Using Tunnel Default Gateway for VPN's via ASA 5520
We monitor internal users' HTTP traffic using a product called SurfControl Web Filter (SCWF). This SCWF server sits on a VLAN (Cisco 3750) which also has the inside interface of the ASA, and we mirror the traffic seen on the inside port to the SCWF port. It all works well.
Now the problem I have. I have just set up the remote VPN feature on the ASA and everything works, along with the Internet. However, the Internet traffic for the VPN users doesn't come inside via this SCWF server to be monitored; instead the traffic goes back out of the outside interface.
So I thought I could use the tunnel default gateway: "route inside 0.0.0.0 0.0.0.0 <ip gateway> tunneled"
Am I on the right lines using this? I have tried pointing it to several devices inside and they no longer get Internet access.
I'm just trying to treat the VPN users' Internet access like the internal users' so they get monitored.
Re: Using Tunnel Default Gateway for VPN's via ASA 5520
This command will not fix your problem.
The traffic from the VPN users towards the Internet does not cross the 3750, nor can you force it to.
You may need to install some sort of proxy service and configure your SurfControl to monitor at the proxy level. This option is potentially a better solution than using SurfControl in promiscuous mode, as there is a potential for some packets to get through to the 'banned sites' before SurfControl is able to intercept the connection (busy network or slow SurfControl server).