location of the PAC file first, or to the ASA?
I remember when my PC browser had no PAC file location specified I was unable to access certain websites; when I put in
the PAC file location it allowed me access.
So if we have configured some websites under the PAC file, do those websites bypass Websense? Or the ASA?
Thanks
Mahesh
05-07-2013 10:28 PM
Hi Mahesh,
A PAC file defines how your browser traffic is routed. There may be many entries in the PAC file, and you should be able to view your PAC file by simply opening the path configured in your browser's Internet settings using any browser.
A typical excerpt of a PAC file will be as below.
function FindProxyForURL(url, host) {
    if (shExpMatch(url, "http://group.cisco.com*"))
    { return "DIRECT"; }
    else if (shExpMatch(url, "https://abc.org*"))
    { return "PROXY 192.168.10.10:8080"; }
    else if (shExpMatch(url, "http://xyz.com/*"))
    { return "PROXY 192.168.100.100:80"; }
    // Fallback for URLs that match none of the rules above (assumed; the excerpt as posted had no final return)
    return "PROXY 192.168.10.10:8080";
}
When someone tries to browse the URL "http://group.cisco.com", the PAC file says this should be routed directly (bypassing the proxy, which is referred to as DIRECT in the PAC file configuration).
Likewise, when a user accesses "https://abc.org", the traffic would be sent to the proxy server 192.168.10.10 on port 8080. Please be aware that there may be multiple proxy servers in some organizations. Likewise, when a user accesses the URL "http://xyz.com/", the traffic will be directed towards 192.168.100.100 on port 80.
To answer your question: when a user browses google.com (not only Google, but any browser traffic), the traffic always goes to the PAC file first. The PAC file then determines where to forward this traffic depending on the PAC file configuration. The PAC file determines where the traffic should be routed when an HTTP or HTTPS request comes, and that is the reason why a few web sites are not working without the proxy PAC.
Hope this helps.
Regards
Najaf
Please rate when applicable or helpful !!!
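The two halves of this thread fit together: the PAC file (Najaf's post) decides whether a request leaves the client directly or via the proxy, and that decides which source IP the ASA inside-interface ACL (Sourav's diagram) sees. The following is an added example, not code from the thread or from Cisco or Websense. FindProxyForURL is the real PAC entry point using the thread's sample addresses; the shExpMatch shim (browsers provide this function, Node does not), the client address 10.1.1.25, the fallback proxy rule and the first-match ACL evaluator are constructed assumptions. The ACL object is a simplified model, not ASA code; the equivalent ASA lines are shown in a comment.

```javascript
// Added example (not from the thread): PAC decision -> source IP seen by the ASA -> inside ACL result.

// Shim for the PAC helper shExpMatch(str, shexp): shell-style "*" and "?" globs.
// Browsers supply this; it is defined here only so the block runs under Node.
function shExpMatch(str, shexp) {
  const re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                        .replace(/\*/g, '.*')
                        .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// The PAC rules from the thread, completed with an assumed fallback that sends
// everything else to the Websense proxy at 192.168.10.10.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http://group.cisco.com*")) { return "DIRECT"; }
  else if (shExpMatch(url, "https://abc.org*")) { return "PROXY 192.168.10.10:8080"; }
  else if (shExpMatch(url, "http://xyz.com/*")) { return "PROXY 192.168.100.100:80"; }
  return "PROXY 192.168.10.10:8080"; // assumed default
}

// Which source IP the ASA inside interface sees for a client request:
// "DIRECT" means the client itself opens the connection; "PROXY host:port"
// means the proxy opens it on the client's behalf.
function sourceSeenByAsa(clientIp, url) {
  const decision = FindProxyForURL(url, new URL(url).hostname);
  if (decision === "DIRECT") return clientIp;
  const m = /^PROXY\s+([^:\s]+)/.exec(decision);
  return m[1];
}

// Simplified model of the inside-interface ACL Sourav describes. Equivalent ASA lines:
//   access-list inside_in extended permit ip host 192.168.10.10 any
//   access-list inside_in extended permit ip host 192.168.100.100 any
//   access-list inside_in extended deny ip any any
//   access-group inside_in in interface inside
// Entries are evaluated top-down, first match wins, implicit deny at the end.
const insideAcl = [
  { action: "permit", src: "192.168.10.10" },
  { action: "permit", src: "192.168.100.100" },
  { action: "deny", src: "any" },
];

function aclDecision(acl, srcIp) {
  for (const ace of acl) {
    if (ace.src === "any" || ace.src === srcIp) return ace.action;
  }
  return "deny"; // implicit deny
}

// End-to-end: does a client's request to this URL get out through the ASA?
function outboundAllowed(clientIp, url) {
  return aclDecision(insideAcl, sourceSeenByAsa(clientIp, url)) === "permit";
}

// Constructed sample run: one client, four URLs.
const client = "10.1.1.25";
for (const u of ["https://abc.org/login", "http://xyz.com/page",
                 "http://group.cisco.com/", "http://example.com/"]) {
  console.log(u, "->", FindProxyForURL(u, new URL(u).hostname),
              "| leaves ASA:", outboundAllowed(client, u));
}
```

The run shows the consequence the thread circles around: URLs the PAC marks DIRECT reach the ASA with the client's own address and are dropped by an inside ACL that permits only the proxy, while anything routed to a PROXY entry passes. Any DIRECT exception in the PAC therefore needs a matching decision on the ASA side, either a deliberate permit for those clients or acceptance that the site is unreachable.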
05-08-2013 08:33 PM
Hi Najaf,
So how is the PAC file linked to Websense?
When traffic goes to the PAC file, does it also have configuration to redirect traffic to Websense or the ASA?
Regards
Mahesh
05-08-2013 08:38 PM
Hi Mahesh,
The PAC file will have the information of the proxy server. It looks like in your case you are using Websense as your proxy server. In the sample configuration which I have shared you can see "return "PROXY x.x.x.x"", where x.x.x.x is the proxy server IP address.
You will have a much better understanding once you view your PAC file and correlate it with your proxy IP address.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
05-08-2013 08:47 PM
Hi Najaf,
Many thanks for the explanation and for replying to all the questions.
It seems I cannot give any rating as this question is already answered.
Regards
Mahesh
05-08-2013 08:54 PM
No problem mate..
Regards
Najaf
07-18-2019 04:24 AM
How to make a rule in the ASA for a DIRECT connection? If the PAC is not used, users can browse the internet at ease.