05-16-2014 03:38 AM - edited 03-11-2019 09:12 PM
Hi Everyone,
I am a new learner of the ASA firewall. Recently we purchased an ASA 5520 with the following version:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
ASA 5520 Adaptive Security Appliance
ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9
I have configured the ASA with a basic configuration. Now I want to implement web filtering using Websense on the ASA firewall. I don't have any idea about the requirements for this configuration.
I found the configuration lines on Google, but they do not seem to work.
My ASA is configured with:
1. outside
2. inside
3. DMZ
I came across one solution where Websense is configured on the DMZ, and I tried it the same way, but when I checked the Websense server statistics, it shows "DOWN".
I used the following lines:
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
url-cache dst 100
url-block url-mempool 2
url-block url-size 2
url-block block 10
Basically I want to completely block social websites. I can use the CSC content filtering, but when users use a proxy utility the blocked websites open.
Please help me out.
Thanks
05-16-2014 05:04 AM
Can you reach (ping) the Websense server from your ASA?
If so, have you added the ASA as an integrated device on the Websense console? (Reference)
05-16-2014 10:03 PM
@ Marvin Rhoads & jumora:
Thanks for the response. Since I am new to Websense, I have a few questions:
1. Do we need a separate PC to configure as the Websense server? If yes, then how?
2. Will this Websense server filter websites completely? The network users are pretty smart, as they use third-party proxy utilities to bypass the blocked websites.
3. Will it affect the performance of the ASA after configuring Websense?
Thanks
05-22-2014 03:53 PM
Websense is a third-party product that works in conjunction with the ASA, so you need to purchase it.
2. The ASA has an option in the Websense (url-filtering) configuration to block proxies, but nowadays people use all types of proxies, so you might need to monitor your network connections or block any unknown port from going out through the firewall.
In the ASA URL filtering document, you will find the proxy-block option:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97277-pix-asa-url-filtering.html#task3
Each function has some sort of impact, whether positive or negative. I've seen a lot of ASAs configured with Websense without any problems, if that is what you are asking.
05-25-2014 10:28 PM
Hi,
Do I need to prepare a separate machine as a Websense server?
05-26-2014 09:24 AM
What do you mean by that question:
Do I need to prepare a separate machine as a Websense server?
The question is related to Websense requirements. I believe that there are several options: you get a server or you buy the appliance.
For further details please ask the Websense vendor.
05-26-2014 10:22 PM
Hi,
I mean to say about this line:
url-server (if_name) vendor websense host <IP of Websense server > protocol tcp version
where it says <IP Address of Websense server>, what IP address shall I give here? If it is talking about a Websense server, then I mean to ask: is it required to have a server or computer configured as the Websense server?
Thanks
05-27-2014 09:13 AM
Yes, and I believe that you can install it on a Windows server, or there is an appliance from Websense, but you would need to talk to them for details.
05-16-2014 11:11 AM
First:
Wrong command:
no filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
Correct command:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Wrong command:
no filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
Correct command:
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
Please get the complete TCP/IP configuration from the server, and remove and re-add all Websense-related configuration.
https://tools.cisco.com/bugsearch/bug/CSCto58232
https://tools.cisco.com/bugsearch/bug/CSCtx20108
FYI this article is pretty nice:
http://es.websense.com/support/article/t-kbarticle/Configure-PIX-Firewall-ASA-for-Websense-Integration
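The correction above, as an added example that is not part of the thread or of Cisco's tooling: a small Python check (the function name `lint_url_filtering` is hypothetical) that reads ASA URL-filtering lines and flags a `filter url` rule covering port 443 or a rule scoped to a single destination host. It is run on the lines from the original post and on the corrected lines from the reply.

```python
import re

# Filtering lines copied from the original post (used here as sample input).
POSTED = """\
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 31.13.68.49 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
"""
# The same url-server line with the corrected filter lines from the reply.
CORRECTED = """\
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
"""

FILTER = re.compile(r"filter\s+(url|https)\s+(except|\d+(?:-\d+)?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
SERVER = re.compile(r"url-server\s+\(\S+\)\s+vendor\s+websense\s+host\s+\S+")

def lint_url_filtering(config):
    """Return a list of (line_number, message) findings for ASA URL-filter lines."""
    findings, has_server, first_filter = [], False, None
    for num, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if SERVER.match(line):
            has_server = True
            continue
        m = FILTER.match(line)
        if not m:
            continue
        first_filter = first_filter or num
        kind, port, _lip, _lmask, _fip, fmask = m.groups()
        if port == "except":
            continue  # exemption rules carry no port to check
        low, _, high = port.partition("-")
        if kind == "url" and int(low) <= 443 <= int(high or low):
            findings.append((num, "filter url covers port 443; HTTPS needs filter https"))
        if fmask == "255.255.255.255":
            findings.append((num, "rule matches one destination host only"))
    if first_filter and not has_server:
        findings.append((first_filter, "filter rule present but no url-server line"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, lint_url_filtering(cfg))
```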