Pix 506e not passing to Websense Server

Discussion in 'Cisco' started by ronboose, Nov 20, 2008.

    My PIX is not forwarding to my Websense server for URL filtering.

    I worked with a tech from Websense, who assured me that the Websense server is configured correctly.

    However, I'm going to include some notes on it as well.
    The Websense server has two NICs.
    NIC 1: Static private address, no gateway
    (everyone on the private network can ping this address)
    NIC 2: Static registered IP address on the same network as my router and PIX, pointing to my router as the gateway.

    This is also my FTP Server, which I have no problem hitting from the outside.


    Below is my PIX config; any help resolving why my PIX is not filtering with my Websense server would be greatly appreciated.

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ww1l5Q92YaRRQxfM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname ami
    domain-name ami-lewiston.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.16.0.0 Ligonier
    name 10.4.0.0 NTC2
    name 66.146.133.70 CMS-Support
    name 10.3.0.0 CassCity
    name 192.168.1.251 FTPServer
    object-group service CMS-Support tcp-udp
    port-object range 397 397
    object-group service jGo tcp
    port-object eq 449
    port-object eq telnet
    port-object range 8870 8876
    port-object eq 446
    port-object eq www
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.1.224 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Ligonier 255.255.0.0
    access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 NTC2 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.224 255.255.255.224
    access-list CMSClient_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
    access-list cms_access remark Rule to allow CMS support in
    access-list outside_access_in permit tcp host CMS-Support interface outside object-group CMS-Support
    access-list outside_access_in permit udp host CMS-Support interface outside object-group CMS-Support
    access-list outside_access_in permit tcp any interface outside object-group jGo
    access-list outside_cryptomap_60 permit ip 192.168.1.0 255.255.255.0 CassCity 255.255.0.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 12.2.81.170 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 1000 disable
    ip local pool CMSPool 192.168.1.235-192.168.1.245
    pdm location Ligonier 255.255.0.0 outside
    pdm location 192.168.1.224 255.255.255.224 outside
    pdm location NTC2 255.255.255.0 outside
    pdm location 192.168.1.253 255.255.255.255 inside
    pdm location CMS-Support 255.255.255.255 outside
    pdm location CassCity 255.255.0.0 outside
    pdm location 12.2.81.170 255.255.255.255 inside
    pdm location FTPServer 255.255.255.255 inside
    pdm location 12.2.81.169 255.255.255.255 outside
    pdm location 12.2.81.169 255.255.255.255 inside
    pdm location FTPServer 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 397 192.168.1.253 397 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.253 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface telnet 192.168.1.253 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 446 192.168.1.253 446 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 449 192.168.1.253 449 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8870 192.168.1.253 8870 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8871 192.168.1.253 8871 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8872 192.168.1.253 8872 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8873 192.168.1.253 8873 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8874 192.168.1.253 8874 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8875 192.168.1.253 8875 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8876 192.168.1.253 8876 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.2.81.161 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 64.184.36.11
    crypto map outside_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 12.150.59.70
    crypto map outside_map 40 set transform-set ESP-DES-SHA
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer 12.159.34.3
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 64.184.36.11 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 12.150.59.70 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 12.159.34.3 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    vpngroup CMSClient address-pool CMSPool
    vpngroup CMSClient dns-server 192.168.1.250
    vpngroup CMSClient default-domain ami.local
    vpngroup CMSClient split-tunnel CMSClient_splitTunnelAcl
    vpngroup CMSClient split-dns 192.168.1.250 10.4.0.250
    vpngroup CMSClient pfs
    vpngroup CMSClient idle-time 1800
    vpngroup CMSClient password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group CMSClient accept dialin pptp
    vpdn group CMSClient ppp authentication pap
    vpdn group CMSClient client configuration address local CMSPool
    vpdn group CMSClient client configuration dns 192.168.1.250
    vpdn group CMSClient pptp echo 60
    vpdn group CMSClient client authentication local
    vpdn username ron password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum:097baccbd9bc3cdfaee8de214ce1144d
    : end
    [OK]
    ronboose, Nov 20, 2008
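One sanity check worth running on a config like the one posted is whether the `url-server` host actually sits on the subnet of the interface it is declared on, and whether a `filter url` statement exists at all. The script below is an added example, not part of the original post; it parses only the relevant PIX 6.3 lines (a constructed excerpt of the config above) and reports where the Websense address falls relative to the PIX interfaces.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config from the post (only lines the check needs).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.1.251 FTPServer
ip address outside 12.2.81.170 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
url-server (inside) vendor websense host 12.2.81.169 timeout 5 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

def parse_interfaces(config):
    """Map each named interface to the IPv4 network configured on it."""
    nets = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", config, re.M):
        nets[m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}").network
    return nets

def parse_names(config):
    """Map 'name <ip> <label>' entries so a url-server host may be given by label."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)$", config, re.M)}

def check_url_servers(config):
    """Return human-readable findings about url-server interface placement."""
    nets = parse_interfaces(config)
    names = parse_names(config)
    findings = []
    pat = r"^url-server \((\S+)\) vendor (\S+) host (\S+)"
    for m in re.finditer(pat, config, re.M):
        ifname, _vendor, host = m.groups()
        ip = ipaddress.IPv4Address(names.get(host, host))
        if ifname not in nets:
            findings.append(f"{host}: interface '{ifname}' has no ip address")
            continue
        if ip in nets[ifname]:
            findings.append(f"{host}: on '{ifname}' subnet {nets[ifname]} (ok)")
            continue
        # The host is not on the declared interface; say which subnet it does belong to.
        others = [n for n, net in nets.items() if ip in net]
        where = f"subnet of '{others[0]}'" if others else "no directly connected subnet"
        findings.append(f"{host}: declared on '{ifname}' but address is in {where}")
    if not re.search(r"^filter url ", config, re.M):
        findings.append("no 'filter url' statement: url-server is never consulted")
    return findings

if __name__ == "__main__":
    for line in check_url_servers(PIX_CONFIG):
        print(line)
```

On the posted config the check reports that 12.2.81.169 is declared on `inside` but belongs to the `outside` subnet, which is the first thing to reconcile before looking at the Websense side.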
