Cisco ASA with client VPN connections NAT issues

I have a Cisco ASA 5510 firewall that has been acting only as a firewall up until now.  I'm trying to set it up so that clients can connect remotely with a software VPN client on their laptop.  I have it all working up through the client VPNs connecting back, authenticating, and they can access internal resources.  The problem is they can't get to the Internet.  I am tunneling everything through (no split tunnels).  I believe it to be a NAT issue because if I enter these commands then it works:

same-security-traffic permit intra-interface
nat (EXTERNAL) 1 10.10.10.0 255.255.255.0

Here I use 10.10.10.0 as the network I'm using for my VPN network.

So once I do this, everything works... but... I notice that the VPN clients then are not filtered by our content filtering device that the internal people are filtered by. It's like when I have it set up with the commands above it knows how to go to the Internet without passing through the way that everything else does. Our content filtering device is a passthrough device, not a proxy, and it just acts as a bridge between our internal network and the firewall.

I need to make sure the VPN clients that connect up go through the same content filtering that the internal people currently do.
jpletcher1 asked:

MikeKane commented:
What is the content filtering device?    How is it connected and setup?  

Motaba commented:
If your filtering device is between the ASA and the internal network, then you need to route VPN clients to the internal network.
One solution is a proxy located on the internal network. All VPN users have to use this proxy, so traffic goes from the VPN users to the internal network and back out to the Internet through the filtering device.
The second option is some kind of routing. I do not know if it works, but you would need to set a route rule on the ASA like this: "route any from VPN to any through (some router in the internal network)".
jpletcher1 (author) commented:
The content filtering device is actually a SonicWall NSA device that is only used for content filtering.  It is plugged in transparently so that anything internally passing from the inside network to the firewall must traverse through it.  I assume the VPN clients are getting around this when I do the NAT entry I listed above.  

I'm not sure how to make sure the VPN traffic destined for the Internet passes through the inside network and through the filtering device as if it was an internal end client.
jpletcher1 (author) commented:
I should also say, we currently have remote VPN clients connecting in through an actual Cisco VPN concentrator, and that works fine since coming in on the concentrator they have to pass through the internal network to get out to the firewall. My goal is to transfer the VPN role from the concentrator to the firewall. Since now in my new method the firewall is the entry and exit point, I have this problem.
Motaba commented:
I did a little Googling and found out that the ASA does not support POLICY BASED ROUTING. PBR could do this strange routing of VPN traffic to the Inside, but the ASA does not support it.
So I cannot imagine any other way to do the filtering the way you want.
lrmoore commented:
If your content filter was able to work in proxy mode at the same time as pass-through mode, you could force VPN users to use it as a proxy.

Otherwise, you're out of luck. Since the device is physically in line between internal users and the ASA, there is no possible way for VPN end users to attach to the outside interface and have packets pass through the inline filter on the inside.

MikeKane commented:
In the ASA, the VPN clients that come into the network never have packets 'leave' the ASA.  The traffic remains within the appliance and is redirected out toward the internet.  At no time would the traffic have the opportunity to traverse the content filter.  

The only way to have this work would be, as indicated above, to have a proxy on the inside that VPN clients must use.    
jpletcher1 (author) commented:
Shoot, that was what I was afraid of.  Thanks for the information guys.
jpletcher1 (author) commented:
An update on this...  Cisco figured out how to force my traffic coming in from the remote site ASA destined for the Internet to still come into the local network first (not hit the central firewall and head straight for the Internet).  They put in a "tunnel" route that forces all traffic coming into the central ASA to be routed to our internal layer 3 switch, and from there it goes back out to the Internet.  I was glad that this worked, but now our content filter won't filter the traffic because it is originating from the external interface of the content filter and not the inside interface.
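The two ASA configurations discussed in this thread, the hairpin NAT from the original question and the tunneled default route from the final update, side by side as an added illustration. This is not configuration from the thread or from Cisco support; it assumes pre-8.3 ASA NAT syntax (matching the `nat (EXTERNAL) 1` line in the question), an outside interface named EXTERNAL, an inside interface named INTERNAL (an assumed name), the 10.10.10.0/24 VPN pool, and an internal layer 3 switch at 192.168.1.1 (a placeholder address).

```text
! Added illustration, not configuration from the thread or from Cisco support.
! Assumes: outside interface EXTERNAL, inside interface INTERNAL (assumed name),
! VPN pool 10.10.10.0/24, internal layer 3 switch 192.168.1.1 (placeholder).

! --- Variant A: hairpin on the outside interface (what the question describes) ---
! Decrypted client traffic re-enters EXTERNAL and is NATed straight back out the
! same interface. It never crosses INTERNAL, so an inline filter bridged between
! the inside network and the ASA never sees it.
same-security-traffic permit intra-interface
nat (EXTERNAL) 1 10.10.10.0 255.255.255.0
global (EXTERNAL) 1 interface

! --- Variant B: tunneled default route (the approach in the final update) ---
! The "tunneled" keyword makes this default route apply only to traffic that
! arrived over a VPN tunnel. Decrypted client traffic leaves INTERNAL toward the
! layer 3 switch, which routes it back to the ASA for the trip to the Internet.
! The return leg enters INTERNAL with a 10.10.10.x source, so the regular
! inside-to-outside NAT rule must cover 10.10.10.0/24 as well.
route INTERNAL 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
```

With Variant B the client traffic does traverse the inline filter, but in the direction the filter treats as external to internal (ASA toward switch) before the switch sends it back. That is the behaviour the final update reports: the filter sees the flow originating on its outside-facing port rather than from an inside host.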