PIX-PIX: Forwarding Websense lookups over VPN tunnel?

cscott
Level 1
Level 1

I'm pretty sure you can't forward Websense lookups from a remote PIX over a VPN tunnel to a Websense server at the Corp HQ. Is that correct?

Is this a feature we're going to see in the 7.0 OS?

Given the nature of the Websense licensing (they don't care how many sites you have in the same company that are being filtered by one license key) I would assume this to be a PIX issue. We would love to have this feature, and I'm sure others would too.

4 Replies

drolemc
Level 6
Level 6

This info comes second-hand, so try it and see if it works. Add the outside interfaces of the VPN endpoint in the interesting traffic definition. The websense traffic should now be able to move over the tunnel.

I guess I missed the original post the first time around. Yes, as the above post pointed out, the scenario of passing Websense traffic across a LAN-to-LAN tunnel will indeed work by adding the remote PIX outside IP address into the crypto ACL. However, I will warn you that in practice this is a bad design. Invariably what happens is the responses from the Internet get back to the remote PIX before the responses from the Websense server. This causes delays, retransmissions, and in the end, very unhappy users.

As mentioned, it will work but please be prepared for an alternative solution if you choose to try this.

Sorry to put a damper on your idea...just a heads up.

Scott
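Added example (not from any poster on this thread): a PIX 6.3-style configuration showing the change the replies above describe, the remote PIX's own outside address added to the crypto ACL so its Websense lookups ride the LAN-to-LAN tunnel. All addresses, ACL and map names are constructed; the ISAKMP policy and pre-shared key are assumed to already exist and are not shown.

```cisco
! ---- Remote-site PIX (constructed addresses) ----
! Remote LAN 192.168.10.0/24, remote PIX outside 203.0.113.2
! HQ LAN 10.1.1.0/24, HQ PIX outside 198.51.100.2, Websense server 10.1.1.5

! Websense server is reached through the outside interface (via the tunnel),
! so the url-server is bound to "outside"; 5 s timeout, TCP, protocol version 4
url-server (outside) vendor websense host 10.1.1.5 timeout 5 protocol TCP version 4
! Filter every inside HTTP request; without "allow", HTTP is blocked if the
! Websense server is unreachable (fail-closed, which is what you want on a WAN)
filter url http 0 0 0 0

! Interesting-traffic (crypto) ACL: the usual LAN-to-LAN line ...
access-list l2l permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
! ... plus the PIX's own outside address to the Websense server.
! This is the line the thread is about: lookups are sourced from the outside
! interface, so without it they leave the box in cleartext toward the Internet.
access-list l2l permit ip host 203.0.113.2 host 10.1.1.5

crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address l2l
crypto map vpnmap 10 set peer 198.51.100.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
sysopt connection permit-ipsec

! ---- HQ PIX: the crypto ACL must mirror the remote side exactly ----
access-list l2l permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list l2l permit ip host 10.1.1.5 host 203.0.113.2
! Exempt the Websense replies from NAT so they match the tunnel, not the PAT pool
access-list nonat permit ip host 10.1.1.5 host 203.0.113.2
nat (inside) 0 access-list nonat

! ---- Checks on the remote PIX ----
! show url-server            -> server should show as UP once the tunnel is built
! show crypto ipsec sa       -> look for a security association with
!                              local ident 203.0.113.2/255.255.255.255 to 10.1.1.5
```

If `show url-server` stays DOWN, confirm the 203.0.113.2 to 10.1.1.5 host entry appears in the crypto ACL on both peers and that the HQ side has the matching NAT exemption.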

Yes that does in fact work. Thanks!!

Scott,

Have you guys given any thought to not sending the request to the website and to Websense at the same time? From an administrative point of view, if my company's employees are doing inappropriate things, I don't just want Websense to block it, I want it to kill the traffic completely. I do not want that traffic on my WAN link going out to the internet.

How much latency would it introduce for this to be changed so that the PIX does not forward the request to the website until it receives the reply back from Websense? Maybe give the administrator an option of how he/she wants to do it?

Thanks,

Chris

Glad to hear you have it working.

As for your question, I am not aware of any planned changes to the way the PIX works with respect to URL filtering. We implemented it the way it is now in an effort to reduce any latency and make it so the end users don't even know that they are being filtered. Implementing it the way you suggest would certainly increase the latency that the end user sees though I cannot provide you a hard and fast number for this as each environment is going to be a little different. I see the merits to adding a "nerd knob" as you suggest to let the administrator determine how they want the PIX to behave but again, I am not aware of any plans for this type of functionality at this time. If this is something you would like, I would encourage you to talk to your local Cisco account team and ask them to raise an enhancement request on your behalf for this functionality.

Sorry for not being able to give you the news you wanted to hear.

Scott
