ASA-NG IPS Inspect Encrypted Traffic

bahmanjafari
Community Member

Hi

 
We are buying an ASA 5525-X with IPS for our network. We have a number of servers that provide web service applications.
 
We have a big problem setting up the ASA: we cannot use the ASA inspect and IPS features because above 80% of the traffic is encrypted.
 
Please tell me how I can solve this problem.
 
I know that one solution is to use an HTTPS proxy on the ASA, but for some reason this solution cannot be implemented.
 
Thanks.
 
Accepted Solution

If you want to protect your own web servers from attacks from the internet, you can't use the HTTPS decryption of the ASA-CX, as the internet clients don't have your CX certificate.

The typical way to solve this is to place a reverse-proxy into a DMZ and do the SSL/TLS-handling there. The reverse-proxy sends plain HTTP through the ASA and the IPS can inspect that and protect your servers.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.


6 Replies

Thanks for your answer

Can I implement a reverse proxy with the ASA 5525-X?

If the answer is negative,

please help me in selecting the best practice for implementing a reverse proxy.

Can I not use Cisco Agent Security for this solution?

 

Best

The reverse proxy doesn't have anything to do with the ASA:

  • In a DMZ you have a host acting as a reverse proxy. I prefer a Linux box with nginx for that. This host gets the HTTPS requests from the internet and forwards them as HTTP to the real server (inside or in another DMZ).
  • On the outside interface you allow HTTPS to the reverse proxy and also add a corresponding NAT for that system.
  • On the interface where the reverse proxy is, you allow HTTP to the real web server. In addition to that, you make sure that your MPF sends this traffic to the IPS module.
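The three steps in the reply above, written out as configuration. This is an added example, not configuration from the original thread or from Cisco; the interface names, ACL and object names, the hostname www.example.com, the certificate paths and the addresses (203.0.113.10 public, 192.168.50.10 reverse proxy in the DMZ, 10.0.0.20 real web server inside) are all assumed for illustration. The first part is the nginx server block on the DMZ host that terminates TLS and forwards plain HTTP; the second part is the matching ASA configuration for the outside ACL and NAT, the DMZ-to-inside ACL, and the MPF class that hands the plain HTTP leg to the IPS module.

```text
### nginx on the DMZ reverse proxy (assumed paths and addresses) ###
server {
    listen 443 ssl;
    server_name www.example.com;

    # The public certificate lives here, so internet clients see a cert they trust.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Decrypted request goes on as plain HTTP to the real server behind the ASA.
        proxy_pass http://10.0.0.20:80;
        # Preserve the original client address for the web server's logs;
        # the IPS and ASA otherwise only see the proxy as the source.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

### ASA 5525-X (assumed interface, object and ACL names) ###
! Step 2: allow HTTPS from the internet to the proxy and NAT it to the public address
object network rproxy
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
access-list outside_in extended permit tcp any host 192.168.50.10 eq 443
access-group outside_in in interface outside

! Step 3a: from the DMZ, allow only the proxy to reach the real web server on HTTP
access-list dmz_in extended permit tcp host 192.168.50.10 host 10.0.0.20 eq 80
access-group dmz_in in interface dmz

! Step 3b: MPF sends the plain HTTP leg to the IPS module
access-list ips_traffic extended permit tcp host 192.168.50.10 host 10.0.0.20 eq 80
class-map ips_http
 match access-list ips_traffic
policy-map dmz_policy
 class ips_http
  ips inline fail-close
service-policy dmz_policy interface dmz
```

Two points worth checking once this is in place. The proxy-to-server leg now carries the decrypted traffic, so that segment should be reachable only from the proxy (the dmz_in ACL above does this) rather than from the whole DMZ. And because the IPS sees the proxy's address as the source of every request, a block or shun decision on the DMZ leg hits the proxy rather than the real client; per-client actions belong on the proxy (nginx access rules or rate limits keyed on the client address) or on the outside ACL. Whether the ASA accepts the NAT form shown depends on the ASA software version (8.3+ object NAT is assumed here).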

Hi

Thanks for your complete answer.

Excuse me, I have a question. Is it possible to use the ASA to act as an HTTPS proxy server, similar to the CSC module of the previous generation?

 

No, the ASA can't do that. You need an external device for that.


Thank you 

 

Which device can I use for this solution?
