08-13-2004 04:53 AM - edited 02-20-2020 11:34 PM
Hi, my question is: when you integrate websense with a PIX, can you get the PIX to forward permitted traffic back to a gateway on the inside subnet as opposed to going through the firewall to the outside interface and beyond? The existing firewall does not have websense integration, so I'm thinking of using a PIX as a kind of proxy to deal with the web filtering and then forwarding traffic out a different gateway on the inside subnet. I presume there is a difficulty with the PIX sending traffic out the same interface it came in on? Thanks in advance.
08-13-2004 05:42 AM
In general, you are correct that the above scenario will not work on the PIX. Packets entering a PIX must have different egress and ingress interfaces in order to pass. The PIX will not re-direct packets back out the same interface where they were received.
A couple of options however, if possible, would be to use .1q interfaces to segment the traffic. I don't know your design but you could possibly bring a trunk to the PIX and have the ingress interface be on one VLAN and the egress interface be on another VLAN. Or, you could take a look at our content engine line of products. They have websense built onto the box and can act as a transparent proxy.
Hope this helps.
Scott
08-13-2004 06:55 AM
Thanks Scott. It's as I suspected. In the case of the VLAN tagging I would still have to "route" traffic out the egress VLAN but with both VLANs having different subnet addresses, i.e. I would just be replacing the inside outside scenario with a 2 logical VLAN interfaces scenario. Thanks again.
08-25-2004 05:54 AM
Hi Scott
Can the content engine module for 2600 etc. routers also act as a transparent proxy and integrate with websense? The content switch itself is too costly at the moment.