12-27-2013 10:53 AM - edited 03-11-2019 08:22 PM
Forgive me if I didn't already see a posting on here. There was one similar, but I couldn't understand the answer. Here's what I have.
Remote Site ASA 5505 <-- VPN tunnel --> Main Site ASA 5525-X <-- Web Proxy (not currently inline, device is set up with WCCP for transparent... planning to put inline in the near future) --> Internal network.
Remote Access Cisco IPSEC client <-- VPN tunnel --> Main Site ASA 5525-X <-- Web Proxy (not currently inline, device is set up with WCCP for transparent... planning to put inline in the near future) --> Internal network.
Currently, VPN users that connect to the main site are not able to go to the internet while connected (no split tunnel allowed). I would like to give users the functionality of getting to the internet while connected to VPN, but I would rather force them through our web proxy. This way, they don't have to disconnect when access to the internet is needed and then reconnect when they need access to internal resources.
In the past, to get around all of this, I had another "inside" firewall that terminated VPN connections on its "outside" interface. I then set the default gateway on this firewall to go out the "inside" interface and land on the main site's core switch. At this point, all traffic flowed through the web proxy without any issues. Am I still limited to this?
Thanks all,
Andrew
12-29-2013 01:10 PM
Is the WCCP Router the ASA? The only way to have this working is with Anyconnect.
Check this scenario and let me know if this is the correct one:
Mike
12-30-2013 05:37 AM
Mike,
Good article. From the article, it appears that what I'm trying to do will work. Looks like the key is the "tunnel" route to the inside network. From there, traffic can be sent back out. For now, I'll be utilizing the scenario with WCCP on the ASA and a standard inside router. To answer your question, the ASA is the WCCP router for now. We're going to end up putting the web proxy inline to get added scanning functionality per the vendor. Before making that change, I'd like to get this working. I'll see if I can get it to work over the next few days and report back.
Thanks,
Andrew
12-30-2013 09:10 AM
Sounds good.
Let us know.
Mike
08-21-2014 08:44 AM
Update. I was able to get this to work with IPSEC and AnyConnect by adding the default tunnel route to our inside core switch. I also added some NAT exempt rules for the IPSEC/AnyConnect subnets. The site-to-site tunnel is not working quite as well. It's very strange... From the remote site, I'm able to browse the internet and access resources at the main site through the IPSEC site-to-site tunnel. However, I cannot initiate communication from the main site back to the remote site. A traceroute from a main site PC shows as follows:
Tracing route to 192.168.104.99 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.65.0.10
2 9 ms <1 ms <1 ms 10.255.254.12
3 2 ms <1 ms <1 ms 10.255.98.110
4 <1 ms <1 ms <1 ms 10.255.98.110
5 <1 ms <1 ms <1 ms 10.255.98.110
6 1 ms 1 ms 1 ms 10.255.98.110
The tunnel route on the ASA points to 10.255.98.110.
S 0.0.0.0 0.0.0.0 [255/0] via 10.255.98.110, inside tunneled
10.255.254.12 and 10.255.98.110 are both IP addresses on the inside core switch. I may open a Cisco case on this one. I just don't get it.
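A small check that is useful when reading output like the traceroute above: parse the Windows tracert hop lines and flag any run of identical consecutive responders as a probable forwarding loop. This is an added example, not code from the thread or from Cisco; it assumes the tracert line layout shown in the post (TTL, three RTT columns, then the responder) and treats three or more identical hops in a row as suspicious. One thing to keep in mind when interpreting the result: a Cisco ASA does not decrement TTL on transit packets unless decrement-ttl is enabled, so it normally does not appear as a hop at all, and a loop between the ASA and a neighbouring router shows up as that router's address repeating.

```python
"""Flag a likely forwarding loop in Windows tracert output.

Added example (not from the thread). Parses hop lines such as
"3 2 ms <1 ms <1 ms 10.255.98.110", then reports every run of
consecutive hops that answer from the same address.
"""
import re
from collections import namedtuple

Hop = namedtuple("Hop", "ttl rtt_ms addr")

# One hop line: TTL, three RTT columns ("<1 ms", "9 ms" or "*"), then the
# responder address or hostname. Whitespace between columns is free-form.
_HOP_RE = re.compile(
    r"^\s*(\d+)\s+"                        # TTL
    r"((?:(?:<?\d+ ms|\*)\s+){3})"         # three RTT columns
    r"(\S+)"                               # responder, or "Request" on timeouts
)

# Constructed sample input: a copy of the traceroute quoted in the thread.
SAMPLE = """\
Tracing route to 192.168.104.99 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.65.0.10
2 9 ms <1 ms <1 ms 10.255.254.12
3 2 ms <1 ms <1 ms 10.255.98.110
4 <1 ms <1 ms <1 ms 10.255.98.110
5 <1 ms <1 ms <1 ms 10.255.98.110
6 1 ms 1 ms 1 ms 10.255.98.110
"""


def _rtt(token):
    """'<1 ms' -> 1.0, '9 ms' -> 9.0, '*' -> None (no reply)."""
    if token == "*":
        return None
    return float(token.replace(" ms", "").replace("<", ""))


def parse_tracert(text):
    """Return a list of Hop records for every hop line in the text."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        rtts = [_rtt(t) for t in re.findall(r"<?\d+ ms|\*", m.group(2))]
        addr = "*" if "Request timed out" in line else m.group(3)
        hops.append(Hop(int(m.group(1)), rtts, addr))
    return hops


def find_loops(hops, min_run=3):
    """Return (addr, first_ttl, last_ttl) for each run of >= min_run hops
    that answer from the same address. Timed-out hops ("*") are skipped."""
    runs = []
    i = 0
    while i < len(hops):
        j = i
        while (j + 1 < len(hops)
               and hops[i].addr != "*"
               and hops[j + 1].addr == hops[i].addr):
            j += 1
        if j - i + 1 >= min_run:
            runs.append((hops[i].addr, hops[i].ttl, hops[j].ttl))
        i = j + 1
    return runs


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE)
    for addr, first, last in find_loops(parsed):
        print(f"probable loop: {addr} answers for TTL {first} through {last}")
```

Run it against a saved tracert capture instead of SAMPLE to get the same report; a hit tells you which device to look at first (its routing table toward the destination, and whatever it is handing the packet to that is not showing up as a hop).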