08-21-2007 07:10 AM - edited 03-11-2019 04:00 AM
I have the need to use Websense URL filtering for multiple remote sites that are connected via IPSEC with PIX 501s. A customer has an ASA 7.2 for the hub, and several PIX 501 6.3 for remote offices. They want to allow split-tunneling VPN while using a Websense server at the hub site for URL filtering across the IPSEC VPN.
Is there a good way to accomplish this?
08-21-2007 06:47 PM
It doesn't matter, you can configure it.
By simple routing or the NAT-after-route concept.
See, whatever your IPSec subnet is, route it by the firewall where Websense is already configured. So once traffic hits the local LAN, it will use the outside connection by Websense.
Regards,
Dharmesh Purohit
08-24-2007 07:34 AM
Your message, while cryptic, set me on the path to just try it. And it works out of the box. It also works on IOS Firewall.
Relevant portions of my config are below for those who might see this and need it.
-=PIX 6.3=-
Crypto ACL:
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
url-server (inside) vendor websense host 10.0.0.16 timeout 10 protocol TCP version 1
filter url except 0.0.0.0 0.0.0.0 172.16.0.0 255.240.0.0
filter url except 0.0.0.0 0.0.0.0 192.168.0.0 255.255.0.0
filter url except 0.0.0.0 0.0.0.0 10.0.0.0 255.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
management-access inside
-=IOS Firewall 12.4=-
Crypto ACL:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
ip urlfilter source-interface FastEthernet0/1
ip urlfilter allow-mode on
ip urlfilter server vendor websense 192.168.0.3
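An added example, not part of the thread or of anyone's configuration: a Python check that reads the PIX 6.3 lines quoted above and reports whether a request to a given destination and port is sent to Websense, skipped by a `filter url except` line, or left unfiltered, and whether the `url-server` host sits inside a crypto ACL destination so lookups cross the tunnel. It assumes `except` lines take precedence over the filter rules, that `allow` lets requests pass when the Websense server does not answer, and it compares only the foreign (destination) network because every local field in the post is 0.0.0.0.

```python
import ipaddress

# Constructed sample: the PIX 6.3 lines quoted in the post above.
CONFIG = """\
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list outside_cryptomap_20 permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
url-server (inside) vendor websense host 10.0.0.16 timeout 10 protocol TCP version 1
filter url except 0.0.0.0 0.0.0.0 172.16.0.0 255.240.0.0
filter url except 0.0.0.0 0.0.0.0 192.168.0.0 255.255.0.0
filter url except 0.0.0.0 0.0.0.0 10.0.0.0 255.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

def net(addr, mask):
    # Convert a dotted netmask to a prefix length.
    prefix = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}")

def parse(config):
    """Return crypto ACL destinations, url-server hosts, except nets, filter rules."""
    acl_dsts, servers, excepts, rules = [], [], [], []
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acl_dsts.append(net(t[6], t[7]))
        elif t[:1] == ["url-server"]:
            servers.append(ipaddress.ip_address(t[t.index("host") + 1]))
        elif t[:3] == ["filter", "url", "except"]:
            excepts.append(net(t[5], t[6]))      # foreign (destination) network
        elif t[:2] == ["filter", "url"]:
            port = 80 if t[2] == "http" else int(t[2])
            rules.append((port, net(t[5], t[6]), "allow" in t[7:]))
    return acl_dsts, servers, excepts, rules

def decide(dst, port, excepts, rules):
    """Classify one outbound request by destination and port."""
    ip = ipaddress.ip_address(dst)
    if any(ip in n for n in excepts):            # assumption: except wins
        return "excepted"
    for rport, rnet, fail_open in rules:
        if port == rport and ip in rnet:
            return "filtered, fail-open" if fail_open else "filtered, fail-closed"
    return "unfiltered"

def servers_in_tunnel(acl_dsts, servers):
    """True if every url-server host lies inside a crypto ACL destination."""
    return all(any(s in n for n in acl_dsts) for s in servers)
```

Run against this configuration, web traffic on ports other than 80 and 443 comes back as unfiltered, and both filter rules are fail-open, which is worth knowing when the Websense server is only reachable through the tunnel.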