jpletcher1

asked on

Web filtering for Cisco ASA VPN traffic

I've been going around and around with this issue. I just implemented an active/standby ASA environment. This is our main firewall and I'd like to use it for our remote sites to VPN into as well (and get rid of our soon-to-be-EOL concentrator). I need the VPN traffic to be filtered for web access. Here is what I have tried so far:

1.  In-line appliance.  I did a tunneled route so that all VPN traffic would come into our core switch, even if the traffic was Internet bound.  This didn't work because when the VPN traffic comes back from the Internet, it goes directly back to the remote site rather than back in through the appliance.  The appliance filters on the return traffic, so this didn't work.

2.  WCCP.  I thought this was the answer until the Cisco tech told me I'd need a WCCP server on every IP subnet, so I'd need 100 of them.  That won't work.

3.  Proxy.  I thought about this, but for our remote laptop users I worry that they won't be able to access the web when they are off the VPN.  

I've heard that Websense works the way I would need this to work, but it's quite expensive. Does anyone have any other ideas or corrections to the above statements?

ASKER CERTIFIED SOLUTION
RPPreacher
This solution is only available to members.
SOLUTION
Les Moore
jpletcher1

ASKER

Yes, we are trialing a Barracuda Web Filter and it has the option to use it as a proxy from the Internet with a service client that runs on each machine. I was hoping for a less intrusive solution, but this seems to be the way it is unless you want to shell out for Websense. Thanks guys.