
Websense with IOS??

ptuttle
Level 1

Hello,

Has anyone successfully gotten the Websense product to work with an IOS router?

We have downloaded IOS ver 12.2(11)YU; this code is supposed to work with Websense. Websense tells us officially they have not announced that it would work, but tell us that the current version of Websense 4.4.1 will work.

Anyone running this with IOS?

If so how was the router configured?

thanks

-pat

8 Replies

robertgile
Level 1

Is the version of WebSense for Cisco IOS? I think the actual WebSense program has to be designed to listen from an IOS router. I don't think you can mix them up.

RobertG...

Thanks for the reply.

It is the PIX edition, but according to Websense, this is the correct version and they don't specifically have a version for the IOS code. They tell me that the same APIs are involved.

-pat

Really? Let me know if you get it to work. I am currently running the PIX version myself. Do you have a packet sniffer to see if the packets are actually getting out of the router and maybe the WebSense server just isn't responding? Also, is there any kind of debugging [router] you can turn on?

RobertG...

Looks like you need to be running the IOS Firewall feature set.

http://www.cisco.com/en/US/products/hw/routers/ps2167/prod_bulletin09186a008011da2e.html

Kevin

Thanks for the URL. We got it working with IOS. The key was doing the inspect statements (i.e. the firewall feature set), so you are right, this is key.

thanks

-pat

Good, can you post a sample config of the CBAC...

Thanks,

RobertG...

At most of our branch offices we have 2600's installed. I can't find that IOS image for any higher end router [2600 or 3600].

I am hoping that the new IOS version 12.2(14)T supports higher end routers, such as the 2600's. According to the link, it looks like 12.2(14)T will be the final release at the end of the first quarter.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_qanda_item09186a008010a40e.shtml

RobertG...

Hello,

Here is a sample config we got to work with WebSense. There is some VPN stuff in here, but essentially it was the inspect statements and java list 51 that got it working. ALSO, to my knowledge it has to be Ver. 12.2(11)YU.

Not sure if this is out for the 2600??

-pat

Affordable_Fram#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.2(11)YU, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(13.1u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 21-Dec-02 02:37 by ealyon
Image text-base: 0x80008120, data-base: 0x80FF6474

ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9O3SY7-M), Version 12.2(11)YU, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Affordable_Fram uptime is 2 days, 21 hours, 23 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k9o3sy7-mz.122-11.YU.bin"

cisco 1721 (MPC860P) processor (revision 0x100) with 44033K/5119K bytes of memory.
Processor board ID FOC063708FZ (2881620591), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

Affordable_Fram#

Affordable_Fram#wr term
Building configuration...

Current configuration : 3643 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Affordable_Fram
!
logging buffered 4096 debugging
no logging console
enable password ZA19RX
!
username coghlin_cns password 0 tryit789
username coghlin password 0 coghlin
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip inspect name FastEthernet0 http java-list 51 urlfilter timeout 30
ip inspect name FastEthernet0 tcp
ip inspect name FastEthernet0 ftp
ip inspect name FastEthernet0 smtp
ip inspect name FastEthernet0 h323
ip inspect name FastEthernet0 rcmd
ip inspect name FastEthernet0 udp
ip inspect name FastEthernet0 cuseeme
ip inspect name FastEthernet0 realaudio
ip inspect name FastEthernet0 streamworks
ip inspect name FastEthernet0 vdolive
ip inspect name FastEthernet0 sqlnet
ip urlfilter allow-mode on
ip urlfilter audit-trail
ip urlfilter urlf-server-log
ip urlfilter alert
ip urlfilter server vendor websense 192.168.1.10 timeout 20
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key a3%h&5$887Y%c9NR address 1.2.3.4
crypto isakmp key test address 2.4.6.8 no-xauth
!
crypto isakmp client configuration group remote_access
 key ciscociscoRX
 dns 1.1.1.1
 pool ippool
 acl 150
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
crypto ipsec transform-set Amica esp-3des esp-md5-hmac
!
crypto dynamic-map mymap 13
 set transform-set remotesite
crypto dynamic-map mymap 20
 set peer 2.4.6.8
 set transform-set remotesite
 match address 121
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 13 ipsec-isakmp dynamic mymap
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 2.4.6.7 255.255.255.248
 ip nat outside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router eigrp 100
 network 172.16.0.0
 network 192.168.1.0
 auto-summary
!
ip local pool ippool 172.16.30.1 172.16.30.254
ip nat inside source list 122 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 2.4.6.18
no ip http server
no ip http secure-server
ip pim bidir-enable
!
!
!
ip access-list extended console
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended service
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 1 permit any
access-list 51 permit 192.168.1.0 0.0.0.255
access-list 51 permit 172.16.30.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
 set ip next-hop 1.1.1.2
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 password 7 11283B26341B180F0B3E393D
!
no scheduler allocate
end

Affordable_Fram#
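The thread's fix hinges on three pieces fitting together: an `ip inspect name ... http ... urlfilter` rule, the `java-list` ACL it references, an `ip urlfilter server vendor websense` entry, and the rule actually being bound to an interface with `ip inspect <name> in`. The audit below is an added example (not code from the thread or from Cisco) that checks a running-config for those pieces and also flags `ip urlfilter allow-mode on`, which lets HTTP through unfiltered whenever the Websense server is unreachable. The sample config is a constructed, trimmed version in the style of the one posted above.

```python
import re

# Constructed sample in the style of the CBAC/urlfilter config posted in the thread
# (hypothetical trimmed config, not the poster's full running-config).
SAMPLE_CONFIG = """\
ip inspect name FastEthernet0 http java-list 51 urlfilter timeout 30
ip inspect name FastEthernet0 tcp
ip urlfilter allow-mode on
ip urlfilter server vendor websense 192.168.1.10 timeout 20
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip inspect FastEthernet0 in
!
access-list 51 permit 192.168.1.0 0.0.0.255
"""

def audit_urlfilter(config):
    """Check that CBAC URL filtering is wired up end to end and note fail-open settings."""
    urlfilter_rules, java_lists, servers, acls, applied = set(), {}, [], set(), set()
    allow_mode_on = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip inspect name (\S+) http(?: java-list (\d+))?(.*)", line)
        if m:                                   # the http inspect rule carrying urlfilter
            name, jlist, rest = m.groups()
            if "urlfilter" in rest.split():
                urlfilter_rules.add(name)
            if jlist:
                java_lists[name] = jlist
        elif (m := re.match(r"ip urlfilter server vendor (\S+) (\S+)", line)):
            servers.append((m.group(1), m.group(2)))
        elif line == "ip urlfilter allow-mode on":
            allow_mode_on = True                # fail-open when the filter server is down
        elif (m := re.match(r"access-list (\d+) ", line)):
            acls.add(m.group(1))
        elif (m := re.match(r"ip inspect (\S+) (?:in|out)$", line)):
            applied.add(m.group(1))             # rule actually bound to an interface
    findings = []
    if not servers:
        findings.append("no ip urlfilter server configured")
    for name in sorted(urlfilter_rules):
        if name not in applied:
            findings.append(f"rule {name} has urlfilter but is not applied to any interface")
        jlist = java_lists.get(name)
        if jlist and jlist not in acls:
            findings.append(f"rule {name} references undefined java-list {jlist}")
    if allow_mode_on:
        findings.append("allow-mode on: HTTP passes unfiltered if the filter server is unreachable")
    return {"servers": servers, "applied": sorted(applied), "findings": findings}
```

Feed it the text of `show running-config`; an empty `findings` list means the filter server, the inspect rule, its java-list ACL and the interface binding are all present and allow-mode is off.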