Using access rules to block certain VPN traffic help

whiteford
Level 1

Hi, not sure how this works, but I have a site-to-site VPN coming into my ASA. The remote office router is a DSL 877 router. And the SA for the IPsec is 172.19.15.0 to any at the HQ where the ASA is.

It has to be any as the internet goes through the tunnel to be monitored by websense/surfcontrol web filter. Anyway I need to use the ASA to block traffic for this VPN (172.19.15.0) network so it can't go to all servers on the HQ's network. Normally I could just configure the SA for the tunnel to include only the subnets/servers that are needed but having the internet pass over means I have to use "any", am I right?

I have tried adding some deny rules to stop the traffic but the rules don't work, so I was wondering if the deny rules should be applied to the inside interface or the outside interface?

39 Replies

Yes.

Hi Acomiskey,

Back at work today to start on this. I don't seem to have a spare router to put in VLAN 2 as you suggested, which is the VLAN for the Inside interface of the ASA. I only have a Cisco 837 and an old Cisco Pix 515.

I have been allowed to buy a Cisco 1841, do you think this would be ok? If it doesn't work we have another project for it.

It only has 2 FE ports, but I guess I will only be using 1 of those ports to plug into the VLAN2?

Have you tried writing an ACL on the VLAN2 to limit source VPN subnets to the destination HQ servers, on the controlling Layer 3 routing device behind your ASA?

Well, I haven't yet.

As you may have read, the Internet doesn't come "inside" and I somehow need to push the traffic inside then back out again so it's seen by VLAN2.

I've been looking into the Tunnel Default Gateway option:

"route inside 0.0.0.0 0.0.0.0 tunneled"

I have been told the gateway IP can only be an IP that is in the same subnet as the inside interface of the ASA, so VLAN 2.

I have ordered a Cisco 1841 to test with, but am not sure what to add to this router when I get it. I guess I could just route all the traffic to the inside ASA or our Core nortel LAN switch?

I'm open to any suggestions

Is it just for http/https traffic, or all internet traffic?

1) One idea could be to force the remote ends to use proxy settings in their internet browsers? Those proxy settings would point to your websense server.

2) Another idea would be to have GRE tunnels from the remote ends into the core router. The IPsec SA would only be the two endpoint IP addresses on the tunnels (nice and easy), then you point your default route at the remote ends into the tunnels, i.e.

ip route 0.0.0.0 0.0.0.0 <>

Once the traffic comes out of the tunnel it is subject to the core routers acl's and the websense server.

I do option 2 in my network, it works well for me.

I went for option 2:

But got this syslog error:

Error ASA5520-1 : Deny tcp src inside:172.19.15.11/1992 dst outside:212.58.253.75/80 by access-group "inside_access_in" [0x0, 0x0]

I then added a rule on the inside interface to allow 172.19.15.0/24 to any on tcp/http and udp/domain but then got nothing in the syslog server and no webpage displayed, is it a NAT issue now or a route back?

I added: ip route 0.0.0.0 0.0.0.0 <>

The tunnel point being the gateway IP of the inside core switch that is in VLAN2 - correct?

You created the GRE tunnels?

If you are using a proxy server, you should never see a packet with the source of the remote network in the ASA if the traffic is routing over the GRE through the proxy server. You should only see http/tcp traffic with a destination of the internet with the source address of the proxy server?

I am presuming you have a default route in your core layer 3 devices pointing to your proxy server? and a default route in your proxy server pointing to your ASA?

Hi Andrew I think I have missed a lot here.

I just have a simple IPsec site-to-site VPN from a Cisco 877 to my Cisco ASA. I don't have a proxy server, just my SurfControl Webfilter server in VLAN 2. In VLAN 2 there is also the link to the Core LAN switches; I added the tunneled route and pointed it to that switch.

Then I noticed the deny rules appear on the ASA when I tried to get to www.bbc.co.uk from the remote network, which is the first time I have ever seen traffic appear on the ASA from this site-to-site so at first I was pleased.

Just need to know if it's going out to the website and if it's not getting back to the PC; pathping and traceroute are being unhelpful too.

OK - well I've never used the tunneled default route before, and to be honest in your explained setup I am surprised anything works!!!!

moving on - can you post the details of:-

"inside_access_in"

Please?

Sure, let me go off and get that. In the meantime I did find this in the logs, does this show at least the response is going out to the internet?

ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)

I have this rule:

access-list inside_access_in extended permit ip 172.19.15.0 255.255.255.0 any
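As an added illustration of why a deny rule can appear to "not work" next to a line like the one above (this is example code, not code from the thread or from Cisco): an ASA interface ACL is evaluated top down and the first match wins, so a `permit ip 172.19.15.0 255.255.255.0 any` placed first shadows every deny for an HQ server placed after it. The block below is a small first-match evaluator for a subset of the ASA extended ACL syntax, plus a parser for the two syslog shapes quoted in this thread (106023 "Deny ... by access-group" and 302013 "Built inbound/outbound TCP connection"), so the logged flows can be replayed against both ACL orderings. The HQ server address 10.0.0.5, the second ACL line and the sample log lines are constructed for this example and are not from the thread.

```python
"""Added example (not from the thread or Cisco): first-match evaluator for a
subset of ASA extended ACL syntax, plus a parser for the ASA syslog lines
quoted in the thread. 10.0.0.5 and the deny line are assumptions."""
import ipaddress
import re
from typing import Optional

# Supported subset:
#   access-list NAME extended {permit|deny} {ip|tcp|udp} SRC DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D MASK".
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53}


def _network(token: str) -> ipaddress.IPv4Network:
    token = token.strip()
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host"):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()          # dotted netmask, as the ASA writes it
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(lines):
    """Return (action, proto, src_net, dst_net, port|None) tuples in ASA order."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        port: Optional[int] = None
        if m["port"] is not None:
            port = NAMED_PORTS.get(m["port"]) or int(m["port"])
        aces.append((m["action"], m["proto"], _network(m["src"]),
                     _network(m["dst"]), port))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; the ASA appends an implicit deny.
    Returns (action, index of the matching ACE, or None for implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, ace_proto, src_net, dst_net, port) in enumerate(aces):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None


# The thread's permit line first, then a hypothetical deny for an HQ server:
# the deny can never match because the broader permit above it wins.
SHADOWED_ORDER = [
    "access-list inside_access_in extended permit ip 172.19.15.0 255.255.255.0 any",
    "access-list inside_access_in extended deny ip 172.19.15.0 255.255.255.0 host 10.0.0.5",
]
# Specific denies first, then the broad permit needed for the web-filter path.
FIXED_ORDER = list(reversed(SHADOWED_ORDER))

# Syslog shapes quoted in the thread: 106023 (Deny) and 302013 (Built).
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+?:(?P<src>[\d.]+)/\d+ \([^)]*\) to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_syslog(line):
    """Reduce an ASA log line to the 4-tuple needed to replay it; None if unknown."""
    m = DENY_RE.search(line)
    if m:
        return {"event": "deny", "direction": None, "proto": m["proto"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = BUILT_RE.search(line)
    if m:
        return {"event": "built", "direction": m["direction"],
                "proto": m["proto"].lower(), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"])}
    return None


def replay(acl_lines, log_lines):
    """Evaluate every parsable logged flow against the ACL -> [(src, dst, action)]."""
    aces = parse_acl(acl_lines)
    out = []
    for flow in filter(None, map(parse_syslog, log_lines)):
        action, _ = evaluate(aces, flow["proto"], flow["src"], flow["dst"], flow["dport"])
        out.append((flow["src"], flow["dst"], action))
    return out


# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    'Deny tcp src inside:172.19.15.11/1992 dst outside:212.58.253.75/80 by access-group "inside_access_in" [0x0, 0x0]',
    "Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)",
    "Built inbound TCP connection 1 for outside:172.19.15.11/3000 (172.19.15.11/3000) to inside:10.0.0.5/445 (10.0.0.5/445)",
]
```

Calling `replay(SHADOWED_ORDER, SAMPLE_LOG)` permits all three flows, including the one to 10.0.0.5, while `replay(FIXED_ORDER, SAMPLE_LOG)` denies only that one. Two caveats the evaluator does not model: on an ASA, traffic that arrives decrypted from an IPsec tunnel bypasses the interface ACLs by default (`sysopt connection permit-vpn`), so either disable that with `no sysopt connection permit-vpn` or attach a `vpn-filter` ACL to the tunnel's group-policy before expecting `inside_access_in` to filter the remote subnet at all; and the `route inside 0.0.0.0 0.0.0.0 <gateway> tunneled` lookup discussed in this thread is a routing decision, not an ACL one, and is outside what this script checks.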

To be honest, I cannot see the tunneled IP route working for you, reading the below:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd8060b477.html

You are trying to do the whole thing in one device, can't see how that is going to work.

For instance - you posted "ASA5520-1 : Built outbound TCP connection 534450970 for outside:212.58.224.131/80 (212.58.224.131/80) to inside:172.19.15.11/2273 (172.19.15.11/2273)

ASA5520-1 : Built inbound TCP connection 534450969 for outside:172.19.15.11/2273 (172.19.15.11/2273) to inside:212.58.224.131/80 (212.58.224.131/80)"

Can't see why the ASA would actually route that return traffic back to the remote site and encrypt it at the same time without NATing it, not to mention, by the looks of it, the ASA is confused about what to actually do with the packet.

Sorry - I am not convinced this will work. I will stand corrected, but basic routing logic defies this.

Unless this router I get can help? If I add it to that VLAN 2 and force any traffic back to the inside of the ASA to take care of, as it has all the routes on there? Possible?

The 1841 has 2 FEs. I guess I would only need 1 of the ports and give it an IP that the VLAN 2 subnet is set up with; that way I can eliminate any routing issue in the LAN where it might get lost.

Adding the extra router - that is possible, but in my opinion it starts to get very complicated, to say the least.

Also in the url I posted was a policy based routing example which could help with this, no need for an extra router, as you have your core device. There is also GRE, as I said before - which would work, as I have it working in my environment.

HTH.

Sorry for the basic question, what is this GRE VPN?

Currently I have 40 VPNs going through my Cisco Concentrator, but am trying to plan the move over to the ASAs.

In an ideal world what would be the simplest solution? What is this URL filtering option with Websense?

We use Surfcontrol which has just been bought by Websense and will be upgrading at some point?