Firepower filter VPN traffic

sprocket10
Level 2

Probably a simple setting that I'm missing. All LAN, DMZ etc. outgoing traffic is inspected by the FirePOWER interface on our 5516 and is working great. However, I have all client remote access VPN traffic tunnelling through the ASA, no split tunnelling, but the traffic isn't being inspected by the FirePOWER.

Any pointers?


4 Replies

Marvin Rhoads
Hall of Fame

When you say "tunneling through the ASA" do you mean it is terminating on a different VPN headend or on the ASA itself? 

The remote device (ie laptop) is sending all traffic through the Remote Access VPN to the ASA. So if the remote user browses the internet the traffic is going across the VPN. This traffic is not being inspected by the FirePower, which I want it to be.

Fixed. I needed to create a separate network object in FirePOWER.

OK, understood.

Make sure your access control policy is set up to inspect the "outside-outside" traffic that would be presented in this scenario.

There are examples of how to do this in the following article:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/211294-Configure-ASA-with-FirePOWER-Services-Ac.html
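As an added illustration of the scenario in this thread (not configuration from either poster), the ASA-side pieces that make full-tunnel remote-access traffic hairpin out the outside interface and pass through the FirePOWER (sfr) module look like this. The pool range, object names, policy names and the `after-auto` NAT placement are assumptions chosen for the example; substitute your own.

```cisco
! Added example, not from the thread. ASA 5500-X with a FirePOWER (sfr) module.
! Addresses, object and policy names are assumed for illustration only.

! 1. Remote-access address pool and a full-tunnel (no split tunnelling) group policy
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall

! 2. Internet-bound client traffic enters and leaves on "outside", so the ASA must
!    allow same-interface (hairpin) forwarding and NAT the pool out the outside interface
same-security-traffic permit intra-interface
nat (outside,outside) after-auto source dynamic VPN-POOL interface

! 3. Redirect traffic to the FirePOWER module. A class that matches any IP traffic in
!    the global policy already covers the outside-to-outside flow; if you scope the
!    redirect ACL more narrowly, make sure the VPN pool is still included
access-list SFR-REDIRECT extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-REDIRECT
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
service-policy global_policy global
```

Two checks worth doing after applying something like this. On the ASA, `show service-policy sfr` should show the packet counters for the redirect class increasing while a VPN client browses; if they stay flat, the traffic is not reaching the module at all and the problem is the ASA service policy or the hairpin/NAT configuration above. If the counters increase but the traffic still hits only the default action, the problem is on the FirePOWER side: access control rules written with inside LAN subnets as their source networks never match pool addresses such as 10.10.10.0/24, so the pool needs its own network object (in ASDM or FMC) referenced by the relevant rules, which matches the fix the original poster reported.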
