
ASA-NG IPS Inspect Encrypted Traffic

bahmanjafari
Level 1

Hi

We are buying an ASA 5525-X with IPS for our network. We have a number of servers that provide web services and applications.

We have a big problem setting up the ASA: we cannot use the ASA inspect and IPS features because over 80% of the traffic is encrypted.

Please tell me how I can solve this problem.

I know that one solution is to use an HTTPS proxy in the ASA, but for some reason this solution cannot be implemented.

Thanks.
 
Accepted Solution

If you want to protect your own web servers from attacks from the internet, you can't use the HTTPS decryption of the ASA-CX, as the internet clients don't have your CX certificate.

The typical way to solve this is to place a reverse proxy in a DMZ and do the SSL/TLS handling there. The reverse proxy sends plain HTTP through the ASA, and the IPS can inspect that and protect your servers.

6 Replies

Thanks for your answer.

Can I implement a reverse proxy with the ASA 5525-X?

If the answer is negative, please help me select the best practice for implementing a reverse proxy.

Should I not use Cisco Agent Security for this solution?

Best

The reverse proxy doesn't have anything to do with the ASA:

  • In a DMZ you have a host acting as a reverse proxy. I prefer a Linux box with nginx for that. This host gets the HTTPS requests from the internet and forwards them as HTTP to the real server (inside or in another DMZ).
  • On the outside interface you allow HTTPS to the reverse proxy and also add a corresponding NAT for that system.
  • On the interface where the reverse proxy is, you allow HTTP to the real web server. In addition to that, you make sure that your MPF sends this traffic to the IPS module.
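The DMZ reverse proxy from the three steps above, as an added example that is not part of the original thread or any Cisco material: an nginx server block that terminates TLS with the site's public certificate and forwards the decrypted requests as plain HTTP to the backend, so the DMZ-to-inside hop is what the ASA IPS inspects. The hostname www.example.com, the backend address 10.10.20.10, and the certificate paths are assumptions for illustration.

```nginx
# Added example (not from the original thread): nginx as the DMZ reverse proxy
# that terminates TLS and forwards plain HTTP to the real web server, so the
# ASA IPS can inspect the DMZ-to-inside hop. Hostnames, addresses and paths are
# assumptions for illustration.

# Backend web server on the inside (or in another DMZ); plain HTTP only.
upstream web_backend {
    server 10.10.20.10:80;
    keepalive 32;
}

# Redirect any cleartext request from the internet to HTTPS.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Certificate and key that public clients trust (issued for www.example.com),
    # which is why this hop cannot be decrypted by the ASA-CX's own certificate.
    ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:TLS:10m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Decrypted traffic leaves here as plain HTTP through the ASA to the IPS.
        proxy_pass http://web_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Preserve the real client address and scheme for the backend logs;
        # the IPS and the web server otherwise only see the proxy's own IP.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Do not let a slow or attacked backend tie up proxy workers forever.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}
```

Two things to check before relying on this: the proxy-to-backend hop is cleartext, so the backend must accept port 80 only from the proxy's address, and the DMZ must be the only place that address is reachable from; and IPS events on that hop will name the proxy, not the internet client, as the source, so keep the X-Forwarded-For value in the backend (or nginx access) logs to attribute an alert to the real client.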

Hi

Thanks for your complete answer.

Excuse me, I have a question. Is it possible to use the ASA to act as an HTTPS proxy server, similar to the CSC module of the previous generation?

 

No, the ASA can't do that. You need an external device for that.

Thank you.

Which device can be used for this solution?
