Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Forwarding Cisco ASA VPN traffic to internal URL filter server?


I have currently got my Cisco VPN users and site to site VPNs going through my Cisco Concentrator. They get their web traffic monitored by an internal web filtering server (surfcontrol) as it has to pass through this then through the Cisco ASA firewall.

I have now set up Cisco VPN client connections to the Cisco ASA but the problem is when they access the internet now it instanty goes back out and the traffic is not "seen" by the internal web filter server.

I have tried to use the command:

"ip route inside tunneled"

The is the web filter server, but nothing happens.

Any idea how to get round this?


Re: Forwarding Cisco ASA VPN traffic to internal URL filter serv

PIX Firewall Software version 6.2 and higher enables you to statically configure multicast routes or use an Internet Group Management Protocol (IGMP) helper address to forward IGMP reports and leave announcements.

This is the multicast support available in this release:

Access list filters can be applied in order to multicast traffic to permit or deny specific protocols and ports.

Network Address Translation (NAT) and Port Address Translation (PAT) can be performed on the multicast packet source addresses only.

Multicast data packets with destination addresses in the address range are not forwarded. But, everything else in the address range is forwarded.

IGMP packets for address groups within the range are not forwarded because these addresses are reserved for protocol use.

NAT is not performed on IGMP packets. When IGMP forwarding is configured, the PIX Firewall forwards the IGMP packets (report and leave) with the IP address of the helper interface as the source IP address.