
Websense URL Filtering

pkapoor
Level 3

I am trying to set up Websense URL filtering. The configuration is pasted below. IOS version "c1841-advipservicesk9-mz.123-14.T6.bin". However, when I do a "sh ip urlfilter config", I see that the Websense URL Filtering is disabled.

-----------------------------------------

Router#wr t
Building configuration...
Current configuration : 1728 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret level xxxx
enable password xxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip inspect name myfw http urlfilter
ip inspect name myfw ftp
ip inspect name myfw smtp
ip inspect name myfw h323
ip urlfilter cache 12000
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit http://www.cisco.com
ip urlfilter audit-trail
ip urlfilter server vendor websense 10.215.129.121
!
no ftp-server write-enable
!
!
!
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
 ip address 10.215.129.120 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 100.100.x.x.255.255.0
 ip access-group 102 in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
!
!
ip http server
no ip http secure-server
!
access-list 102 permit icmp any any
access-list 102 deny tcp any any
access-list 102 deny udp any any
access-list 102 deny ip any any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password xxx
 login
!
end

Router#

---------------------------------

Router# sh ip urlfilter config
Websense URL Filtering is DISABLED

Primary Websense server configurations
=========================================
Websense server IP address Or Host Name: 10.215.129.121
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2

Secondary Websense servers configurations
============================================

Other configurations
=====================
Allow Mode: OFF
System Alert: ENABLED
Audit Trail: ENABLED
Log message on Websense server: DISABLED
Maximum number of cache entries: 12000
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000

Router#

------------------------------

Any help would be appreciated.

Paras

8 Replies

a.kiprawih
Level 7

Hi,

The urlfilter is OFF by default. You have to turn it ON using the following command:

router(config)#ip urlfilter allowmode [on | off]

ON - Allows HTTP requests to pass to the end user if all Websense servers are down.

OFF - Blocks all HTTP requests if all Websense servers are down; off is the default setting.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0e.html#wp1027188

** Refer to Step 12.

Rgds,

AK

Thanks for the response.

Step 12 is an optional step and does not turn on URL filtering. It just turns on/off the DEFAULT ACTION if all URL filtering servers are DOWN.

----------------------------

(Optional) Turns on the default mode of the filtering systems.

on - Allows HTTP requests to pass to the end user if all Websense servers are down.

off - Blocks all HTTP requests if all Websense servers are down; off is the default setting.

----------------------------

Anyways, I did try turning on the allow-mode but I still see that Websense URL Filtering is DISABLED.

Fernando_Meza
Level 7

Hi, the config seems OK. I suggest upgrading to c1841-advipservicesk9-mz.123-14.T7.bin, as the one you are currently using had several issues after being released.

http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/printsa.pl?get_crypto=&data_from=&hardware_name=1841&software_name=&release_name=12.3.14T6&majorRel=12.3&state=:HW:RL&type=Early%20Deployment&file=12.3.14T6.c.html

Dear Cisco Customer,

Cisco engineering has identified at least one serious software issue with the release which you have selected that may affect your use of this software. Please review the Software Advisory notice below to determine if the issue(s) apply to your network. You may proceed to download this software if you have no concerns with the issue(s) described.

For more comprehensive information about what is included in this software, please refer to the Cisco software Release Notes. For more information about Cisco Advisories, please review Cisco Advisory Product Bulletin #1654.

I hope it helps .. please rate it if it does !!!

That did not help Fernando.

-----------------------------------

Router#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.3(14)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Mar-06 16:41 by pwade

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by reload at 13:40:15 UTC Thu Aug 17 2006
System image file is "flash:c1841-advipservicesk9-mz.123-14.T7.bin"

-----------------------------------

-----------------------------------

Router#sh ip url con
Websense URL Filtering is DISABLED

Primary Websense server configurations
=========================================

Secondary Websense servers configurations
============================================
Websense server IP address Or Host Name: 10.215.129.121
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2

Other configurations
=====================
Allow Mode: ON
System Alert: ENABLED
Audit Trail: ENABLED
Log message on Websense server: DISABLED
Maximum number of cache entries: 12000
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000

-----------------------------------

dzambranot
Level 1

Any luck?

I'm having the exact same problem and don't have a clue.

Thanks, regards

Here's a Websense document on how to integrate their system with Cisco devices. It covers IOS routers, ASA devices and PIX firewalls. HTH.

Yes, I managed to get it working.

First thing I did was test if the router could ping the Websense server (assuming that ICMP is allowed). I found that the router could not reach the Websense server. This is because of some internal routing issues and the VPN's interesting traffic (my Websense admin had placed the server somewhere in Timbuktu) :-D

Once I got the routing issue resolved, my problem was fixed.

However, now I am having a different issue. Now the disallowed pages will get blocked but the clients do not get the redirected page from the Websense server.

Any ideas on this?
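
The diagnosis described in the reply above, as an added example that is not part of the original thread: a Python parser for "show ip urlfilter config" output that reports the filtering state, the servers listed under each section, and the allow-mode setting. The sample text is constructed from the second output posted in the thread, the function names are hypothetical, and the reachability hint reflects the cause reported in this thread rather than documented IOS behaviour.

```python
import re

# Constructed sample, abridged from the second "sh ip url con" output in the thread.
SAMPLE = """\
Websense URL Filtering is DISABLED
Primary Websense server configurations
=========================================
Secondary Websense servers configurations
============================================
Websense server IP address Or Host Name: 10.215.129.121
Websense server port: 15868
Other configurations
=====================
Allow Mode: ON
Audit Trail: ENABLED
"""

def parse_urlfilter(text):
    """Parse the show output into state, per-section servers and other settings."""
    result = {"vendor": None, "state": None, "servers": [], "settings": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) <= {"=", "-"}:
            continue                                  # blank or ruler line
        m = re.match(r"(\w+) URL Filtering is (\w+)", line)
        if m:
            result["vendor"], result["state"] = m.group(1), m.group(2)
        elif line.endswith("configurations"):
            section = line.split()[0].lower()         # primary / secondary / other
        elif ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key.endswith("IP address Or Host Name"):
                result["servers"].append({"role": section, "host": value})
            elif key.endswith("server port") and result["servers"]:
                result["servers"][-1]["port"] = int(value)
            elif section == "other":
                result["settings"][key] = value
    return result

def findings(cfg):
    """Hints to check first when filtering is reported as DISABLED."""
    out = []
    if cfg["state"] == "DISABLED":
        for s in cfg["servers"]:
            out.append(f"DISABLED: confirm the router can reach {s['host']} port {s.get('port')}")
        if cfg["settings"].get("Allow Mode") == "ON":
            out.append("Allow Mode ON: HTTP requests pass while no server is reachable")
    return out
```

With Allow Mode ON the router fails open, so a DISABLED state caused by an unreachable server means HTTP requests are passed rather than blocked.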

eracer106
Level 1

This might be too late but you might want to check your access-list. Looks like that same interface is also using the 102 access-list so it might be blocking the replies you get from your Websense server. But other than that, I don't see anything wrong with the config.