We just installed a new Internet filter that uses a SPAN source port to see the traffic heading to/from the Internet. A problem arose because our remote access VPN users are bypassing the filter since their traffic never crosses the SPAN source port. I remember with concentrators we didn't route in and out of the concentrators, and prior to ASA, a PIX wouldn't let traffic in and then out of the same interface. It had to be sent to a router. I'm using an ASA now, and of course the same security perm intra command takes care of that, but I'm trying to figure out a way to sort of revert and rely on a router to route only remote access VPN traffic. The path looks like:
Internet -> ASA -> 4510 (SPAN source is link between ASA and 4510)
So I want to be able to send default traffic from a remote access client to the 4510, and then have that traffic turned around to the ASA and Internet. Possible?