Using Tunnel Default Gateway for VPN's via ASA 5520

Unanswered Question
Mar 3rd, 2008


We monitor internal users http traffic using a product called Surfcontrol Web Filter - SCWF. This SCWF server sits on a VLAN (Cisco 3750) which also has the inside interface of the ASA and we mirror the traffic seen on the inside port to the SCWF port. It all works well.

Now the problem I have. I have just set up the remote VPN feature on the ASA and everything works, along with the Internet. However, the internet traffic for the VPN users doesn't come inside via this SCWF server to be monitored; instead the traffic goes back out to the outside interface.

So I thought I could use the tunnel default gateway: "<ip gateway> tunneled"

Am I on the right lines using this? I have tried pointing it to several devices inside and they no longer get internet access.

I'm just trying to treat the VPN internet access like the internal users so they get monitored.

Thanks in advance for your help.

brettmilborrow Tue, 03/04/2008 - 07:59

This command will not fix your problem.

The traffic from the VPN users towards the internet does not cross the 3750, neither can you force it to.

You may need to install some sort of proxy service and configure your SurfControl to monitor at the proxy level. This option is potentially a better solution than using SurfControl in promiscuous mode, as there is a potential for some packets to get through to the 'banned sites' before SurfControl is able to intercept the connection (busy network or slow SurfControl server).

kaachary Wed, 03/05/2008 - 13:56
Cisco Employee

You can point the tunnel default gateway to the SCWF IP address, if it's on the same VLAN as the inside interface.

Alternatively, you can change the proxy settings on the remote user browser to point it to SCWF ip.
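For readers who want to see what the "tunneled" default route discussed in this thread looks like on the ASA, here is an added configuration fragment (constructed for illustration, not posted by anyone in the thread). All addresses are placeholders: the inside interface is assumed to be 10.1.1.1/24, the inside next hop (the SCWF host or a router/proxy on the same VLAN that will forward the traffic onward) 10.1.1.20, the remote-access address pool 192.168.100.0/24, and the ISP gateway 203.0.113.1.

```cisco
! Added example, not from the thread. Placeholder addresses throughout.
! Ordinary default route: traffic from the inside LAN leaves via outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunneled default route: the "tunneled" keyword restricts this default
! route to packets that arrived through a VPN tunnel (i.e. decrypted
! remote-access traffic). Those packets are sent toward the inside
! next hop instead of the normal outside default gateway, so they cross
! the inside VLAN where the 3750 SPAN session can copy them to SCWF.
! Only a default (0.0.0.0/0) route may carry this keyword.
route inside 0.0.0.0 0.0.0.0 10.1.1.20 tunneled

! Caveat: the next hop must actually forward internet-bound traffic
! onward (a proxy or router), otherwise VPN users lose internet access,
! which is the symptom described in the question. If it forwards the
! traffic back to the ASA inside interface, the packet then follows the
! normal outside default route and the VPN pool must be covered by NAT
! on the outside interface just like inside users are.

! Verification: the tunneled default route is listed separately from the
! ordinary one, and VPN sessions can be confirmed with:
!   show route
!   show vpn-sessiondb
```

When testing, change one thing at a time: remove the tunneled route and confirm VPN users regain internet via outside before adjusting the inside next hop, so that a lost-connectivity symptom can be attributed to routing rather than to NAT or the SPAN setup.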
