URL filtering for Remote access VPN users

Unanswered Question
Mar 31st, 2009

Hi All,

I have an ASA 5520 that is configured for remote access VPN and clients connect using IPSec or anyconnect SSL.

Most of the clients use non-split tunneling policy and the web traffic goes through the ASA. Our URL filtering server is on the inside network. I tried configuring URL filtering but did not work since the vpn clients get terminated on the outside (lower security interface) and the web traffic flows from outside to inside (higher security) and URL filtering will work only when the http traffic goes from higher security to lower security.

How can I enable URL filtering for remote access users?

Any ideas?

Meena

Ivan Martinon Tue, 03/31/2009 - 10:43

Hi Meena,

I don't think URL filtering is restricted to inside users going to outside. Can you check if the u-turn (hairpin) is enabled and working fine? If so, can you please post your URL config here? Are you including the VPN clients pool for URL inspection? Can you post your config?

mchockalingam Tue, 03/31/2009 - 11:08

Based on this link,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

I see the following text under the Background Information:

You can filter connection requests that originate from a more secure network to a less secure network.

The tunnel default gateway is our perimeter firewall which is on the inside subnet of the ASA. I have not tried hairpinning the traffic yet.

Meena

Ivan Martinon Tue, 03/31/2009 - 11:18

Mhhh... is this topology sending back the traffic to the ASA after it is forwarded to the tunnel default gateway or is it sending it to another GW?

mchockalingam Tue, 03/31/2009 - 11:32

The topology is that the ASA is sending it to another default gateway.

The ASA's outside interface is facing the internet and the inside is connected to the DMZ interface of our perimeter firewall.

The tunnel default gateway is our perimeter firewall. So, the web traffic comes from outside and goes to inside and goes to the DMZ interface of our perimeter firewall and out through the outside interface of the perimeter firewall.

I should be able to hairpin the web traffic on the outside of the ASA. Do you think this will force the URL filtering?

Meena

Ivan Martinon Tue, 03/31/2009 - 11:35

Well, since this traffic is in the end sent to this perimeter firewall, you might want to think about filtering URLs on that one (unless you want to modify the whole traffic flow). I think that hairpinning will allow you to do URL filtering on the ASA itself, since it somehow covers the "outbound" URL filter rule.

mchockalingam Tue, 03/31/2009 - 11:41

I do not want to modify the whole traffic flow. I looked into doing the URL filtering on the perimeter firewall but it did not work out due to some licensing issues or some other reasons that are beyond me.

I still want to be able to use the perimeter firewall as the tunnel gateway but for port 80 non-internal traffic, I just want to hair-pin the traffic. I think I should be able to do this with some ACL and route statements.

Meena

Ivan Martinon Tue, 03/31/2009 - 11:50

Unfortunately, if you define a tunnel default gateway, all traffic, including HTTP traffic, will be sent to that firewall; you would need to remove the tunnel default gateway to achieve the hairpin feature.
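As an added illustration of the hairpin approach Ivan describes (this is not a config from any participant in the thread, and the VPN pool 192.0.2.0/24, the filtering server 10.0.0.50, the internal network 10.0.0.0/8 and the old tunnel gateway 10.0.0.1 are assumed placeholder values), the relevant ASA 8.0-era commands would look like this:

```cisco
! Assumption: the tunnel default gateway is what steers decrypted traffic
! straight to the perimeter firewall, so it is removed (placeholder gateway)
no route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled

! Allow decrypted VPN traffic to exit the same (outside) interface it arrived on
same-security-traffic permit intra-interface

! Hairpinned client traffic needs a translation on the outside interface
! (pre-8.3 NAT syntax; placeholder VPN pool)
nat (outside) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface

! Point the ASA at the URL filtering server on the inside network
! (vendor and address are assumptions)
url-server (inside) vendor websense host 10.0.0.50 timeout 30 protocol TCP version 4

! Filter HTTP from the VPN pool to any destination; "allow" lets traffic
! through if the filtering server is unreachable, omit it to fail closed
filter url http 192.0.2.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

! Do not send requests for internal web servers to the filtering server
filter url except 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
```

With the hairpin in place, the client's web traffic enters and leaves on the outside interface, which is the direction the URL filter rule is evaluated in; `show url-server statistics` and `show perfmon` are the usual checks that requests are actually being sent to the server.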

mchockalingam Tue, 03/31/2009 - 11:57

I kind of realized that after I posted my reply last time. As soon as the traffic gets decrypted it gets routed to the perimeter firewall and I cannot apply any ACL.

I wish there were an easier way.

Meena
