We have Websense running in the environment. The core switches (CAT6500) use a SPAN port to traverse Internet-destined traffic to Websense, and that works just fine. However, we have Remote Access VPN users that terminate on an ASA5520, and their traffic is not going through Websense, as the SPAN'ing is done on the INSIDE interface of the firewall and VPN is on the OUTSIDE of the firewall.
An idea that was proposed was:
Create a route map that catches traffic that is:
- remote access VPN traffic (based on the IP pool), and
- coming from the outside interface

and make the default route for this traffic the internal network. This way, users who come in as remote access VPN will come from the INSIDE when hitting the Internet.
Will that work?