01-14-2013 06:57 PM
Hello,
I have a customer that is using a failover set of ASAs as their VPN headend for remote access users along with their internet gateway. Currently we are deploying ISE and the customer would like to have their users hit their ironport which is on the inside interface as well.
I know that the transparent authentication will not work. However, can we set the proxy settings on the ASA group policy so that their IE points to the IronPort as their internet proxy server? Is there a config example, or can anyone point me in the right direction on whether I am missing anything with this approach?
Thanks,
Tarik Admani
01-16-2013 12:08 PM
We can have transparent authentication working with VPN traffic by routing the VPN traffic into the inside segment of the ASA.
Command to redirect VPN traffic to inside segment:
(config)# route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
Where 10.0.0.1 is the inside core switch.
Once the traffic hits the inside core switch, the traffic will take a U-turn, will head back to the internet and will be caught by the WCCP running on the inside interface of the ASA.
In the case of AnyConnect policy, please reach out to the AnyConnect team/TAC.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
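For reference, the following is an added configuration sketch of the approach described in the reply above (a tunneled default route toward the inside core plus WCCP redirection on the inside interface); it is not Erik's or Cisco's own config, and the interface names, subnets and the WSA address 10.0.0.50 are constructed placeholders.

```text
! Decrypted VPN-client traffic (only) is sent to the inside core switch
! instead of straight out the outside interface.
route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled

! Which clients to redirect: the VPN address pool (constructed: 10.10.10.0/24)
! going to any web server on port 80.
access-list WCCP_REDIRECT extended permit tcp 10.10.10.0 255.255.255.0 any eq www

! Which WSA(s) may join the service group (constructed WSA address).
access-list WCCP_WSA extended permit ip host 10.0.0.50 any

! WCCP service group and redirection on the inside interface, where the
! U-turned traffic from the core switch re-enters the ASA.
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_WSA
wccp interface inside web-cache redirect in
```

Note that the tunneled route only affects traffic that arrived over a VPN tunnel, and the core switch must route the web traffic back through the ASA's inside interface for the redirect to see it; the return path to the clients has to take the same ASA, which is where the asymmetric-routing concern raised later in this thread comes in.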
01-16-2013 11:26 PM
Eric,
Thanks for your response. I have seen in many instances that the IronPort cannot access users that span across the ASA, in this case our VPN clients. Also, I seem to be hitting a routing (asymmetric) issue if I do use the tunneled keyword for their routes; the return traffic may drop.
I will post this question in the VPN community for better clarification.
Thanks,
Tarik Admani