I was looking for some recommendations, both hardware and software, for how I can filter web traffic after it has traversed an IPSec tunnel. The configuration is like so:
- Mobile devices are sent to users whose SIM cards are bound to traffic that is only allowed to hit our network via an IPSec tunnel that exists between our data center and our mobile network provider (AT&T).
- Once the traffic traverses the tunnel, due to some application dependencies, we then allow that traffic not only to reach our web servers but also to go out to the public internet.
- We have found that the mobile users are now consuming a high volume of data, which is consequently billed to our account, because they have discovered they can get anywhere on the internet, not just to our application.
Is there a way to filter web traffic after it gets out of the tunnel? We used to only allow the traffic to our web servers, but due to a dependency on some Google and Microsoft public APIs, setting an ACL that only allows traffic to their IPs and denies all others seems to be the resolution... but we can't be certain which IP blocks to allow.
Any suggestions are appreciated.
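The "which IP blocks to allow" part of the question is the piece that can be automated: both vendors publish machine-readable range lists (Google at https://www.gstatic.com/ipranges/goog.json, Microsoft through the Office 365 endpoint web service at https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>), each carrying a version token so you can tell when it changed. The script below is an added example, not code from the original post or from either vendor; it assumes those two document layouts, uses constructed sample JSON in those layouts (illustrative prefixes, not a live download) so it runs offline, and assumes a firewall chain name `TUNNEL_EGRESS` that the post-tunnel traffic is jumped to. It also surfaces the edge case that makes a pure IP ACL incomplete: Microsoft entries that publish hostnames but no `ips`.

```python
"""Build an egress allow-list for traffic leaving the IPSec tunnel from the
IP-range documents that Google and Microsoft publish.

Added example; not from the original post.  Assumptions:
  - Google's list in the goog.json layout ({"prefixes": [{"ipv4Prefix": ..},
    {"ipv6Prefix": ..}]}), published at https://www.gstatic.com/ipranges/goog.json
  - Microsoft's list in the Office 365 endpoint web-service layout (a list of
    objects with "serviceArea", "urls", "ips", "category"), published at
    https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
The two JSON strings below are constructed samples in those layouts (the
prefixes are illustrative), so the script runs offline with no download.
"""
import ipaddress
import json

GOOG_SAMPLE = json.dumps({
    "syncToken": "1700000000000",
    "creationTime": "2023-11-14T12:00:00.000000",
    "prefixes": [
        {"ipv4Prefix": "8.8.4.0/24"},
        {"ipv4Prefix": "8.8.8.0/24"},
        {"ipv4Prefix": "8.8.9.0/24"},      # adjacent to the one above: collapses
        {"ipv4Prefix": "8.35.192.0/20"},
        {"ipv6Prefix": "2001:4860::/32"},
    ],
})

MS_SAMPLE = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "tcpPorts": "443", "category": "Optimize", "required": True},
    {"id": 50, "serviceArea": "Common",
     "urls": ["login.microsoftonline.com", "graph.microsoft.com"],
     "ips": ["20.190.128.0/18", "40.126.0.0/18", "2603:1006:2000::/48"],
     "tcpPorts": "80,443", "category": "Allow", "required": True},
    # URL-only entry: no "ips" key, so an IP ACL cannot cover it
    {"id": 125, "serviceArea": "Common", "urls": ["*.cdn.office.net"],
     "tcpPorts": "443", "category": "Default", "required": True},
])


def google_prefixes(doc: str) -> list[str]:
    """All IPv4/IPv6 prefixes from a goog.json-style document."""
    out = []
    for entry in json.loads(doc).get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            out.append(cidr)
    return out


def microsoft_prefixes(doc: str, service_areas=None) -> tuple[list[str], list[str]]:
    """(prefixes, url_only_hosts) from an endpoints web-service document.

    Entries that publish URLs but no "ips" cannot be expressed as an IP ACL;
    they are returned separately so the gap is visible instead of silent.
    """
    prefixes, url_only = [], []
    for entry in json.loads(doc):
        if service_areas and entry.get("serviceArea") not in service_areas:
            continue
        if entry.get("ips"):
            prefixes.extend(entry["ips"])
        else:
            url_only.extend(entry.get("urls", []))
    return prefixes, url_only


def collapse(cidrs: list[str]) -> list[str]:
    """Deduplicate and merge adjacent/overlapping prefixes, v4 and v6 kept apart."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # strict: bad data fails loudly
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def iptables_rules(cidrs: list[str], chain: str = "TUNNEL_EGRESS",
                   ports: tuple[str, ...] = ("443",)) -> list[str]:
    """Emit iptables/ip6tables commands: allow TCP to each prefix on the given
    ports, then drop everything else.  The chain name is an assumption; it is
    meant to be jumped to for traffic arriving from the tunnel, after rules
    that already accept the internal web servers and the DNS resolver.
    """
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ":" in cidr else "iptables"
        rules.append(f"{tool} -A {chain} -p tcp -d {cidr} "
                     f"-m multiport --dports {','.join(ports)} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")
    rules.append(f"ip6tables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    ms_ips, url_only = microsoft_prefixes(MS_SAMPLE)
    allow = collapse(google_prefixes(GOOG_SAMPLE) + ms_ips)
    print("\n".join(iptables_rules(allow)))
    if url_only:
        print("# not coverable by an IP ACL (needs a hostname allow-list):", url_only)
```

Two caveats before relying on this. First, re-run it whenever the published `syncToken`/version changes, because the vendors add and retire ranges; a stale allow-list breaks the API dependency with no obvious error on the device. Second, allowing every Google or Microsoft prefix still lets the handsets reach any property hosted on those ranges (video, storage, mail), which is a large share of the data you are trying to stop. A forward proxy that allow-lists hostnames (via the HTTP `Host` header or TLS SNI) for just the API endpoints is tighter, and it is the only way to cover the URL-only entries the script flags; keep DNS to your resolver permitted in either design, or the apps cannot resolve the endpoints at all.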