01-10-2003 12:21 PM - edited 03-09-2019 01:38 AM
Hello,
Has anyone successfully gotten the Websense product to work with an IOS router?
We have downloaded IOS ver 12.2(11)YU; this code is supposed to work with Websense. Websense tells us officially they have not announced that it would work, but they tell us that the current version of Websense 4.4.1 will work.
Anyone running this with IOS?
If so, how was the router configured?
thanks
-pat
01-10-2003 12:25 PM
Is the version of WebSense for Cisco IOS? I think the actual WebSense program has to be designed to listen to an IOS router. I don't think you can mix them up.
RobertG...
01-10-2003 12:38 PM
Thanks for the reply.
It is the PIX edition, but according to Websense this is the correct version, and they don't specifically have a version for the IOS code. They tell me that the same APIs are involved.
-pat
01-10-2003 12:44 PM
Really? Let me know if you get it to work. I am currently running the PIX version myself. Do you have a packet sniffer to see if the packets are actually getting out of the router and maybe the WebSense server just isn't responding? Also, is there any kind of debugging [router] you can turn on?
RobertG...
01-18-2003 09:01 AM
Looks like you need to be running the IOS Firewall feature set.
http://www.cisco.com/en/US/products/hw/routers/ps2167/prod_bulletin09186a008011da2e.html
Kevin
01-19-2003 08:31 AM
Thanks for the URL. We got it working with IOS. The key was doing the inspect statements (i.e. the firewall feature set), so you are right, this is key.
thanks
-pat
01-19-2003 01:54 PM
Good, can you post a sample config of the CBAC...
Thanks,
RobertG...
01-19-2003 07:54 PM
At most of our branch offices we have 2600s installed; I can't find that IOS image for any higher-end router [2600 or 3600].
I am hoping that the new IOS version 12.2(14)T supports higher-end routers, such as the 2600s. According to the link, it looks like 12.2(14)T will be the final release at the end of the first quarter.
RobertG...
01-20-2003 11:36 AM
Hello,
Here is a sample config we got to work with WebSense. There is some VPN stuff in here, but essentially it was the inspect statements and java-list 51 that got it working. ALSO, to my knowledge it has to be Ver. 12.2(11)YU.
Not sure if this is out for the 2600??
-pat
Affordable_Fram#show ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.2(11)YU, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(13.1u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 21-Dec-02 02:37 by ealyon
Image text-base: 0x80008120, data-base: 0x80FF6474
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9O3SY7-M), Version 12.2(11)YU, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Affordable_Fram uptime is 2 days, 21 hours, 23 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k9o3sy7-mz.122-11.YU.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44033K/5119K bytes of memory.
Processor board ID FOC063708FZ (2881620591), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Affordable_Fram#
Affordable_Fram#wr term
Building configuration...
Current configuration : 3643 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Affordable_Fram
!
logging buffered 4096 debugging
no logging console
enable password ZA19RX
!
username coghlin_cns password 0 tryit789
username coghlin password 0 coghlin
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
! CBAC inspection rule. The "urlfilter" keyword on the http line is what hands
! each outbound HTTP request to the Websense server defined below; java-list 51
! names the standard ACL of source networks whose Java applets are allowed.
! Note: CBAC only inspects traffic on an interface where the rule is applied
! with "ip inspect FastEthernet0 in"; no such line appears in this capture.
ip inspect name FastEthernet0 http java-list 51 urlfilter timeout 30
ip inspect name FastEthernet0 tcp
ip inspect name FastEthernet0 ftp
ip inspect name FastEthernet0 smtp
ip inspect name FastEthernet0 h323
ip inspect name FastEthernet0 rcmd
ip inspect name FastEthernet0 udp
ip inspect name FastEthernet0 cuseeme
ip inspect name FastEthernet0 realaudio
ip inspect name FastEthernet0 streamworks
ip inspect name FastEthernet0 vdolive
ip inspect name FastEthernet0 sqlnet
! allow-mode on = fail open: HTTP is forwarded unfiltered if the Websense
! server cannot be reached (the IOS default, allow-mode off, drops it instead).
ip urlfilter allow-mode on
ip urlfilter audit-trail
ip urlfilter urlf-server-log
ip urlfilter alert
! The Websense server the router queries for each URL.
ip urlfilter server vendor websense 192.168.1.10 timeout 20
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key a3%h&5$887Y%c9NR address 1.2.3.4
crypto isakmp key test address 2.4.6.8 no-xauth
!
crypto isakmp client configuration group remote_access
key ciscociscoRX
dns 1.1.1.1
pool ippool
acl 150
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
crypto ipsec transform-set Amica esp-3des esp-md5-hmac
!
crypto dynamic-map mymap 13
set transform-set remotesite
crypto dynamic-map mymap 20
set peer 2.4.6.8
set transform-set remotesite
match address 121
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 13 ipsec-isakmp dynamic mymap
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip nat inside
!
interface Ethernet0
ip address 2.4.6.7 255.255.255.248
ip nat outside
no ip route-cache
ip policy route-map nonat
no ip mroute-cache
half-duplex
crypto map mymap
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
!
router eigrp 100
network 172.16.0.0
network 192.168.1.0
auto-summary
!
ip local pool ippool 172.16.30.1 172.16.30.254
ip nat inside source list 122 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 2.4.6.18
no ip http server
no ip http secure-server
ip pim bidir-enable
!
!
!
ip access-list extended console
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended service
ip access-list extended timeout
ip access-list extended wins-servers
!
access-list 1 permit any
access-list 51 permit 192.168.1.0 0.0.0.255
access-list 51 permit 172.16.30.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
set ip next-hop 1.1.1.2
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
password 7 11283B26341B180F0B3E393D
!
no scheduler allocate
end
Affordable_Fram#
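The thread's conclusion is that the Websense integration only works once the CBAC `ip inspect ... http ... urlfilter` rule, the `ip urlfilter server vendor websense` line and the rule's application to an interface are all present. Below is an added example (editor's code, not anything posted in this thread or shipped by Cisco or Websense) that parses an IOS running-config and reports which of those pieces are missing, plus two caveats a reviewer of the posted config would raise: `ip urlfilter allow-mode on` means HTTP is forwarded unfiltered whenever the Websense server is unreachable (IOS defaults to allow-mode off, which drops it), and the posted config stores its enable, username and line passwords in the clear. The sample config and the "fixed" variant are constructed here for illustration; the hash values in the fixed variant are placeholders, not real secrets.

```python
"""Audit an IOS running-config for a working CBAC/Websense URL-filter setup.

Added example, not code from the forum thread. Checks that the url-filter
inspect rule exists, that a Websense server is defined, that the rule is
actually applied on an interface, and flags fail-open and clear-text secrets.
"""
import re

# Constructed sample: a trimmed stand-in for the kind of config posted above.
SAMPLE_CONFIG = """\
no service password-encryption
enable password ZA19RX
username coghlin password 0 coghlin
ip inspect name FastEthernet0 http java-list 51 urlfilter timeout 30
ip inspect name FastEthernet0 tcp
ip urlfilter allow-mode on
ip urlfilter server vendor websense 192.168.1.10 timeout 20
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet0
 ip address 2.4.6.7 255.255.255.248
 ip nat outside
access-list 51 permit 192.168.1.0 0.0.0.255
"""

# Same config with the rule applied on the inside interface, allow-mode left at
# its fail-closed default, and hashed credentials (placeholder hashes, constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "no service password-encryption\nenable password ZA19RX\n"
    "username coghlin password 0 coghlin\n",
    "service password-encryption\nenable secret 5 $1$constructed$hash\n"
    "username coghlin secret 5 $1$constructed$hash\n",
).replace("ip urlfilter allow-mode on\n", "").replace(
    " ip nat inside\n", " ip nat inside\n ip inspect FastEthernet0 in\n", 1)

# "ip inspect name <rule> http ... urlfilter": the rule that invokes the filter server.
URLF_RULE = re.compile(r"^ip inspect name (\S+) http\b.*\burlfilter\b")


def parse_ios(text):
    """Split a running-config into global commands and per-interface sub-commands."""
    global_cmds, interfaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" comments carry no config
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            interfaces[cur].append(line.strip())  # indented sub-command
        else:
            cur = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_urlfilter(text):
    """Return a list of findings; an empty list means the filter is wired up."""
    g, ifs = parse_ios(text)
    findings = []

    rules = set()
    for line in g:
        m = URLF_RULE.match(line)
        if m:
            rules.add(m.group(1))
    if not rules:
        findings.append("no 'ip inspect name <rule> http ... urlfilter' rule: "
                        "HTTP is never handed to the URL filter")
    if not any(l.startswith("ip urlfilter server vendor ") for l in g):
        findings.append("no 'ip urlfilter server vendor ...' line: no Websense server to query")

    # A CBAC rule only inspects traffic on an interface where it is applied.
    applied = {l.split()[2] for lines in ifs.values() for l in lines
               if l.startswith("ip inspect ") and len(l.split()) == 4}
    for rule in sorted(rules - applied):
        findings.append(f"rule '{rule}' is defined but never applied: "
                        f"add 'ip inspect {rule} in' on the inside interface")

    if "ip urlfilter allow-mode on" in g:
        findings.append("allow-mode on: HTTP passes unfiltered whenever the "
                        "Websense server is unreachable (fail-open)")

    # Credential hygiene: the thread's config shows every secret in the clear.
    if "no service password-encryption" in g:
        findings.append("no service password-encryption: line/username passwords stored in clear text")
    if any(l.startswith("enable password ") for l in g) and \
            not any(l.startswith("enable secret ") for l in g):
        findings.append("enable password without enable secret: use 'enable secret' (hashed)")
    for l in g:
        if l.startswith("username ") and " password 0 " in l:
            findings.append(f"clear-text password for user '{l.split()[1]}': use 'username ... secret'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit_urlfilter(cfg) or ['no findings']}")
```

Run against the constructed sample the audit reports the unapplied inspect rule, the fail-open allow-mode and the three clear-text credential issues; against the fixed variant it reports nothing. The parser deliberately treats only indented lines as interface sub-commands, which matches how `show running-config` (or `wr term`, as used above) indents them, so it can be pointed at a saved capture without any preprocessing.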