Cisco ASA Stateful inspection of encrypted traffic.

Michael Couture
Level 1

I have been looking for documentation for the ASA and how it handles stateful inspection of encrypted traffic. I find plenty of documentation for the ASA and stateful inspection of traffic, but none specifically referencing encrypted traffic. Can anyone supply me with documentation referencing this and/or a description of how it handles this type of traffic, and if it does this by default or if any special configuration is needed?

Thanks in advance.

Mike

1 Accepted Solution

Now I understand what you are talking about. You want to look into HTTPS-traffic for example. That is possible with the ASA-CX for outbound traffic, but not with the ASA alone.

I once implemented that for inbound traffic with a workaround:

Traffic flows as HTTPS to a reverse proxy in DMZ1; this proxy decrypts the traffic and sends it unencrypted to the webserver in DMZ2. As that traffic was cleartext, it was possible to inspect it with an L7 HTTP policy.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
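A concrete ASA configuration for the two-DMZ reverse-proxy design described in the accepted solution, added here as an illustration and not taken from the original post. Interface names, addresses (RFC 5737 documentation ranges), object names and the permitted Host header are assumptions; the reverse proxy that terminates TLS in DMZ1 is configured on the proxy itself and is not shown. The point of the example is that the ASA only keeps L3/L4 state for the HTTPS hop from the outside, while the L7 HTTP policy is applied on the cleartext hop between DMZ1 and DMZ2, where the ASA can actually parse the protocol.

```cisco
! Added example (ASA 8.4+ syntax). All names and addresses are assumptions.
!
! outside (0)  --HTTPS-->  dmz1 (50): reverse proxy 192.0.2.10 terminates TLS
! dmz1 (50)    --HTTP--->  dmz2 (40): web server 198.51.100.20 gets cleartext
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 40
 ip address 198.51.100.1 255.255.255.0
!
! First pass: publish the proxy and let only TCP/443 reach it.
! The ASA tracks this flow as a TCP connection but cannot see inside TLS,
! so no "inspect http" is applied here (it would only see protocol violations).
object network PROXY_DMZ1
 host 192.0.2.10
 nat (dmz1,outside) static 203.0.113.10
!
access-list OUTSIDE_IN extended permit tcp any object PROXY_DMZ1 eq https
access-group OUTSIDE_IN in interface outside
!
! Second pass: only the proxy may talk to the web server, and only on TCP/80.
! dmz1 -> dmz2 is higher-to-lower security, so without this ACL everything
! from DMZ1 would be allowed by default.
access-list DMZ1_IN extended permit tcp host 192.0.2.10 host 198.51.100.20 eq www
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! L7 policy for the cleartext hop. The allowed Host header is an assumption.
regex HOST_ALLOWED "^www\.example\.com(:80)?$"
!
policy-map type inspect http HTTP_DMZ
 parameters
  protocol-violation action drop-connection log
 match not request header host regex HOST_ALLOWED
  drop-connection log
 match request method connect
  drop-connection log
 match request uri length gt 2048
  drop-connection log
!
! Bind the HTTP inspection to exactly the proxy -> web server flow.
access-list HTTP_CLEARTEXT extended permit tcp host 192.0.2.10 host 198.51.100.20 eq www
class-map CM_HTTP_CLEARTEXT
 match access-list HTTP_CLEARTEXT
!
policy-map PM_DMZ1
 class CM_HTTP_CLEARTEXT
  inspect http HTTP_DMZ
!
service-policy PM_DMZ1 interface dmz1
```

After applying it, `show service-policy inspect http` shows per-policy packet and drop counters, and `show conn address 198.51.100.20` lists the TCP/80 connections from the proxy that the inspection is attached to. Two caveats a practitioner would add: the proxy now holds the server's private key and is the real TLS endpoint, so it needs the same hardening and patching as the web server; and the DMZ1-to-DMZ2 hop carries cleartext, so it should be a dedicated segment rather than a shared VLAN. If the traffic must be re-encrypted on the way to its final destination, as the Cisco text the original poster quotes describes, that is done by the proxy or the web server, not by the ASA.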


4 Replies

I'm not aware of the place in the documentation where it is mentioned, but traffic entering or leaving a VPN that is terminated on the ASA is also statefully inspected, the same way as "normal" traffic.

I assumed that you mean this by "encrypted traffic". But if you are talking about encrypted traffic that flows through the ASA then the answer is "it depends":

Pure IPsec traffic is not statefully inspected, as AH/ESP cannot be inspected. IPsec with NAT-Traversal is inspected, as it is encapsulated in UDP or TCP. The same applies to SSL VPNs, which are again UDP and/or TCP traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
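To make the "it depends" above concrete, here is an added ASA configuration example (not part of the original reply) for an IPsec tunnel that passes through the ASA between two other peers. Interface names, addresses and the per-client limits are assumptions. It shows the two cases side by side: with NAT-T, IKE (UDP/500) and ESP-in-UDP (UDP/4500) are ordinary UDP flows with normal connection entries; without NAT-T, ESP and AH (IP protocols 50 and 51) carry no ports and no parseable payload, so instead of a permanent static permit the ASA's `ipsec-pass-thru` inspection opens ESP/AH only after it has seen the IKE exchange and closes the pinhole when that state times out.

```cisco
! Added example (assumed names/addresses): IPsec between an inside host and a
! remote gateway, with the ASA in the path but not terminating the tunnel.
! inside (100): 10.1.1.50       outside (0): remote VPN gateway 203.0.113.50
!
! Case 1: NAT-T. IKE on UDP/500, then ESP wrapped in UDP/4500.
! Both are plain UDP flows: the ASA creates a connection entry for each and
! ages it out with the UDP idle timeout like any other UDP traffic.
access-list INSIDE_OUT extended permit udp host 10.1.1.50 host 203.0.113.50 eq isakmp
access-list INSIDE_OUT extended permit udp host 10.1.1.50 host 203.0.113.50 eq 4500
!
! Case 2: no NAT-T. ESP (proto 50) / AH (51) have no ports, so there is no
! L4 state to keep and nothing in the payload the ASA can parse.
! The weak option is a static permit, which leaves a permanent hole that is
! open whether or not a tunnel is negotiated:
!   access-list INSIDE_OUT extended permit esp host 10.1.1.50 host 203.0.113.50
! Instead, tie ESP/AH to the IKE exchange the ASA has already seen on UDP/500.
policy-map type inspect ipsec-pass-thru IPSEC_PT
 parameters
  esp per-client-max 10 timeout 0:11:00
  ah per-client-max 10 timeout 0:11:00
!
! UDP/500 is already part of default-inspection-traffic, so attaching the
! inspection to the default class on the global policy is enough.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC_PT
!
access-group INSIDE_OUT in interface inside
```

`show conn` then lists the UDP/500 and UDP/4500 entries as regular UDP connections, and `show service-policy inspect ipsec-pass-thru` shows the ESP/AH pinholes the inspection has opened and their remaining lifetime. Note that the inspection does not change what the first reply says: the ESP payload is still opaque to the ASA; the inspection only decides when ESP/AH is allowed through at all, based on the IKE state it can see.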

Thanks for your response.

One example I was thinking of is when customers need to protect public Internet servers on a DMZ. The firewall first allows encrypted traffic through to the DMZ based on standard rules. The traffic is then unencrypted within the DMZ and a second pass through a firewall can now inspect the contents of the packet(s) to ensure conformance to policies. Once passed, the traffic can then be re-encrypted and passed on to its destination.

This is pulled from a Cisco document. I guess I am just not visualizing how this would work. Can you elaborate on this?


Thanks for the input, that clears it up.
