Websense gets me crazy (integration with PIX)

    Hi all,

    Websense gets me crazy, here is a brief background...

    In our setup we have the following

    Websense Policy server --- Firewall (NAT) --- Internet ---
    Gateway --- Websense Manager (admin user)

    When the admin user tries to connect to the policy server, he connects
    to the IP. The traffic from the Websense manager goes
    out and over the internet to the Firewall (which is performing NAT).
    The address is then translated to the actual
    address of the Websense policy server. This part all works ok. We
    can see that communication works when we do a tcpdump.

    When the Websense policy server responds, it replies with the
    IP. It hits the firewall which then does the NAT to
    and then reaches the admin user. This part works ok, as far as
    internet traffic/communication goes. Again, when we do the tcpdumps,
    we see this traffic communicate.

    Now this next part is where the problem lies.

    Now, when the Websense policy server responds, it is sending a
    response back to the admin user, but what the payload/data of this
    response states is, "please connect to the policy server on IP". When the admin user/Websense Manager receives this
    response, the GUI will then send a second communication attempt to where it is being told the policy server is.

    Now, when the Websense manager now goes and tries to attempt a
    connection to, it cannot communicate with the end device,
    since the IP is not a routable IP and it cannot establish a
    session with this. I cannot verify this for sure since I do not have
    the ability to tcpdump my workstation's traffic, but I'm trying to
    come up with a way that I can try to put another device outside the
    firewall that is doing the NAT so that I can try to see what is
    actually going on.

    Websense's solution to this problem is to have the admin user's
    gateway perform reverse nat of the IP.

    Basically when the admin user tries to communicate with the
    IP, that traffic goes to the user's gateway, where we need to perform
    reverse NAT (gateway NATs any outbound packet with a destination IP of to). However, in order for us to do this, we
    would have to make a change on our Gateway in front of the admin user.
    This is not a valid solution, since we can't perform the NAT of this
    IP on our end since it may cause problems with our internal network.
    In addition, that means anytime there is a Websense device, we would
    have to add a NAT on our corporate firewalls so that we could reach
    the device.

    A better solution is if there is a way that we can tell the Websense
    policy server not to send its real IP in the data packet, but instead
    send its NAT IP. I'm not sure how we can actually do this at this

    So, can anybody help me? The Websense server gets its NAT on a PIX.

    What would you do? How? I can't modify anything on the corporate
    firewall because of our network policies.

    Many thanks,

    Alfonso Deo, Apr 28, 2004
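The translation mismatch the post describes, as an added example that is not code from the thread or from Websense: a small Python model of header-only NAT on the PIX against the policy server's address embedded in the payload, showing why the manager's second connection lands on an unroutable private IP, together with the two remedies the post names (reverse NAT at the admin user's gateway, and the server advertising its NAT IP) and a payload-aware translation for contrast. All addresses, the static NAT table and the redirect message format are constructed for the example; the real manager/policy-server protocol is not reproduced, and the thread does not say whether any payload fixup exists for it.

```python
"""Model of the NAT problem in the post above: the PIX translates the IP
header of the policy server's reply, but not the address the server embeds
in the payload, so the manager's second connection goes to a private IP.

Added illustration, not code from the thread or from Websense. Addresses
and the redirect message format are constructed; the real Websense
manager/policy-server protocol is not reproduced.
"""
import ipaddress
import re

# Constructed addresses (documentation ranges stand in for real ones).
POLICY_SERVER_REAL = "10.1.1.20"     # private address behind the PIX
POLICY_SERVER_NAT = "203.0.113.20"   # static NAT address on the PIX outside
ADMIN_PUBLIC = "198.51.100.7"        # admin user's public address

# Static NAT table as the PIX would hold it: private -> public (constructed).
STATIC_NAT = {POLICY_SERVER_REAL: POLICY_SERVER_NAT}

# Hypothetical payload format for "please connect to the policy server on IP".
REDIRECT_RE = re.compile(r"connect to the policy server on (\d+\.\d+\.\d+\.\d+)")

# RFC 1918 space: what the post calls "not a routable IP".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def policy_server_reply(advertise_nat_ip=False):
    """Policy server answer. By default it puts its real address in the
    payload; advertise_nat_ip models the poster's preferred fix."""
    addr = POLICY_SERVER_NAT if advertise_nat_ip else POLICY_SERVER_REAL
    return {"src": POLICY_SERVER_REAL, "dst": ADMIN_PUBLIC,
            "payload": f"please connect to the policy server on {addr}"}


def pix_nat_outbound(packet, fixup_payload=False):
    """Header translation on the way out. Plain NAT touches only src/dst.
    fixup_payload models a payload-aware translation (the generic ALG idea)
    for contrast only; the thread does not say one exists for this protocol."""
    out = dict(packet)
    out["src"] = STATIC_NAT.get(packet["src"], packet["src"])
    if fixup_payload:
        for real, public in STATIC_NAT.items():
            out["payload"] = out["payload"].replace(real, public)
    return out


def admin_gateway_reverse_nat(dst):
    """Websense's suggested workaround: the admin user's gateway rewrites an
    outbound destination of the real IP to the NAT IP."""
    return STATIC_NAT.get(dst, dst)


def redirect_target(payload):
    """Address the manager is told to use for its second connection."""
    m = REDIRECT_RE.search(payload)
    return m.group(1) if m else None


def routable_on_internet(addr):
    """False for RFC 1918 addresses, which cannot be reached across the Internet."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def simulate(advertise_nat_ip=False, fixup_payload=False, gateway_reverse_nat=False):
    """Return (destination of the manager's second connection, reachable?)."""
    reply = policy_server_reply(advertise_nat_ip)
    as_seen_by_manager = pix_nat_outbound(reply, fixup_payload)
    target = redirect_target(as_seen_by_manager["payload"])
    if gateway_reverse_nat:
        target = admin_gateway_reverse_nat(target)
    return target, routable_on_internet(target)


if __name__ == "__main__":
    scenarios = [("plain NAT (the problem)", {}),
                 ("server advertises NAT IP", {"advertise_nat_ip": True}),
                 ("reverse NAT at admin gateway", {"gateway_reverse_nat": True}),
                 ("payload-aware fixup", {"fixup_payload": True})]
    for name, kw in scenarios:
        target, ok = simulate(**kw)
        print(f"{name:30s} -> second connection to {target}, reachable={ok}")
```

Running the script prints one line per scenario; only the plain-NAT case yields a second connection to the 10.x address, which is exactly the symptom the post cannot confirm with tcpdump.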
  2. Hi,

    Correct me if I'm wrong: you're trying to administer a Websense policy
    server from the internet and run into NAT problems when the policy server
    asks you to connect to a special IP/port.

    If this is the case, I would ask myself if I really would like this to
    happen in the first place (security minded). A better solution would be to
    set up the PIX to accept VPN sessions from the internet and connect to the
    policy server via the VPN. This would eliminate NAT on the PIX.


    Erik Tamminga, Apr 30, 2004
