Web filtering when filter is on the LAN side of the VPN

We have a LAN/WAN environment that comes back to a central location and then goes out to the Internet via our Cisco ASA 5510 Firewall/VPN device. Our VPN users connect to the ASA and then traffic goes either into the LAN or out to the Internet. We are using several VLANs/subnets of 10.2.x.0/24. The VPN users get 10.2.13.0/24.

We recently installed a Barracuda web filter inline between my last router and firewall. So all internal traffic goes through it before it gets to the Internet and is therefore filtered per the Barracuda's settings. VPN users, however, connect to the firewall directly, so all their Internet traffic is going straight out to the Internet without being filtered.

How can I create a route that would take all VPN users (10.2.13.0/24) and force them into the LAN before going out to the Internet, therefore forcing them through the Barracuda? I was thinking I could create a static route that would route all 10.2.13.0/24 traffic to the router just inside the Barracuda and then that router would send it on correctly. I am, however, not sure of the syntax or sure that will work. The 2 issues I can see are:

1. Once the traffic starts flowing, would the ASA learn that the VPN user was directly connected and not send the traffic in? (I don't think so with a static route.)
2. Would that cause a loop where the ASA sends the traffic in and the router sends it back to the ASA, which in turn sends it back to the router and it never gets to the Internet?

bruceleroy Asked:
arnold Commented:
You can create a policy on the ASA to reroute port 80 requests to the Barracuda appliance.
Make sure to exempt the Barracuda appliance from this restriction or you will create a loop.
https://supportforums.cisco.com/message/140565

bruceleroy (Author) Commented:
Since the Barracuda does not retag the IP address of the traffic, the ASA will never know it's coming from the Barracuda.
We have decided to start using the Barracuda in Proxy Mode instead of inline.