Passing VPN traffic through a web filter

Recently, we installed a Barracuda web filter between our ASA and our core switch.  Everything works great except for VPN.  When connected by VPN, the traffic is not filtered.  Barracuda offered the solution below.  However, I am a novice with the Cisco IOS and have a few questions about the solution.  

Question
"How can I filter my VPN traffic with my Barracuda Web Filter when it is configured in inline mode?"

Answer:
If you have a firewall/VPN tunnel device and the Barracuda Web Filter is inline behind the firewall, the VPN traffic will not be filtered unless you perform the steps below.
• Create a rule in your firewall blocking all port 80 traffic outbound.
• Have that traffic re-directed to the Barracuda.
• Then create a rule allowing all port 80 traffic coming from the Barracuda Web Filter specifically to be allowed.
• Turn off the Pass Client IP addresses through WAN port option on the Basic > IP Configuration page, effectively enabling the Barracuda as the source IP for all outbound packets.
• Lastly, on Basic > IP Configuration set Enable proxy on WAN to Yes.
This will allow all of the VPN traffic to be filtered while being able to keep the Barracuda Web Filter on the internal network.

I think the gist of the solution is this:
Modify the firewall's ACL to deny all outbound www traffic.
Modify NAT so that all HTTP traffic goes through the web filter.
Modify the firewall's ACL to permit all www traffic from the web filter's address.


I think I would need to make the changes below.  Am I on the right track?
access-list 101 extended deny tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 {xxx.xxx.xxx.xxx is the address of the web filter}
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is the address of the web filter}


Do I need to do anything with these other lines?
aaa authentication http console LOCAL
http server enable 444
http 192.168.xxx.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside


Do I need to do something for HTTPS?

On Google, I see references to WCCP.  Would this be better?  I don't know anything about WCCP.
tmaususer asked:
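As an added example that is not part of the original thread or of Barracuda's answer, here is how the three firewall steps above might look on an ASA using the 8.2-style syntax the question already uses (`static (inside,outside)`). It takes 192.168.130.20 as the web filter's address (given later in the thread) and assumes 192.168.0.0/16 for the LAN, 192.168.250.0/24 for the VPN client pool, VPN_POLICY as the group-policy name and 3128 as the Barracuda proxy port; dynamic NAT for the LAN and the VPN pool is assumed to exist already and is not shown. Two points it illustrates: an ASA of this vintage has no policy-based routing, so "redirect to the Barracuda" is done by pointing the clients at the filter as an explicit proxy rather than by a NAT or a static route on the firewall; and VPN traffic never enters the inside interface, while decrypted VPN traffic bypasses the inbound ACL on the outside interface under the default `sysopt connection permit-vpn`, so the deny has to live on an ACL applied outbound on the outside interface, which is the one place both LAN and VPN traffic must pass.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax to match the
! "static (inside,outside)" lines in the question.
!
! Assumed addresses and names (adjust to your network):
!   192.168.130.20     Barracuda Web Filter inside address (from the thread)
!   192.168.0.0/16     internal LAN
!   192.168.250.0/24   VPN client address pool (assumed)
!   VPN_POLICY         group policy applied to the VPN clients (assumed)
!   3128               Barracuda proxy port (assumed; check Basic > IP Configuration)
! Dynamic NAT for the LAN and the VPN pool is assumed to exist and is not shown.

! Step 2 of Barracuda's answer ("redirect to the Barracuda"): this ASA cannot
! steer port-80 traffic to an inside host, so the clients are told to use the
! filter as an explicit proxy. For VPN clients the group policy pushes it
! (Enable proxy on WAN must be Yes on the appliance).
group-policy VPN_POLICY attributes
 msie-proxy server value 192.168.130.20:3128
 msie-proxy method use-server

! Tunnel-all VPN clients reach the Internet by re-entering and leaving the
! outside interface; the ASA only hairpins that traffic if this is enabled.
same-security-traffic permit intra-interface

! Steps 1 and 3: deny direct port 80 from everything internal, permit it from
! the filter. With "Pass Client IP addresses through WAN port" turned off the
! filter's own address is the source of every proxied request, so one host
! entry covers all filtered traffic.
object-group network INTERNAL_CLIENTS
 network-object 192.168.0.0 255.255.0.0
 network-object 192.168.250.0 255.255.255.0

access-list OUTSIDE_OUT extended permit tcp host 192.168.130.20 any eq www
access-list OUTSIDE_OUT extended deny tcp object-group INTERNAL_CLIENTS any eq www
! Add the same permit/deny pair for "eq https" only if the filter is set up to
! proxy HTTPS (CONNECT); denying 443 without a proxy simply breaks HTTPS.
access-list OUTSIDE_OUT extended permit ip any any

! Bound OUTBOUND on the outside interface. An ACL bound "in" on the inside
! interface never sees VPN traffic (it arrives on outside), and with the default
! "sysopt connection permit-vpn" decrypted VPN traffic bypasses the inbound ACL
! on the outside interface. The outbound ACL is the one place both paths pass.
access-group OUTSIDE_OUT out interface outside
```

After applying this, `show access-list OUTSIDE_OUT` should show the hit count growing on the permit line for 192.168.130.20 during normal browsing and on the deny line whenever a client bypasses the proxy, and `packet-tracer input inside tcp 192.168.10.5 1025 203.0.113.10 80` (a constructed LAN host and a documentation address standing in for any web server) should end in a drop on that ACL. Note that `msie-proxy` only sets the Windows system proxy on the VPN client; applications that ignore the system proxy are blocked by the deny rather than filtered. If you would rather not bind an outbound ACL to the outside interface, a `vpn-filter` applied in the same group policy is an alternative place to put the deny for VPN clients only.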
Robert Sutton Jr (Senior Network Manager) commented:
Everything looks right except for:
access-list 101 extended deny tcp any host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}

You actually want to DENY your internal lan segment access to that outside address. Not block the outside address from any tcp port 80 activity.
Robert Sutton Jr (Senior Network Manager) commented:
This way inbound traffic will be allowed, and outbound will have to traverse thru the web filter.
tmaususer (Author) commented:
I am looking through my reference books to get a better understanding.  However, I am confusing myself.  What would "DENY your internal lan segment access to that outside address" look like?
tmaususer (Author) commented:
Is this better?

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees; ASA access-lists take a subnet mask, not an IOS-style wildcard mask}
tmaususer (Author) commented:
This is what I think I need to change to:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 {xxx.xxx.xxx.xxx is the address of the web filter}
access-list 101 extended permit tcp host xxx.xxx.xxx.xxx 192.168.0.0 255.255.0.0 eq www {xxx.xxx.xxx.xxx is the address of the web filter}
tmaususer (Author) commented:
Maybe I don't need 'static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 '  I think that is something else.  Originally, that was a reference to our secondary DC.

I think all I need are the 2 access-list lines:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host xxx.xxx.xxx.xxx eq www {xxx.xxx.xxx.xxx is our outside address the world sees}

access-list 101 extended permit tcp host xxx.xxx.xxx.xxx 192.168.0.0 255.255.0.0 eq www {xxx.xxx.xxx.xxx is the address of the web filter}

Anyone know if I am mistaken?
tmaususer (Author) commented:
No, I still haven't told the www traffic where to go.
tmaususer (Author) commented:
What about this:

access-list 101 extended deny tcp 192.168.0.0 255.255.0.0 host 208.104.241.50 eq www {208.104.241.50 is our outside address the world sees}
access-list 101 extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.130.20 eq www {192.168.130.20 is the address of the web filter}
access-list 101 extended permit tcp host 192.168.130.20 192.168.0.0 255.255.0.0 eq www {192.168.130.20 is the address of the web filter}

Or is directing different than allowing?
In this case, is directing a NAT function or a static route?


tmaususer (Author) commented:
Decided it would be safer to hire someone.
pkeizer commented:
We are running into the same problem. The question is how many appliances we need. Is it possible to pass the VPN traffic through a transparent bridge with one appliance / VPN terminator?
Thanks.