URL filtering for Remote access VPN users

Unanswered Question
Mar 31st, 2009

Hi All,

I have an ASA 5520 that is configured for remote access VPN and clients connect using IPSec or anyconnect SSL.

Most of the clients use a non-split-tunneling policy, so their web traffic goes through the ASA. Our URL filtering server is on the inside network. I tried configuring URL filtering, but it did not work, since the VPN clients terminate on the outside (lower-security) interface and the web traffic flows from outside to inside (higher security), and URL filtering only works when the HTTP traffic goes from a higher-security interface to a lower-security one.

How can I enable URL filtering for remote access users?

Any ideas?

Ivan Martinon Tue, 03/31/2009 - 10:43
Cisco Employee

Hi Meena,

I don't think URL filtering is restricted to inside users going outside. Can you check whether u-turn (hairpin) traffic is enabled and working fine? If so, can you please post your URL config here? Are you including the VPN client pool for URL inspection? Can you post your config?

mchockalingam Tue, 03/31/2009 - 11:08

Based on this link,


I see the following text under the Background Information:

You can filter connection requests that originate from a more secure network to a less secure network.

The tunnel default gateway is our perimeter firewall which is on the inside subnet of the ASA. I have not tried hairpinning the traffic yet.


Ivan Martinon Tue, 03/31/2009 - 11:18
Cisco Employee

Mhhh... in this topology, is the traffic sent back to the ASA after it is forwarded to the tunnel default gateway, or is it sent to another gateway?

mchockalingam Tue, 03/31/2009 - 11:32

The topology is that the ASA is sending it to another default gateway.

The ASA's outside interface is facing the internet and the inside is connected to the DMZ interface of our perimeter firewall.

The tunnel default gateway is our perimeter firewall. So the web traffic comes in on the outside, goes to the inside, then to the DMZ interface of our perimeter firewall, and out through the outside interface of the perimeter firewall.

I should be able to hairpin the web traffic on the outside of the ASA. Do you think this will force the URL filtering?


Ivan Martinon Tue, 03/31/2009 - 11:35
Cisco Employee

Well, since this traffic is in the end sent to the perimeter firewall, you might want to think about filtering URLs on that one (unless you want to modify the whole traffic flow). I think that hairpinning will allow you to do URL filtering on the ASA itself, since it somehow covers the "outbound" URL filter rule.

mchockalingam Tue, 03/31/2009 - 11:41

I do not want to modify the whole traffic flow. I looked into doing the URL filtering on the perimeter firewall but it did not work out due to some licensing issues or some other reasons that are beyond me.

I still want to be able to use the perimeter firewall as the tunnel gateway, but for port 80 non-internal traffic I just want to hairpin the traffic. I think I should be able to do this with some ACL and route statements.


Ivan Martinon Tue, 03/31/2009 - 11:50
Cisco Employee

Unfortunately, if you define a tunnel default gateway, all traffic, including HTTP traffic, will be sent to that firewall; you would need to remove the tunnel default gateway to achieve the hairpin feature.
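
The two configurations this reply contrasts, as an added example that is not part of the thread or of the poster's own ASA config. It assumes a pre-8.3 ASA (2009-era NAT syntax), a Websense URL server on the inside, and constructed addresses: inside network 10.1.1.0/24, perimeter firewall (tunnel default gateway) 10.1.1.1, URL server 10.1.1.20, VPN pool 192.168.50.0/24, outside next hop 203.0.113.1. The first block reproduces the flow the thread describes (decrypted traffic follows the tunneled route outside -> inside, so the filter rule never matches); the second shows the hairpin alternative, which is only reachable by removing the tunneled route, so all VPN traffic, not just port 80, stops being steered to the perimeter firewall. That trade-off is exactly what the thread ends on.

```cisco
! ---- Added example, not the thread's configuration. Pre-8.3 ASA syntax assumed. ----
! Constructed values: inside 10.1.1.0/24, tunnel default GW 10.1.1.1,
! Websense server 10.1.1.20, VPN pool 192.168.50.0/24, outside next hop 203.0.113.1.
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! URL server and filter rule (common to both variants). "allow" lets HTTP through
! if the URL server is unreachable; omit it to fail closed.
url-server (inside) vendor websense host 10.1.1.20 timeout 30 protocol TCP version 4
filter url http 0 0 0 0 allow

! ---- Variant 1: flow as described in the thread (filtering does not trigger) ----
! Decrypted VPN traffic is forced to the perimeter firewall, i.e. outside -> inside.
! The filter rule above only matches outbound (higher -> lower security) connections,
! so the VPN clients' web traffic is never checked against the URL server.
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

! ---- Variant 2: hairpin (u-turn) on the outside interface ----
! Per the reply above, the tunneled route must go; a tunnel default gateway
! overrides per-destination ACL/route tricks for *all* decrypted traffic.
no route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Allow a packet to enter and leave the same interface.
same-security-traffic permit intra-interface
! PAT the VPN pool to the outside address as it u-turns back toward the Internet.
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
! With the u-turn the HTTP connection is built toward the outside interface; the
! thread's expectation (assumption here, as in the reply) is that this satisfies the
! outbound condition of "filter url". Internal subnets are now reached via the
! inside connected route rather than via the perimeter firewall.
```

Verify the change with `show url-server stats` (counts of URLs sent to and responses from the server) and `show conn` for a VPN client address: in variant 1 the URL-server counters stay at zero while in variant 2 they increment as clients browse. Remember that removing the tunneled route changes the path of every decrypted flow, so any policy the perimeter firewall applied to VPN users must be re-created on the ASA.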

mchockalingam Tue, 03/31/2009 - 11:57

I kind of realized that after I posted my last reply. As soon as the traffic gets decrypted it gets routed to the perimeter firewall and I cannot apply any ACL.

I wish there were an easier way.
