Cisco Support Community

New Member

Using Tunnel Default Gateway for VPN's via ASA 5520


We monitor internal users http traffic using a product called Surfcontrol Web Filter - SCWF. This SCWF server sits on a VLAN (Cisco 3750) which also has the inside interface of the ASA and we mirror the traffic seen on the inside port to the SCWF port. It all works well.

Now the problem I have. I have just set up the remote VPN feature on the ASA and everything works, along with the Internet. However, the internet traffic for the VPN users doesn't come inside and via this SCWF server to be monitored; instead the traffic goes back out through the outside interface.

So I thought I could use the tunnel default gateway: " <ip gateway> tunneled"

Am I on the right lines using this? I have tried pointing it to several devices inside and the VPN users then no longer get internet access.

I'm just trying to treat the VPN internet access like the internal users so they get monitored.

Thanks in advance for your help.

New Member

Re: Using Tunnel Default Gateway for VPN's via ASA 5520

This command will not fix your problem.

The traffic from the VPN users towards the internet does not cross the 3750, neither can you force it to.

You may need to install some sort of proxy service and configure your SurfControl to monitor at the proxy level. This option is potentially a better solution than using SurfControl in promiscuous mode, as there is a potential for some packets to get through to the 'banned sites' before SurfControl is able to intercept the connection (busy network or slow SurfControl server).

Cisco Employee

Re: Using Tunnel Default Gateway for VPN's via ASA 5520

You can point the tunnel default gateway to the SCWF IP address, if it's on the same VLAN as the inside interface.

Alternatively, you can change the proxy settings on the remote user browser to point it to SCWF ip.
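For reference, this is what the tunneled default route discussed in the question and in the reply above looks like on an ASA, as an added configuration example that is not taken from the thread. The addresses (inside interface 10.1.1.1/24, SCWF host 10.1.1.50, ISP next hop 203.0.113.1) are assumed for illustration. The point a practitioner should check before applying it: the tunneled route only changes where decrypted VPN traffic with no more specific route is sent, so the device at the tunneled next hop has to forward that traffic onward (a proxy or router). A host that merely watches a mirrored SPAN port will silently drop packets addressed to internet destinations, which matches the symptom of VPN users losing internet access when the route is pointed at an ordinary inside device.

```text
! Added example, not configuration from the original thread.
! Assumed addressing: inside 10.1.1.1/24, SCWF at 10.1.1.50, outside next hop 203.0.113.1.
!
! Ordinary default route: used by all non-VPN traffic and by VPN traffic
! that matches a more specific route. Unchanged from a normal deployment.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunnel default gateway: decrypted traffic arriving from VPN clients that
! matches no other route is sent to this inside next hop instead of the
! normal default route. Only one tunneled default route is allowed.
! The host at 10.1.1.50 must forward the traffic (proxy/router), or VPN
! users lose internet access.
route inside 0.0.0.0 0.0.0.0 10.1.1.50 tunneled
!
! Verify both defaults are present after the change.
show route
```

After `show route`, confirm the normal default route still points out the outside interface and the tunneled route points at the inside next hop. If the SCWF host is not acting as a forwarding proxy, the second suggestion in the reply above (pointing the remote user's browser proxy at the SCWF address) avoids the routing change entirely, because the client then addresses its HTTP traffic to the proxy host rather than to the internet destination.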