Passing VPN traffic through a web filter

Recently, we installed a Barracuda web filter between our ASA and our core switch.  Everything works great except for VPN.  When connected by VPN, the traffic is not filtered.  Barracuda offered the solution below.  However, I am a novice with the Cisco IOS and have a few questions about the solution.  

Question
"How can I filter my VPN traffic with my Barracuda Web Filter when it is configured in inline mode?"

Answer:
If you have a firewall/VPN tunnel device and the Barracuda Web Filter is inline behind the firewall, the VPN traffic will not be filtered unless you perform the steps below.
• Create a rule in your firewall blocking all port 80 traffic outbound.
• Have that traffic re-directed to the Barracuda.
• Then create a rule allowing all port 80 traffic coming from the Barracuda Web Filter specifically to be allowed.
• Turn off the Pass Client IP addresses through WAN port option on the Basic > IP Configuration page, effectively enabling the Barracuda as the source IP for all outbound packets.
• Lastly, on Basic > IP Configuration set Enable proxy on WAN to Yes.
This will allow all of the VPN traffic to be filtered while being able to keep the Barracuda Web Filter on the internal network.

I think the gist of the solution is this:
Modify the firewall's ACL to deny all outbound www traffic.  
Modify NAT so that all HTTP traffic goes through the web filter.
Modify the firewall's ACL to permit all www traffic from the web filter's address.


I think I would need to make the changes below.  Am I on the right track?
access-list 101 extended deny tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 {xxx.xxx.xxx.xxx is the address of the web filter}
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is the address of the web filter}


Do I need to do anything with these other lines?
aaa authentication http console LOCAL
http server enable 444
http 192.168.xxx.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside


Do I need to do something for HTTPS?

On Google, I see references to WCCP.  Would this be better?  I don't know anything about WCCP.
tmaususer asked:
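The three-rule design in the Barracuda answer (deny outbound port 80, permit the filter's own port 80) depends on the ASA evaluating an access list top-down and stopping at the first match, so the order of the deny and permit lines decides whether the filter itself can reach the web. This added Python model is not from the thread, Cisco or Barracuda; it assumes the LAN and the VPN client pool sit in 192.168.0.0/16 and the filter is 192.168.130.20, and it shows the posted order blocking the filter while the corrected order works and HTTPS still passes unfiltered.

```python
"""ASA-style first-match ACL model for the web-filter redirect design. Constructed
example: LAN (incl. the VPN client pool) assumed 192.168.0.0/16, filter 192.168.130.20."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def asa_net(addr, mask="255.255.255.255"):
    """ASA ACLs take a subnet mask (255.255.0.0), not an IOS wildcard mask."""
    return ip_network(f"{addr}/{mask}", strict=False)

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    src: object           # source network
    dst: object           # destination network
    dport: Optional[int]  # None matches any destination port

def evaluate(acl, src_ip, dst_ip, dport):
    """Return the action of the first matching entry; implicit deny otherwise."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action
    return "deny"

ANY = asa_net("0.0.0.0", "0.0.0.0")
LAN = asa_net("192.168.0.0", "255.255.0.0")
FILTER = asa_net("192.168.130.20")

# Order as posted in the thread: the broad deny precedes the filter's permit,
# so the filter's own outbound HTTP hits the deny and never reaches the permit.
ACL_POSTED = [Ace("deny", LAN, ANY, 80), Ace("permit", FILTER, ANY, 80)]

# Corrected order: narrow exception first, broad deny second, then a permit
# that keeps every other outbound flow (including unfiltered HTTPS) working.
ACL_FIXED = [
    Ace("permit", FILTER, ANY, 80),
    Ace("deny", LAN, ANY, 80),
    Ace("permit", LAN, ANY, None),
]

def check(acl):
    """Evaluate the flows that matter for this design against one ACL."""
    web = "203.0.113.10"  # constructed external web server address
    return {
        "filter_to_web": evaluate(acl, "192.168.130.20", web, 80),
        "lan_client_direct": evaluate(acl, "192.168.5.7", web, 80),
        "vpn_client_direct": evaluate(acl, "192.168.200.4", web, 80),
        "lan_client_https": evaluate(acl, "192.168.5.7", web, 443),
    }
```

The model only covers the ACL half of the design; getting the denied client traffic to the filter still needs the redirect step (NAT or WCCP) the thread leaves open.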
tmaususer (Author) commented:
What about this:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host 208.104.241.50 eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
access-list 101 extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.130.20 eq www {xxx.xxx.xxx.xxx is the address of the web filter}
access-list 101 extended permit tcp host 192.168.130.20 192.168.0.0 255.255.0.0 eq www {xxx.xxx.xxx.xxx is the address of the web filter}

Or is directing different than allowing?
In this case, is directing a NAT function or a static route?

 
Robert Sutton Jr (Senior Network Manager) commented:
Everything looks right except for:
access-list 101 extended deny tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}

You actually want to DENY your internal LAN segment access to that outside address, not block the outside address from any TCP port 80 activity.
 
Robert Sutton Jr (Senior Network Manager) commented:
This way inbound traffic will be allowed, and outbound will have to traverse through the web filter.
 
tmaususer (Author) commented:
I am looking through my reference books to get a better understanding. However, I am confusing myself. What would "DENY your internal LAN segment access to that outside address" look like?
 
tmaususer (Author) commented:
Is this better?

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
 
tmaususer (Author) commented:
This is what I think I need to change to:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 {xxx.xxx.xxx.xxx is the address of the web filter}
access-list 101 extended permit tcp host xxx.xxx.xxx.xxx 192.168.0.0 255.255.0.0 eq www {xxx.xxx.xxx.xxx is the address of the web filter}
 
tmaususer (Author) commented:
Maybe I don't need 'static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255'. I think that is something else. Originally, that was a reference to our secondary DC.

I think all I need are the 2 access-list lines:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}

access-list 101 extended permit tcp host xxx.xxx.xxx.xxx 192.168.0.0 255.255.0.0 eq www {xxx.xxx.xxx.xxx is the address of the web filter}

Anyone know if I am mistaken?
 
tmaususer (Author) commented:
No, I still haven't told the www traffic where to go.
 
tmaususer (Author) commented:
Decided it would be safer to hire someone.
 
pkeizer commented:
We are running into the same problem. The question is how many appliances we need. Is it possible to pass the VPN traffic through a transparent bridge with one appliance / VPN terminator?
Thanks.