Websense via PIX EasyVPN 1

[pilgrimbill]

I am using a Cisco PIX with a Websense server for internet filtering, and it is working fine.

However, I have a remote user with a PIX 501 who uses the 501 EasyVPN setup to VPN into our network. His remote PIX ought to be able to URL filter, at least WebSense says so, using the internal Websense server through the VPN but it won't work.

If I plug in his PIX inside the firewall it sees the Websense server and filters fine.

If I plug into the cable modem at home and VPN in, I can ping and telnet the WebSense server but filtering doesn't work. The Websense filter never gets the filter requests from the remote PIX.

Websense says it's not their problem and I don't have a Cisco support contract. Any suggestions?

 

[baddos]

Is your websense server on the same network as the primary pix?

 

[pilgrimbill]

We have a PIX 506 as the outside firewall, a hub inside that which is connected to our existing filter server (SurfControl, we are evaluating WebSense as a possible replacement), and inside that a switch which serves the single internal network. I unplug the SurfControl filter when I test WebSense. I don't know all the details of the configuration of the PIX and the switch.

I got the PIX 501 to work plugged inside the switch. I haven't tried it plugged into the hub outside the switch - that would take some work and the switch is not under my immediate control.

It could be a routing issue insude the PIX or switch but I am more suspicious of a VPN interaction. Is the PIX smart enough to route its internally generated URL filtering requests through the VPN?

 

[irbk]

pilgrimbill
Did you ever figure out your issue? I see this post was from back in January and no new post's since then. I'm having the exact same issue as you. Locally Websense is working fine but my external locations (doing a pix to pix vpn just like you) are not sending the filter requests to the websense server. Did you ever resolve the issue? If so how?

 

[OUCATS]

This is just a shot in the dark, but have you enabled the remote PIXs to point to the websense server?

WebSENSE URL Filtering
If your network has a WebSENSE server on any network interface, you can provide URL filtering through the PIX Firewall.

To configure the PIX Firewall to use WebSENSE:


--------------------------------------------------------------------------------

Step 1 Specify the interface and IP address of the WebSENSE server with the url-sever command as shown in this example:

url-server (dmz) host 192.168.1.42 timeout 10


In this example, the WebSENSE host is on the dmz interface at IP address 192.168.1.42. A timeout value of 10 seconds is specified as maximum allowed idle time before the PIX Firewall switches to the next WebSENSE server.

Step 2 Use the filter url http command to tell the PIX Firewall how to filter requests. For example, to filter requests for all hosts, use:

filter url http 0 0 0 0 allow


--------------------------------------------------------------------------------
Note The allow option in the filter command is crucial to the use of PIX Firewall URL filtering feature. If you use the allow option and the WebSENSE server goes offline, the PIX Firewall lets all Web requests continue without filtering. If the allow option is not specified, all port 80 Web requests are stopped until the server is back online.
--------------------------------------------------------------------------------

Step 3 If you want to disable URL filtering, use the no filter url command.

 

[irbk]

To answer your question "yes". From what I have read, and what I have had to do, it seems to be impossible to get websense to actually work through the VPN connection. All the situations of this that I have read about and what I had to do ended up having to NAT an IP address outside of the Network. This means that the websense requests are actually sent though the internet, not through the VPN. This makes me and my boss rather cranky because this shouldn't need to be this way.

 

[OUCATS]

We have a PIX to PIX VPN running right now and are thinking about implementing WebSense. But I need to be able to have all of the remote PIXs funnel URL requests through the WebSense server located in our main office. It really seems like a gapping hole in either their product or the PIX OS. Anyone have any ideas??

 

[irbk]

Oucats,
This is exctally the same set up that we have. 1 Central location running a PIX 506 and 6 "remote" locations that are running PIX 501's. The 501's connect to the central location via PIX to PIX VPN connections. Does it create a hole in you're firewall? Yes. Is it a "gaping" hole? Not so much. If you sit and think about it. Lets say for example that the External IP for my central PIX is 10.10.10.1 and the External IP for my "remote" PIX is 10.10.10.2-7. What you do at the central location is you allow access to 10.10.10.1 only from the 10.10.10.2-7 IP addresses. At the "remote" location (lets say 10.10.10.2) you allow access to 10.10.10.2 only from 10.10.10.1. So you can see that it's not what I would call a gaping hole but it is a hole none the less. The biggest problem with this that I can see (asside from the fact that there IS a hole when there shouldn't need to be) is that the websense request is then sent directly though the internet where there is a posibility of it being intercepted. I'm not sure what harm an interception could cause but I'm sure that it would be bad juju. If you would like, feel free to contact me directly regarding seting up the central and remote PIX.

 

[OUCATS]

Irbk,
OK, I've decided to bring in Websense and see what it can do. So far I have it configured for our main office and it's working great. But before our eval license expires, I need to get our remote PIXs configured to filter through websense also. I have a local PIX 506 and 10 remote PIX 501 that connect to our main office via a PIX-to-PIX VPN. The VPN is up and running and I'm able to connect to network resources. But the remote PIX is not filtering through websense. I have added these two lines to the remote PIX:

url-server (inside) vendor websense host 10.1.1.200 timeout 5 protocol TCP version 1
filter url http 0 0 0 0 allow

10.1.1.200 is the Websense server on the INSIDE of our network. Currently I do not have a DMZ so what I am thinking is that all internet requests will have to come through the VPN in order to get to the Websense server. Is this possible?

Thanks!

 

[irbk]

Well your about 1/2 way there. Your flaw is trying to get the websence requests to go through the PIX to PIX VPN connection. THAT is just not going to happen. What you have to do is poke a hole at the central location allowing any traffic from the remote locations IP to access your webserver. You also need to poke a hole in the remote location allowing any traffic from your websense server to the remote location. THEN you have to point your url-server command to the outside interface and use the external IP of your websence server.

 

[irbk]

Oucats, here is a little doc I wrote so that I remembered what I did. Hope it might be of some help for you.

-Central Location-
*all commands assumed run in config t mode*

1. (Optional Command however this config written assuming you created this name) Create a name for Websense.
"name <websense_server_internal_ip> WebSenSvr"

2. Create the static NAT of an external IP to your Websense server.
"static (inside,outside) <external_IP_to_Websense> WebSenSvr dns netmask 255.255.255.255 0 0"

3. Allow the access of the remote site to the external IP of your Websense server. (you must use this command for each remote location)
"access-list outside_access_in permit tcp host <remote_site_Pix_external_ip> host <external_IP_to_Websense>"

4. Configure the PIX to send the requests to Websense.
"url-server (inside) vendor websense host WebSenSvr timeout 5 protocol TCP version 1"

5. Configure the PIX to filter the requests.
"filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0"

6. Configure advanced URL filtering options. (These selections may need tweaking)
"url-block url-mempool 5120"
"url-block url-size 4"
"url-block block 128"

The Central site is now configured for both URL filtering at the central location and set up to accept requests from the remote location(s).


-Remote Location-
*all commands assumed run in config t mode*

(Optional Commands allowing Pings and other testing protocalls through)
"access-list outside_access_in permit icmp any any echo-reply"
"access-list outside_access_in permit icmp any any unreachable"
"access-list outside_access_in permit icmp any any time-exceeded"
"access-list outside_access_in permit icmp any any traceroute"

1. Allow the access from the central location inside the firewall
"access-list outside_access_in remark websense"
"access-list outside_access_in permit tcp host <external_IP_to_Websense> any"

2. Configure the PIX to send the requests to Websense.
"url-server (outside) vendor websense host <external_IP_to_Websense> timeout 5 protocol TCP version 1"

3. Configure the PIX to filter the requests.
"filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0"

6. Configure advanced URL filtering options. (These selections may need tweaking)
"url-block url-mempool 1500"
"url-block url-size 4"
"url-block block 128"

The Remote location is now configured to send the URL filtering requests to the websense server.

In order to check if the URL filtering is working properly, connect to the PIX with telnet.
In config mode type
"sho url-server stat"
Make sure that "URL Server Status" is "UP".
If the status is "UP" the URL filtering should be working properly.

 

[OUCATS]

Currently our Firewall is completely closed except for Internet requests. I think I'd rather setup a DMZ and put the WebSense server there to better protect our corporate LAN. But after I do that, I can use the information you provided to setup the outside firewall to allow our remote users to resolve to the Websense server.

Thanks for you help, this is what I needed to know.

 

[irbk]

I understand your concern. I don't know if you would need to though. After all, the only hole that you would be poking is to X address from X address. It's about as safe as a hole as you can have, but none the less, it still is a hole and a DMZ is the best way to go. Hope all works out for you.

 

[OUCATS]

Another issue...
My remote users are home users and therefore they have just standard cable/DSL high speed Internet access. And to save on cost (and because it's never been needed) all remote users are getting dynamic IPs from their ISP. Inorder to get the remote PIXs to work with Websense they will all need to be changed to static so that I can nail down a "remote_site_Pix_external_ip" for the main office firewall. Am I understanding this correctly?

Thanks!

 

[irbk]

Yes, if all your home users have a PIX, you will need them to have a static IP or you will have to change the config every time there IP changes. In theory, the IP should only change if they reboot the modem, so it shouldn't be all that often but trust me, get static IP's.

 

[OUCATS]

Update -- It's Working Remotely

Thanks to help from this post, Websense and Cisco, I have been able to get the remote PIXs to pass Internet requests through the VPN tunnel and was able to keep the remote location using a dynamic IP.

The necessary lines are posted below to assist others (and to be critiqued)....

Remote PIX Configuration:
access-list 102 permit ip host <central_pix_outside_ip> host <websense_server_ip>
access-list no-nat permit ip host <central_pix_outside_ip> host <websense_server_ip>
management-access inside
url-server (inside) vendor websense host <websense_server_ip> timeout 5 protocol TCP version 1
sysopt connection permit-ipsec
filter url http 0 0 0 0
url-block url-mempool 1280
url-block url-size 4
url-block block 128

Central PIX Configuration:
access-list 102 permit ip host <websense_server_ip> host <remote_pix_outside_ip>
access_list no-nat permit ip host <websense_server_ip> host <remote_pix_outside_ip>
url-server (inside) vendor websense host <websense_server_ip>
filter url http 0 0 0 0
sysopt connection permit-ipsec
url-block url-mempool 5120
url-block url-size 4

 

[irbk]

Hmmmm.... that looks sort of like the thing that websense sent me when I was trying to first set it up. All except for the "sysopt connection permit-ipsec" THAT looks new. Wonder if they finally figured it out. So you have it working going through the VPN now? Hmmmm.... I wonder if I want to dink around changing all my configurations. Sure, getting it to work through the VPN is good and more secure. However, if it's not broke.........

 

[OUCATS]

Most of the config additions came from websense, but I was still unable to get it working correctly. So I opened a TAC with Cisco and sent them my remote and central configs and a network diagram of how everything was setup (with inside and outside IPs) and they said to add the lines below to my remote PIX:

management-access inside
url-server (inside) vendor websense host <websense_server_ip> timeout 5 protocol TCP version 1
sysopt connection permit-ipsec

(I already had the sysopt connection permit-ipsec on my central PIX)

Once I added these lines (to the ones I received from Websense) it worked without any problems. Now, I looked over all of the added configs and tried to figure out what they were doing. Hopefully, everything is still as secure as it was before but with some of the configs it's pretty confusing figuring out exactly what they do.

 

[irbk]

How are you creating the VPN tunnel with a dynamic IP on the remote end?