Hello,
We are trying to set up Websense on our network for internet filtering. We have it up and running in our central location and it works without flaw. However, we are now starting to work on our external locations (that are connected to the central location via PIX-to-PIX VPN connections) and are not having any success getting it to work. This is the config of my external PIX.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nY7BQPNHk/cPld4u encrypted
passwd nY7BQPNHk/cPld4u encrypted
hostname Sandiego
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.0.0 Milwaukee
name 192.168.7.0 Raleigh
name 192.168.5.0 Ventura
name 192.168.4.0 Chicago
name 192.168.9.0 LasVegas
name 192.168.2.0 Oakridge
name 192.168.6.0 Madison
name 192.168.3.0 Atlanta
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Milwaukee 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Raleigh 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Ventura 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Chicago 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 LasVegas 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Oakridge 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Atlanta 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.8.0 255.255.255.0 Milwaukee 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.8.0 255.255.255.0 Madison 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.8.0 255.255.255.0 Atlanta 255.255.255.0
access-list outside_access_in remark CCU
access-list outside_access_in permit ip host <CCU_External_IP> any
access-list outside_access_in remark TN Corporate
access-list outside_access_in permit ip host <External_IP_of_Central_PIX> any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any traceroute
access-list outside_cryptomap_40 permit ip 192.168.8.0 255.255.255.0 Raleigh 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.8.0 255.255.255.0 Ventura 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.8.0 255.255.255.0 Chicago 255.255.255.0
access-list outside_cryptomap_100 permit ip 192.168.8.0 255.255.255.0 LasVegas 255.255.255.0
access-list outside_cryptomap_120 permit ip 192.168.8.0 255.255.255.0 Oakridge 255.255.255.0
pager lines 24
icmp permit any traceroute inside
mtu outside 1500
mtu inside 1500
ip address outside <External_Pix_IP> <External_Pix_Subnet>
ip address inside 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.8.0 255.255.255.0 inside
pdm location Milwaukee 255.255.0.0 outside
pdm location <CCU_External_IP> 255.255.255.255 outside
pdm location <External_IP_of_Central_PIX> 255.255.255.255 outside
pdm location 192.168.8.10 255.255.255.255 inside
pdm location Raleigh 255.255.255.0 outside
pdm location Ventura 255.255.255.0 outside
pdm location Chicago 255.255.255.0 outside
pdm location LasVegas 255.255.255.0 outside
pdm location Oakridge 255.255.255.0 outside
pdm location Atlanta 255.255.255.0 outside
pdm location Madison 255.255.255.0 outside
pdm location 172.16.1.25 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 <Internal_Server> 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <DSL_Modem_IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (outside) vendor websense host 172.16.1.25 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http <CCU_External_IP> 255.255.255.255 outside
http <External_IP_of_Central_PIX> 255.255.255.255 outside
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <External_IP_of_Central_PIX>
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer <External_Office>
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer <External_Office>
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer <External_Office>
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer <External_Office>
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer <External_Office>
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <External_Office> netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 128
terminal width 80
Cryptochecksum:9f1fdd12c4888932aadbffa703c9de54
: end
[OK]
According to Websense you need to add the following lines to the config.
access-list 102 permit ip host <pix_outside_IP> host <websense_server_ip>
and
access-list nonat permit ip host <pix_outside_IP> host <websense_server_ip>
When I add these lines, I am still unable to get the external PIX to forward the request to the Websense server. Also, if I go into the PIX PDM, go to "Options" and then "Show Commands Ignored by PDM on Firewall", it shows the above two commands as being ignored. I think I have figured out that it wasn't able to parse the commands because an access list needs to be applied to a specific interface (be it inside or outside). What I don't know is how to properly get these commands into the PIX. Anyone try to do the same thing or have any suggestions?
Thanks in advance.
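Added example, not part of the post above and not Websense's or Cisco's code: a small checker that reads the PIX 6.3 lines that decide whether a flow enters the IPsec tunnel and reports two things the post is stuck on. First, which access-lists are defined but referenced by no `crypto map ... match address`, `nat ... access-list` or `access-group` line; the PIX stores such an ACL but never consults it, which is the situation behind "Commands Ignored by PDM" for `102` and `nonat`. Second, whether a given source/destination pair is permitted by an ACL that is actually bound to a crypto map or to `nat 0`. The sample config is constructed from the post's own lines; `<External_Pix_IP>` is replaced by the made-up documentation address 203.0.113.8, and the example follows the Websense instructions quoted in the post in treating the PIX outside address as the source of the URL lookups to 172.16.1.25. The "after" config is an assumption about the fix (append the host-to-host entry to the ACLs that are already bound rather than creating new unbound ones); the central PIX would need the mirror-image crypto ACL entry, which the example does not model.

```python
"""Check a PIX 6.3 config for the path URL-filter lookups take to a Websense server.

Added example, not from the post. It parses the ACL, name, nat, access-group and
crypto-map lines and answers two questions:
  1. which access-lists are defined but bound to nothing (the case the post
     sees reported as "ignored" by PDM), and
  2. whether a given src->dst flow is permitted by an ACL bound to a crypto map
     (so it enters the tunnel) or to nat 0 (so it is exempt from NAT).
"""
import ipaddress
import re

# Constructed sample: the lines from the post that matter, with <External_Pix_IP>
# replaced by an assumed documentation-range address (not a real deployment).
PIX_OUTSIDE_IP = "203.0.113.8"   # assumed stand-in for <External_Pix_IP>
WEBSENSE_IP = "172.16.1.25"      # url-server host from the post

CONFIG_BEFORE = """\
name 172.16.0.0 Milwaukee
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 Milwaukee 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.8.0 255.255.255.0 Milwaukee 255.255.0.0
access-list outside_access_in remark TN Corporate
access-list outside_access_in permit icmp any any echo-reply
access-list 102 permit ip host 203.0.113.8 host 172.16.1.25
access-list nonat permit ip host 203.0.113.8 host 172.16.1.25
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
url-server (outside) vendor websense host 172.16.1.25 timeout 5 protocol TCP version 1
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Assumed fix: the same entries appended to the ACLs that are already bound.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list outside_cryptomap_20 permit ip host 203.0.113.8 host 172.16.1.25
access-list inside_outbound_nat0_acl permit ip host 203.0.113.8 host 172.16.1.25
"""


def _names(config):
    """'name <ip> <label>' lines: label -> ip, so ACLs can use the labels."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)$", config, re.M)}


def _addr_spec(tokens, names):
    """Consume one PIX address spec (host A | any | A MASK); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr = names.get(tokens[0], tokens[0])
    # ipaddress accepts a dotted netmask after the slash when strict=False
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(action, protocol, src_net, dst_net), ...]} in config order."""
    names, acls = _names(config), {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] != ["access-list"] or len(parts) < 6 or parts[2] == "remark":
            continue
        src, rest = _addr_spec(parts[4:], names)
        dst, _ = _addr_spec(rest, names)
        acls.setdefault(parts[1], []).append((parts[2], parts[3], src, dst))
    return acls


def bound_acls(config):
    """ACL name -> what binds it; the PIX only acts on an ACL through one of these."""
    bound = {}
    patterns = [
        (r"^crypto map \S+ \d+ match address (\S+)", "crypto"),
        (r"^nat \(\S+\) 0 access-list (\S+)", "nat0"),
        (r"^access-group (\S+) in interface", "interface"),
    ]
    for pattern, kind in patterns:
        for m in re.finditer(pattern, config, re.M):
            bound[m.group(1)] = kind
    return bound


def unbound_acls(config):
    """ACLs the PIX accepted but never references anywhere."""
    return sorted(set(parse_acls(config)) - set(bound_acls(config)))


def _permits(entries, src, dst):
    """First-match evaluation for a plain IP flow, with the implicit deny at the end."""
    for action, proto, snet, dnet in entries:
        if proto == "ip" and src in snet and dst in dnet:
            return action == "permit"
    return False


def acls_covering(config, src_ip, dst_ip, kind):
    """Names of ACLs bound as `kind` ('crypto', 'nat0', 'interface') that permit src->dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    bound = bound_acls(config)
    return sorted(name for name, entries in parse_acls(config).items()
                  if bound.get(name) == kind and _permits(entries, src, dst))


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"[{label}] unbound ACLs: {unbound_acls(cfg)}")
        print(f"[{label}] crypto ACLs carrying {PIX_OUTSIDE_IP}->{WEBSENSE_IP}: "
              f"{acls_covering(cfg, PIX_OUTSIDE_IP, WEBSENSE_IP, 'crypto')}")
```

Run as-is, the "before" case reports `102` and `nonat` as unbound and no crypto-bound ACL carrying the outside-address-to-172.16.1.25 flow, while an inside host such as 192.168.8.10 is already covered by `outside_cryptomap_20`; that asymmetry is why LAN traffic reaches Milwaukee but the firewall's own lookups do not. Whether the `nat 0` entry is needed at all for traffic the PIX originates is not settled by the post, so the checker reports it separately rather than treating it as required.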