Websense URL-Filter via L2L VPN Issues

dan hale
Level 3

Hi All, We have a remote site that we need to filter via Websense and URL-Filter. L2L is up and works great. However, I cannot seem to get the remote site filtered via the URL-Filter. I followed the below guide from Websense but still cannot seem to get it to work.

http://www.websense.com/support/article/kbarticle/How-do-I-configure-a-remote-ASA-PIX-to-communicate-with-Websense-via-a-VPN-connection

In short the Central and Remote sites look like this:

(LAN Central) 172.31.160.0 /20 ---- (ASA Outside IP) 192.168.1.2 ----Internet----- (ASA outside IP) 192.168.2.2 ------(LAN Remote) 172.31.60.0 /20

Websense Server at Central IP

172.31.160.244

If I issue the "url-server statistics" the Websense server shows as down on the remote end.

In short the guide wants you to include the outside address of the firewalls in the L2L and to make sure you NoNat between the LAN and Outside interfaces of the ASAs. As far as I can tell I've done what they have asked but am still coming up short.

I've attached the sanitized configs of both Central and Remote ASAs. Can anyone take a look and see if I'm missing anything from the firewall standpoint?

Thanks in advance,

Dan

3 Replies

Jennifer Halim
Cisco Employee

The remote site URL filter command should source it from interface: inside, instead of outside so it actually routes via the L2L tunnel.

It should say:

url-server (inside) vendor websense host 172.31.160.244 timeout 30 protocol TCP version 1 connections 5

Hope that helps.

Thanks Jennifer for your help... Unfortunately, even with the above, this did not work. We have a backup Point-to-Point T1 that I forced the traffic to go out instead. Once I forced it through the T1, the command "show URL Statistics" showed that the Websense server was registered.

Thanks,

Dan

Hi Playne,

I recently solved an issue like yours by putting the command 'management-access inside' in configure mode.

The theory is that the ASA needs to know the Websense from the inside interface, with the command that Jennifer proposed.

I hope this resolves your problem,

regards,

derly_ali
