We help IT Professionals succeed at work.

Websense integrated with Cisco ASA 5510

CityofKerrville
on
Medium Priority
9,127 Views
Last Modified: 2012-06-21
Good Morning EE,

We recently set up our new websense server to integrate with our ASA 5510.  I have read through the deployment guide and also followed the instructions found here :

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23288643.html

I think we are still missing something and have a couple of questions.

When integrated with the ASA, do we still need to worry about the port spanning on the switch that the server is plugged directly into?
During some initial testing last Friday we were able to see the Websense server in action as I set up a est policy to block all for myself, though when we set monitor only policy for the entire domain and let it run through the weekend, it returned no data when we ran a report to see what was monitored.  Additionally, the monitoring somehow blocked our IronPort email filter from getting updates.

Does anyone have any ideas as to what we could me missing?  Documentation is good, Diagrams are better, and set-by-step walk-through's are fantastic.  As stated above I have already read through the deployment guide (which really says nothing helpful anyway) and any previous posts here on EE but still need a little more guidance.

NOTE:  Users are link either directly to the same switch as the Websense server or through various WAN links (T1, Metro Ethernet, Managed VPN) behind a Cisco 2821 router.
Websense.jpg
Comment
Watch Question

Top Expert 2010
Commented:
Sounds like the websense is setup correctly if you were able to setup a policy and block yourself from accessing websites.  

I'll guess that the issue will be found in either the subnets you are monitoring in the ASA code or the Websense policy itself  and how it is set to catch traffic.  

Which subnet does your email server reside in?  

In your Filter URL command, what subnets do you have specified?  

In your Wesense box, can you summarize the policy?  ARe you using all ips for monitoring, all domain users?  

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
MikeKane,

Give a little bit to compile the answers to you question and I will get back to you.  Thanks you for the prompt response.

Author

Commented:
MikeKane,

1.  All of our server including the email filter that could not get updates reside in the 192.168.101.0 subnet

2.  here is what is currently in the firewall in regards to Websense
url-server (Inside) vendor websense host 192.168.101.245 timeout 10 protocol TCP version 4 connections 5
url-cache dst 128
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

3.  In Websense itself, we set up the default policy (monitoring only) and we pointed it to ALL client on the domain.
Top Expert 2010
Commented:
The ASA code looks correct and if this has not changed since your successful test, then I think we can safely eliminate the ASA code.     Again, if your test on yourself blocked the web requests and the monitoring and logging only is not catching anything, I would go back and triple check the policy you set for monitoring.    
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.