Cisco ASA 9.2: disable NAT rule when VPNs are down.

etijburg
Level 4

We are using a hosted web filtering solution.  We have a VPN tunnel (with a backup VPN to an alternate site) that we send all HTTP and HTTPS traffic to.  The way the system works is we send all internal traffic destined for the internet to them over a VPN.  IKEv1 and 3DES.  This requires that we have a NAT statement that keeps all HTTP and HTTPS traffic from the internal filtered subnet un-NAT'd and sent over the VPN.  I would like to have a way to disable this NAT rule if the VPN is down.  I know I can rewrite the rule using Event Manager, but I can't find a trigger to use that would be reliable.  Anyone have any ideas?  I have attached a sanitized copy of our lab config.
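The attached lab config is not reproduced on this page, so as an added example (not the poster's config) here is the general shape of the setup being described on an ASA 9.2: an identity (no-translation) manual NAT rule that matches only HTTP/HTTPS from the filtered subnet, so those packets keep their private source address and hit the crypto ACL for the filtering provider's tunnel; the ordinary outbound PAT rule underneath it; and an Event Manager applet that pulls the identity rules when the ASA logs an IKE peer teardown and puts them back when a new Phase 2 completes. The object names, subnet, interface names and applet names are placeholders I chose. The syslog IDs are the ones I would try (713050 "Connection terminated for peer" and 713120 "PHASE 2 COMPLETED"), with the caveat the original post raises: these messages also appear on rekeys and apply to any peer, so with a backup tunnel to an alternate site a single teardown does not prove both paths are down.

```cisco
! Added example, not the poster's lab config. Names and addresses are placeholders.
object network FILTERED-LAN
 subnet 10.10.10.0 255.255.255.0
object service HTTP
 service tcp destination eq www
object service HTTPS
 service tcp destination eq https

! Section 1 (manual NAT): identity NAT for web traffic from the filtered subnet to
! any destination. Source stays 10.10.10.x, so the packet matches the crypto ACL.
! "route-lookup" makes the ASA pick the egress interface from the routing table
! instead of from this rule; "no-proxy-arp" avoids ARP replies for the untranslated range.
nat (inside,outside) source static FILTERED-LAN FILTERED-LAN destination static any any service HTTP HTTP route-lookup no-proxy-arp
nat (inside,outside) source static FILTERED-LAN FILTERED-LAN destination static any any service HTTPS HTTPS route-lookup no-proxy-arp

! Section 2 (object NAT): normal outbound PAT for everything else. While the rules
! above exist, web traffic from the filtered subnet never reaches this rule, which is
! why a down tunnel black-holes it instead of falling back to direct internet access.
object network INSIDE-ALL
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface

! Crypto ACL the identity rules are there to feed (tunnel group and crypto map not shown).
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq https

! Event Manager (ASA 9.2(1)+). "logging enable" must be on for syslog-triggered applets.
! Tunnel torn down: remove the identity rules so web traffic falls through to PAT.
event manager applet FILTER-VPN-DOWN
 event syslog id 713050
 action 1 cli command "no nat (inside,outside) source static FILTERED-LAN FILTERED-LAN destination static any any service HTTP HTTP route-lookup no-proxy-arp"
 action 2 cli command "no nat (inside,outside) source static FILTERED-LAN FILTERED-LAN destination static any any service HTTPS HTTPS route-lookup no-proxy-arp"
 output none

! Phase 2 completed again: reinsert the rules at the top of section 1 (positions 1 and 2)
! so they stay ahead of any other manual NAT rules.
event manager applet FILTER-VPN-UP
 event syslog id 713120
 action 1 cli command "nat (inside,outside) 1 source static FILTERED-LAN FILTERED-LAN destination static any any service HTTP HTTP route-lookup no-proxy-arp"
 action 2 cli command "nat (inside,outside) 2 source static FILTERED-LAN FILTERED-LAN destination static any any service HTTPS HTTPS route-lookup no-proxy-arp"
 output none
```

Two things to check before relying on this. First, neither applet runs "write memory", deliberately: the startup config should keep the identity rules so a reboot comes up in the filtered state. Second, the "no nat" actions will simply error when the rule is already gone (for example when the second of the two tunnels drops), which is harmless, but the reverse race is not: a rekey on the backup tunnel logs 713120 and restores the rules even if the primary is still down, which is the reliability problem the thread is about. Verify with "show nat" and "show crypto ipsec sa" after forcing a teardown in the lab ("clear crypto isakmp sa") before putting this near production.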

4 Replies

Philip D'Ath
VIP Alumni

Is this done using a proxy server configured on the machines, so all their traffic is going to a specific IP address over the VPN?

No.  This is an alternative to putting a proxy on a machine.  It forces all computers that attach to the network to be redirected down the tunnel.  This includes cell phones, personal devices that shouldn't be on, etc.  The user is blocked from surfing the internet until they log in using their AD creds, using SSO and ADFS.

Very interesting.  Never seen it done like that.  I don't see any way to make this work the way you want.

Perhaps solving the core issue - the VPN instability - may be the way to go.

The issue there is always the unknown, and our leadership is always wanting assurances that we will not go down even though they don't give me the budget to create the proper redundancy.  I always have to get creative to do it.