Websense gets me crazy (integration with PIX)

Discussion in 'Cisco' started by Alfonso Deo, Apr 28, 2004.

  1. Alfonso Deo

    Alfonso Deo Guest

    Hi all,

    Websense gets me crazy, here is a brief background...

    In our setup we have the following

    Websense Policy server --- Firewall (NAT) --- Internet --- Gateway --- Websense Manager
          10.1.1.2               10.1.1.1                                   (admin user)
                             (98.201.123.242)

    When the admin user tries to connect to the policy server, he connects
    to the IP 98.201.123.242. The traffic from the Websense manager goes
    out and over the internet to the Firewall (which is performing NAT).
    The 98.201.123.242 address is then translated to the 10.1.1.2 actual
    address of the Websense policy server. This part all works ok. We
    can see that communication works when we do a tcpdump.

    When the Websense policy server responds, it replies with the 10.1.1.2
    IP. It hits the firewall which then does the NAT to 98.201.123.242
    and then reaches the admin user. This part works ok, as far as
    internet traffic/communication goes. Again, when we do the tcpdumps,
    we see this traffic communicate.

    Now this next part is where the problem lies.

    Now, when the Websense policy server responds, it is sending a
    response back to the admin user, but what the payload/data of this
    response states is, "please connect to the policy server on IP
    10.1.1.2". When the admin user/Websense Manager receives this
    response, the GUI will then send a second communication attempt to
    10.1.1.2, where it has been told the policy server is.

    Now, when the Websense manager now goes and tries to attempt a
    connection to 10.1.1.2, it cannot communicate with the end device,
    since the 10.1.1.2 IP is not a routable IP and it cannot establish a
    session with this. I cannot verify this for sure since I do not have
    the ability to tcpdump my workstation's traffic, but I'm trying to
    come up with a way that I can put another device outside the
    firewall that is doing the NAT so that I can see what is
    actually going on.

    Websense's solution to this problem is to have the admin user's
    gateway perform reverse nat of the 10.1.1.2 IP.

    Basically when the admin user tries to communicate with the 10.1.1.2
    IP, that traffic goes to the user's gateway, where we need to perform
    reverse NAT (gateway NATs any outbound packet with a destination IP of
    10.1.1.2 to 98.201.123.242). However, in order for us to do this, we
    would have to make a change on our Gateway in front of the admin user.
    This is not a valid solution, since we can't perform the NAT of this
    IP on our end, as it may cause problems with our internal network.
    In addition, that means anytime there is a Websense device, we would
    have to add a NAT on our corporate firewalls so that we could reach
    the device.

    A better solution is if there is a way that we can tell the Websense
    policy server not to send its real IP in the data packet, but instead
    send its NAT IP. I'm not sure how we can actually do this at this
    time.

    So, can anybody help me? The Websense server gets its NAT on a PIX
    firewall.

    What would you do? How? I can't modify anything on the corporate
    firewall because of our network policies.

    Many thanks,

    Alfonso
     
    Alfonso Deo, Apr 28, 2004
    #1
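    The failure described in this post is the classic case of NAT rewriting the IP header while the application carries the server's real address inside its payload. The following is an added example, not code from the original thread or from Websense: a small checker that takes packet summaries of the kind a tcpdump on the admin user's side would yield and flags payloads that advertise a private address different from the already-translated header source. The packet layout, the field names and the sample payload text are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Matches dotted-quad candidates in payload text; each match is validated below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample packets (hypothetical layout, not a tcpdump format):
# "src_ip" is the source address as seen after the PIX has translated it,
# "payload" is the application data the Websense manager would parse.
LEAKY_REPLY = {
    "src_ip": "98.201.123.242",
    "payload": b"please connect to the policy server on IP 10.1.1.2 port 55806",
}
CLEAN_REPLY = {
    "src_ip": "98.201.123.242",
    "payload": b"please connect to the policy server on IP 98.201.123.242 port 55806",
}
NO_ADDRESS_REPLY = {
    "src_ip": "98.201.123.242",
    "payload": b"policy server ready",
}


def embedded_addresses(payload: bytes) -> List[str]:
    """Return every syntactically valid IPv4 address found in the payload text."""
    text = payload.decode("ascii", errors="ignore")
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            # e.g. "999.1.1.1" matches the regex but is not an address
            continue
        found.append(candidate)
    return found


def find_nat_payload_leaks(packet: Dict) -> List[Dict]:
    """Flag payload addresses that are private and differ from the NAT'd header source.

    An address meeting both conditions is one NAT rewrote in the header but not in the
    data; a client that follows it will try to reach a non-routable host, which is the
    second, failing connection the post describes.
    """
    header_src = ipaddress.IPv4Address(packet["src_ip"])
    leaks = []
    for addr in embedded_addresses(packet["payload"]):
        ip = ipaddress.IPv4Address(addr)
        if ip.is_private and ip != header_src:
            leaks.append({
                "embedded": addr,
                "header_src": str(header_src),
                "reason": "private address in payload was not translated by NAT",
            })
    return leaks


def summarize(packets: List[Dict]) -> int:
    """Return the number of packets carrying at least one leaked private address."""
    return sum(1 for p in packets if find_nat_payload_leaks(p))


if __name__ == "__main__":
    for pkt in (LEAKY_REPLY, CLEAN_REPLY, NO_ADDRESS_REPLY):
        print(pkt["payload"].decode(), "->", find_nat_payload_leaks(pkt))
    print("leaking packets:", summarize([LEAKY_REPLY, CLEAN_REPLY, NO_ADDRESS_REPLY]))
```

    Running it against a real capture means feeding the translated source address and the reassembled payload of each server reply; one flagged packet is enough to confirm that the header and payload disagree and that the fix has to happen either at the application (advertise the translated address), at an address-aware NAT, or, as the reply below suggests, by removing NAT from the path altogether.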

  2. Hi,

    Correct me if I'm wrong: you're trying to administer a Websense policy
    server from the internet and run into NAT problems when the policy server
    asks you to connect to a special IP/port.

    If this is the case, I would ask myself if I really would like this to
    happen in the first place (security minded). A better solution would be to
    set up the PIX to accept VPN sessions from the internet and connect to the
    policy server via the VPN. This would eliminate NAT on the PIX.

    Regards,

    Erik
     
    Erik Tamminga, Apr 30, 2004
    #2