How the “tunnel” option works – When an AnyConnect VPN client makes a successful VPN connection to the ASA VPN appliance, the ASA VPN appliance dynamically installs that VPN hosts static host route into its global routing table; similar to S 10.0.0.1 255.255.255.255 [1/0] via <public-IP-of-next-outbound-hop>, outside. When a packet is received in from –say Cisco AnyConnect VPN client host-1-, the ASA VPN appliance performs (packet decryption and other magic) as-well-as a route lookup for the original non-encrypted packet’s destination – usually but not mandatory an RFC 1918 address. If the specific destination IP address is found in the ASA VPN appliances global routing table, the packet is routed via that most specific route – as normal. If no specific route is found in the ASA VPN appliances global routing table, the Gateway of Last Resort or better known as Default Gateway of 0.0.0.0/0 is utilized to route the packet. If the 0/0 route does not exist, the packet is dropped. When the ASA VPN appliance is configured in this manner (and split-tunnel is disabled on the AnyConnect VPN client), remote uses should be able to surf the public Internet through the corporate ASA VPN appliance connection – albeit at a much slower pace since each packet has a good number of extra hops. If we wanted to police and filter this public Internet base traffic we could apply an ASA VPN appliance based fix with an optional tunneled command.
When the optional command route inside 0 0 <next-hop> tunneled is configured on the ASA VPN appliance, the ASA VPN appliance still performs a standard next-hop route lookup for all packets. It’s when there is no specific next hop route configured in the ASA VPN appliance, the ASA VPN appliance must consider the least specific route provided by the Gateway of Last Resort or drop the packet. When the optional tunneled route command has been installed on the ASA VPN appliance, it no longer considers the standard Default Gateway for VPN tunneled packets, instead it routes these packets based on the newly configured “tunneled” Default Gateway next-hop. This newly installed “tunneled” route will only be used for tunneled VPN packets where-as non-tunneled packets still use the standard Default Gateway as-well-as other more specific non-tunneled routes. Now when host-1 tries to visit any public Internet based site, the ASA VPN appliance (that does not support the full Internet routing table ) will not find the requested public Internet site IP address in the routing table and thus will be forced to route the packet to the configured tunneled next-hop address.
Our plan is to configure the route inside 0 0 <Border-FW-Inside-Interface-IP> tunneled on the ASA VPN appliance. When traffic from a VPN user with a destination to the public internet, the 0/0 tunnel command will redirect this traffic to the inside interface of the border firewall. The border firewall will utilize WCCP to redirect ports 80/443 traffic to the Webcache proxy/filter application to enforce policy. All other Internet bound traffic with destinations other than TCP ports 80/443 will bypass WCCP/Websense but will still be subjected to the ACL policies configured on the border firewalls. Problem solved.
Note: The tunnel command is all inclusive.
Note: The route inside 0 0 <Next-hop> tunneled command also support non-default routes as-well.
Thanks for your assistance, we really appreciate your help!
Frank
