SSL VPN ASA5510

rafael.samora
Level 1

Hello,

I have a question.

Can I make some "local policy" with the SSL VPN AnyConnect client and block access to the internet?

The user would only have access to the internet if he were connected to the VPN (via the internal proxy).

Thank you & Regards.

Jennifer Halim
Cisco Employee

What do you mean by local policy?

The user would need an internet connection to connect with the SSL VPN. Do you want the user to connect to the internet via the ASA through the proxy when they are connected to the SSL VPN?

If that is the case, then you can remove the split tunnel policy and configure tunnelall; then all traffic will traverse the ASA when the user is connected to the SSL VPN.

Thank you for the quick answer Jennifer.

My question is whether I can block the internet and leave open only the address (URL) of the SSL VPN.

Once connected, the user would authenticate on my proxy and could access the internet.

I think it would be a local policy on the user's computer that does that; I just don't know if it is possible.

Regards.

Hello Rafael,

On the ASA you could restrict the traffic from the client to the internet if needed: allow the traffic from the VPN clients to the proxy and then only allow outbound internet access from the proxy IP address.

I think that is what you are looking for, and yes, it is possible.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I can see how to do this with a GPO of the operating system.

Block all internet traffic and allow only: SSL VPN (external IP) and proxy (internal IP).

Would you know if it would be possible to do this with AnyConnect (create a local policy)?

Thank you.

Hello Rafael,

First of all, let's make sure we are on the same page.

What we are going to do is send all the client traffic across the SSL tunnel (even the internet traffic); then on the ASA side we will allow only outbound traffic from the proxy server IP address.

Is this what you are looking for?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I think we have some misunderstanding.

I don't have a "split tunnel"; by default all internet traffic goes through the SSL tunnel (when connected to the SSL VPN).

My problem:

I can't let the user connect to the Internet; he can only connect if connected to the VPN.

If the user is using "public internet" (hotspot, home), I'll allow only connecting to the VPN.

I've seen other manufacturers' solutions that do that.

Regards.

Hello Rafael,

Well, in order to allow the user to go to the internet you will need to perform a U-turn and NAT it to the outside interface. The thing is that as soon as you add that, the traffic will be allowed by default. I would say you could configure an ACL for the outside interface in the outbound direction and restrict the traffic there.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

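The design Julio describes in the two replies above (all client traffic tunnelled, clients allowed to reach only the internal proxy, only the proxy allowed out to the internet), written out as an added ASA configuration fragment that is not part of this thread. The object, ACL, group-policy and tunnel-group names and every address and port are constructed placeholders, and the fragment uses a vpn-filter on the group policy rather than an outbound interface ACL, because decrypted VPN traffic bypasses interface ACLs while `sysopt connection permit-vpn` is in effect (the default).

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; all addresses constructed.
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network INTERNAL-PROXY
 host 10.10.10.5
ip local pool ANYCONNECT-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! Per-session filter for AnyConnect clients: proxy port and DNS on the proxy host only.
! Assumption to verify against the vpn-filter documentation for your release:
! the client (pool) address is written as the source of each ACE.
access-list VPN-CLIENT-FILTER extended permit tcp object VPN-POOL object INTERNAL-PROXY eq 3128
access-list VPN-CLIENT-FILTER extended permit udp object VPN-POOL object INTERNAL-PROXY eq 53
access-list VPN-CLIENT-FILTER extended deny ip any any log

! No split tunnel, push the proxy to the client's browser, apply the filter.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
 vpn-filter value VPN-CLIENT-FILTER
 msie-proxy server value 10.10.10.5:3128
 msie-proxy method use-server
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GP-ANYCONNECT

! Inside interface: only the proxy host may originate web and DNS traffic outbound.
access-list INSIDE-IN extended permit tcp object INTERNAL-PROXY any eq 80
access-list INSIDE-IN extended permit tcp object INTERNAL-PROXY any eq 443
access-list INSIDE-IN extended permit udp object INTERNAL-PROXY any eq 53
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! PAT the proxy behind the outside interface address (object NAT).
object network INTERNAL-PROXY
 nat (inside,outside) dynamic interface
```

This governs traffic only while the tunnel is up; it does nothing about the disconnected case Rafael is asking about, which Jennifer addresses below.
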
Hello Julio,

I think this forum thread (http://goo.gl/d8h6x) better explains my question.

I found something https://communities.cisco.com/thread/24669 (Boot VPN).

Regards.

Hi Rafael,

You are right. Cisco AnyConnect can't push policy if you are not connected to the SSL VPN to restrict internet access. This is something that Microsoft GPO does.

However, Cisco does have a cloud Web Security product called ScanSafe that can protect your web traffic. It does web scanning and URL blocking, and you can use the AnyConnect Web Security module to send the web traffic to the ScanSafe cloud proxy when the users are not in the office. If you are interested, please contact your local Cisco account representative.

Here is more information on ScanSafe for your reference:

http://www.cisco.com/en/US/products/ps11720/index.html

Thank you Jennifer and Julio.

I'll check the ScanSafe solution.

Regards.