Websense (Urlfilter), Please Help.

Status
Not open for further replies.

23009

Technical User
Jul 16, 2009
4
CA
I have two groups of computers: First group IP are 172.17.5.x 255.255.0.0

Second Group IP are 172.17.6.X 255.255.0.0

I want the first group to be able to access the whole internet. The second group should only access
_____Following is my configuration, but it is not successful. All computers can access the first group computers access nothing except cisco.com. What should I change in the following context? If using websense (urlfilter) is not a good option, what should I choose?


ip inspect name web http java-list 2 urlfilter
!
!
ip urlfilter allow-mode off
ip urlfilter exclusive-domain permit .cisco.com
access-list 2 permit any

interface FastEthernet0/1
! connected to LAN
ip address 172.16.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet0/0
! connected to ISP
ip address dhcp
ip nat outside
ip inspect web in
........
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 2 permit 172.16.0.0 0.0.0.255
 
you don't have it configured to even use websense right now. when implemented properly you'd establish filters and assign clients to the filters within the websense application itself.
Code:
ip urlfilter server vendor websense <ip-address> [port <port-number>] [timeout <seconds>] [retransmit <number>]

ip urlfilter urlf-server-log

ip inspect name <inspection-name> http urlfilter
interface <type> <slot/port>
ip inspect <inspection-name> {in | out}

Examples of these commands are:
ip inspect name fw_url http urlfilter
interface FastEthernet 0/0
ip inspect fw_url in

ip urlfilter allow-mode {on | off}
the more i re-read your post it seems like you don't actually have a websense installation within your environment

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi, unclerico
Thanks.

I am new to cisco, I did not install websense. Could you give me the detailed configuration to finish my above requirement, if you use "urlfilter".
 
take a look at OpenDNS. it is a free service that is easy to integrate into your existing infrastructure. you'll remove all urlfilter statements and the firewall (ip inspect) statements from your configuration. from there the configuration depends on what DNS solution you use internally as you'll just point the DNS forwarders to the OpenDNS DNS servers.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you, unclerico
Maybe you misunderstand my purpose. What I want is 172.17.5.X can access all internet websites, 172.17.6.x can only access one website: (example). How can I configure this function? OpenDNS just lets you filter bad websites.
 
you have to configure websense to do that based on networks. the asa and the commands above only point to websense when an external request is made...websense handles that request
 
Hi North323/uncler
Could you give me some samples?
 