Anyconnect VPN with IronPort Proxy

Tarik Admani
VIP Alumni

Hello,

I have a customer that is using a failover pair of ASAs as their VPN headend for remote access users along with their internet gateway. Currently we are deploying ISE, and the customer would like to have their users hit their IronPort, which is on the inside interface as well.

I know that the transparent authentication will not work. However, can we set the proxy settings in the ASA group policy so that their IE points to the IronPort as their internet proxy server? Is there a config example, or can anyone point me in the right direction on whether I am missing anything with this approach?

Thanks,

Tarik Admani


Erik Kaiser
Cisco Employee

We can have transparent authentication working with VPN traffic by routing the VPN traffic into the inside segment of the ASA.

Command to redirect VPN traffic to inside segment:

# ip route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled

Where 10.0.0.1 is the inside core switch.

Once the traffic hits the inside core switch, it will take a U-turn, head back to the internet, and be caught by the WCCP redirection running on the inside interface of the ASA.

In the case of the AnyConnect policy, please reach out to the AnyConnect team/TAC.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

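As an added illustration (not configuration from either poster), here is what the two approaches discussed in this thread look like side by side on the ASA: Erik's tunneled default route with WCCP redirection on the inside interface, and the group-policy proxy settings Tarik asked about. 10.0.0.1 is the core switch from Erik's reply; the WSA address 10.0.0.50, the VPN pool 192.168.100.0/24 and the ACL/group-policy names are constructed placeholders. Note that ASA WCCP redirection expects the WSA to be layer-2 adjacent to the redirecting interface, and that the hairpin path is exactly where the asymmetric-routing concern raised in the follow-up reply would surface.

```cisco
! Added example, not from the original thread. Placeholders: 10.0.0.50 (WSA),
! 192.168.100.0/24 (AnyConnect address pool), ACL and group-policy names.

! --- Approach 1 (Erik's reply): send decrypted VPN traffic toward the inside
! core switch so it U-turns and re-enters the inside interface, where WCCP
! redirection hands web traffic to the WSA.
ip route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled

! Only redirect HTTP/HTTPS sourced from the VPN pool; other traffic keeps
! its normal path and is not sent to the WSA.
access-list WCCP-REDIRECT extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 192.168.100.0 255.255.255.0 any eq https
! Limit which hosts may register as a WCCP cache engine to the WSA itself.
access-list WCCP-CACHES extended permit ip host 10.0.0.50 any
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-CACHES
wccp interface inside web-cache redirect in

! --- Approach 2 (Tarik's question): push explicit proxy settings to the
! AnyConnect client's browser via the group policy, so web requests go to the
! WSA directly and transparent authentication is not relied on at all.
group-policy VPN-USERS attributes
 msie-proxy server value 10.0.0.50:3128
 msie-proxy method use-server
 msie-proxy local-bypass enable
```

Verify the result with `show wccp` (redirect and cache-engine counters) on the ASA and by checking that a test VPN user's web session appears in the WSA access log with the expected source address.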

Erik,

Thanks for your response. I have seen in many instances that the IronPort cannot access users that span across the ASA, in this case our VPN clients. Also, I seem to be hitting an asymmetric routing issue if I do use the tunneled keyword for their routes; the return traffic may drop.

I will post this question in the VPN community for better clarification.

Thanks,

Tarik Admani