Cisco – Redirecting remote-access VPN traffic to BlueCoat web proxy

cisco, cisco-asa, http-proxy, vpn

We'd like to get away from split-tunneling on our remote-access VPNs.

The problem I am having is once I turn off split-tunneling, internet-bound traffic hairpins on the outside interface without going through our proxy servers. I would like that traffic (specifically 80/443) to be routed to our BlueCoat ProxySGs to ensure safer web-browsing.

The SGs are on the inside network behind our ASA which is the firewall and VPN concentrator. We are using WCCP between the ASA and SGs for transparent proxying. It looks something like this:

proxy --- inside-net --- ASA --- outside-net --- VPN/Internet

The configuration I used on the ASA after disabling split-tunneling was:

wccp interface outside 90 redirect in

The access-list for redirection would match the VPN subnet so I won't post that configuration.

One thing to note is if I explicitly set the proxy IP in my web browser, it works. But something about allowing the ASA and SGs to handle this transparently is not working. Any insight is greatly appreciated!

Best Answer

I'm not sure how this will work with the BlueCoat, but there is a 'tunneled' keyword that can be added to a static default route on the ASA that will be used for traffic exiting a VPN tunnel, instead of the normal default route that is responsible for the hairpin that you are seeing. There are some other restrictions that apply to using this configuration as noted here (ASA version 8.2). This presumably would require the proxy to be able to handle in some fashion all traffic exiting the VPN tunnel, not just 80/443, in that traffic that will not be proxied by the BlueCoat would essentially need to be 'routed' by it back to the ASA, where it would pass through using the standard default route out to the Internet.
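The two default routes described in the answer, shown side by side as an added ASA configuration example (not from the original question or answer). Interface names, the ISP next hop 203.0.113.1 and the ProxySG address 192.0.2.10 are assumptions using documentation ranges.

```cisco
! Standard default route. Decrypted remote-access VPN traffic that has no
! more specific route follows this and hairpins straight back out the
! outside interface, bypassing the ProxySG (the behaviour in the question).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route. The tunneled keyword makes this route apply only
! to traffic that has just exited a VPN tunnel, so that traffic is sent to
! the ProxySG on the inside network instead of to the ISP next hop.
! Address and interface name are assumed.
route inside 0.0.0.0 0.0.0.0 192.0.2.10 tunneled
!
! Consequence noted in the answer: the ProxySG now receives all VPN traffic,
! not only 80/443. Anything it does not proxy must be routed back to the
! ASA inside interface (the ProxySG's default gateway), where it leaves
! via the standard default route above.
```

The restrictions on tunneled routes referenced in the answer (ASA 8.2 documentation) still apply and should be checked for the running version before relying on this.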