We are using ASA 5520s as our firewalls and our salespeople connect in over IPsec with VPN Client v5. With our previous Check Point firewalls and clients we could add a default policy which would be active while the client was not connected, which would limit which websites the salespeople could visit while not connected to the firewall.
With our new Cisco setup we are able to restrict what websites they visit while they are connected, but once they disconnect from the firewall they have unrestricted access to the web. Is there a way to limit this to a list of predefined business-related sites?
At the moment they are blocked from accessing non-business-related websites while connected because we have only specified the sites they are allowed to access in the ACL that has been applied to the IP pool the VPN clients use. However, once they disconnect they can access any sites.
(With the Check Point VPN-1 client a default policy was pushed down from the server with the VPN policy. Once the client disconnected from the VPN the default policy kicked in and would block them from accessing sites not specified in the policy.)
So at the moment the ASA blocks anyone with an address in the VPN IP pool from accessing any website not in its ACL. Is there a way to push a policy to the Cisco VPN client's stateful firewall to do the same even when the client is not connected to the firewall?
(Apologies if I'm using the wrong terminology here or if I'm missing something basic, but I'm new to Cisco firewalls.)
Another thought has occurred to me: is it possible to block them from accessing all websites when they are not connected by enforcing a proxy on the laptops? This might work; basically it's more important that they be blocked from non-business sites when they are not connected to the VPN than that they be allowed access to business sites when they are not on the VPN.
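As an added illustration (not from the poster or from Cisco), this is the shape of the allow-list the post describes: an ACL naming only the permitted business sites, attached as a vpn-filter to the group policy that the sales tunnel-group hands out, with all client traffic forced through the tunnel. The object names and the 192.168.50.x / 203.0.113.x addresses are placeholders.

```cisco
! Address pool handed to the IPsec clients (placeholder range)
ip local pool SALES_POOL 192.168.50.1-192.168.50.100 mask 255.255.255.0

! Allow-list: source is the VPN client pool, destination a permitted site.
! 203.0.113.10 and 203.0.113.20 stand in for the business web servers.
access-list SALES_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq www
access-list SALES_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq https
access-list SALES_VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 203.0.113.20 eq https
! Everything else from the pool is dropped (the implicit deny made explicit so it shows in hit counts)
access-list SALES_VPN_FILTER extended deny ip 192.168.50.0 255.255.255.0 any

! Group policy for the sales clients: no split tunnelling, so web traffic
! cannot bypass the filter while the tunnel is up
group-policy SALES_GP internal
group-policy SALES_GP attributes
 split-tunnel-policy tunnelall
 vpn-filter value SALES_VPN_FILTER

! Tunnel group the clients connect to
tunnel-group SALES_TG general-attributes
 address-pool SALES_POOL
 default-group-policy SALES_GP
```

A vpn-filter is evaluated only on traffic that actually passes through the tunnel, which is why, as the post observes, it has no effect once the client disconnects.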
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...