Filtering Web Traffic after it gets through an IPSec Tunnel

Hi experts,

I was looking for some recommendations, both hardware and software, for how I can filter web traffic after it has traversed an IPsec tunnel. The configuration is like so:

- Mobile devices are sent to users which have their SIM cards bound to traffic that is only allowed to hit our network via the IPsec tunnel that exists between our data center and our mobile network provider (AT&T)
- Once the traffic traverses the tunnel, due to some application dependencies, we then allow that traffic to not only get to our web servers, but also out to the public internet
- We have found that the mobile users are now consuming a high volume of data, which consequently is getting billed to our account, because they have discovered they can get to anywhere on the internet...not just our application

Is there a way to filter web traffic after it gets out of the tunnel? We used to only allow the traffic to our web servers, but due to a dependency on some Google and Microsoft public APIs, setting an ACL that only allows traffic to their IPs and denies all others seems to be the resolution...but we can't be certain of which IP blocks to allow.

Any suggestions are appreciated.
Somboun Inthavong asked:

If your IPsec is set up such that all traffic from the mobile devices is sent through your system/network, you need to look at a transparent proxy through which you will send all the mobile-initiated external data, and at which point you will define where and what they are allowed to access.
The issue is that your setup allows pass-through traffic.
Look there; you can locate the IP segments allocated to the various entities.

Note, however, that many of the larger firms use application accelerators such as Akamai, so that is the difficulty with a transparent proxy for the mobile devices.

What is the end point on which the IPSec terminate? Is it on a VPN router/firewall or is it serviced by a server?

Somboun Inthavong (Author) commented:
Thank you Arnold for answering.  To answer your question, on each end of the IPSEC tunnel is a Cisco router.  I will look into setting up a transparent proxy as recommended.
Do you have Linux as an option?
Linux, Squid and WCCP can provide you an optimal setup, with the router forwarding port 80 requests to the proxy when the WCCP session is active; if anything happens and WCCP is not established, the user will not see errors.

Note, however, that that will impact non-secured connections. Secured connections are a different issue.
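A minimal configuration for the Squid-plus-WCCP setup described above, added here as an illustration; it is not part of the original thread or of any vendor's documentation. The router address, proxy address, tunnel interface, client range, application domain and the API domains are placeholders assumed for the example; the real Google and Microsoft API hostnames must be confirmed from the application's own dependencies.

```conf
# --- Cisco IOS router terminating the IPsec tunnel (assumed address 192.0.2.1) ---
# Enable the standard WCCP "web-cache" service (service group 0, TCP port 80 only)
ip wccp web-cache
# Redirect port-80 traffic arriving from the tunnel to the proxy
# (Tunnel0 is assumed; use whatever interface the decrypted mobile traffic enters on)
interface Tunnel0
 ip wccp web-cache redirect in

# --- Linux Squid host (assumed address 192.0.2.10), squid.conf ---
# Register with the router; redirected packets travel over GRE in both directions
wccp2_router 192.0.2.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
# Intercept mode: the mobile clients are unaware of the proxy, which is what
# router-side redirection requires
http_port 3128 intercept

# Allow-list by destination name instead of by IP block, so the providers'
# changing address ranges do not have to be tracked. The domains are placeholders.
acl mobile_clients src 10.0.0.0/8
acl app_dst dstdomain .app.example.com
acl api_dst dstdomain .googleapis.com .microsoft.com
http_access allow mobile_clients app_dst
http_access allow mobile_clients api_dst
# Everything else from the tunnel is denied (and logged) rather than billed
http_access deny all
access_log /var/log/squid/access.log squid
```

On the Linux host the router's GRE tunnel also has to be terminated and the redirected port-80 packets sent to port 3128 with a local NAT redirect rule. Service group 0 covers only port 80, so HTTPS traffic still passes the proxy untouched, which is the secured-connection caveat raised above.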