I think based on the question it specifically calls out proxy on port 8080. The filter url http is only going to redirect port 80 traffic to the websense for inspection. If we do not indicate to the ASA that http traffic could be going on 8080 it would not know to take the appropriate action.
So in this case I assume if normal http traffic flows on 8080 the ASA would redirect to websense but if it was forwarded by a proxy, probably looking for "X-Forwarded-For" or something then do not allow. That is my guess.

-Srikant

On Sun, Sep 9, 2012 at 10:34 AM, Ben Shaw <[email protected]> wrote:
> Hi All
>
> I am doing a lab which asks to complete the following:
>
> - Configure ASA1 for HTTP URL filtering for all users on the inside using
> a WebSense server located at 10.0.0.100.
> - In the case that the filtering server is down all HTTP requests should
> be allowed.
> - Ensure that users accessing websites via external proxies on port 8080
> are blocked by this policy.
>
> My answer was
>
> url-server (outside) vendor websense host 10.0.0.100
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
>
> It seems I don't understand the usage of the proxy block command as the
> solution gave the answer as
>
> url-server (outside) vendor websense host 10.0.0.100
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
> filter url 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 proxy-block
>
> I was under the impression that using the proxy block option as I did
> would allow normal HTTP connections for the traffic from any source
> networks to any destination be checked against the external filtering
> server but block this same traffic if it is using a proxy. It seems from
> the solution however that the proxy block option is used by itself to
> identify a source and destination network and a port (8080 in this case) to
> apply a blanket deny on all matching traffic.
>
> It would seem easier to me to just allow HTTP traffic in an ACL and deny
> all other traffic (inc 8080) in this case though I understand this is not
> how the question is wanting it to be done.
>
> Considering I can't really test this too easily as I don't have a websense
> server can anyone confirm, deny or clarify my observations?
>
> Thanks
> Ben
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
