ASA with FP module Upgrade and add to FMC

johnlloyd_13
Level 9

hi all,

i was asked to deploy ASA with FP in our environment.

could someone advise a summary of steps or point me to a primer doc (or video) to upgrade both ASA (5525-X) with FP module/image and add them to FMC?

any caveats i need to know, i.e. OS compatibility matrix, initial commands to put (redirect), etc.

Accepted Solution

Marvin Rhoads
Hall of Fame

The compatibility guide is here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

The quick start guide covers most everything you need to get setup:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Bottom line is you should make sure your FMC is at the current release (6.2.0 or later) and then image the module on the ASA to 6.2, making sure your ASA software is first at 9.5(2)+.

Get everything registered and then setup and deploy your policies from FMC.


hi marvin,

i've checked some of our 5525-X and observed some have s2s ipsec VPNs and others got anyconnect VPN.

do i add 'deny' lines to exclude VPN traffic from FP inspection?

or are they already denied/excluded since they're ISAKMP/UDP 500 traffic and not IP?

or is there a policy in FMC we can create to exclude the said VPN traffic?

access-list SFR_ACL extended permit ip any any

class-map SFR_CMAP
 match SFR_ACL

policy-map global_policy
 class SFR_CMAP
  sfr fail-open

The UDP traffic runs over IP so it would have to be called out separately. Here is what I've used to block IPsec VPN traffic where the decryption is downstream from the ASA:

access-list sfr_redirect extended deny udp any any eq 500 
access-list sfr_redirect extended deny udp any any eq 4500
access-list sfr_redirect extended deny esp any any
access-list sfr_redirect extended permit ip any any

Where the IPsec is being terminated on the ASA, I believe the FirePOWER inspection occurs pre-decryption so that should work there as well. 

AnyConnect is generally SSL VPN (although it does support IKEv2 IPsec), so you might have a challenge exempting that without also exempting traffic that you wish to inspect. (Even without decrypting SSL there is some utility in inspecting the flows.)

EDIT - updated to include the udp/500 traffic.

hi marvin,

shouldn't ISAKMP UDP 500 be included on the deny ACE? i believe UDP 4500 is for NAT-T.

access-list sfr_redirect extended deny udp any any eq 500
access-list sfr_redirect extended deny udp any any eq 4500
access-list sfr_redirect extended deny esp any any
access-list sfr_redirect extended permit ip any any

for anyconnect, since it's SSL encrypted, it won't be identified as IP traffic? is my assumption correct? no need for an ACE?

Yes - sorry I missed that line in pulling a snippet from my template via cut and paste.

I updated my reply to correct that.

marvin,

thanks for the correction!

how about anyconnect VPN traffic? do i need to add an ACE using private IP LAN-to-LAN (S2S subnet)? or create an identity NAT for the source subnet used for S2S VPN?

i just don't want anyconnect VPN traffic to be inspected and just bypass FP module.

hi marvin,

i've got a site with ASA FP and use the FW as the anyconnect RA VPN GW.

do i do the same deny ACL above or deny the IP subnet based on the RA DHCP POOL subnet?

or does it not matter since it's SSL encrypted and permit ip any any won't be able to inspect it?

That's a good question - I'm not positive on the answer. It's not quite clear to me where along the packet processing path of the ASA decryption takes place.

Even when we do a packet-tracer of an SSL VPN flow to an internal resource, the SSL decrypt does not show up. There is a good one illustrated in Pete Long's blog here:

https://www.petenetlive.com/KB/Article/0001298

We do see the policy map is at Phase 4. There is a "VPN" at phase 8 but that indicates ipsec not ssl.

I will ask around to see if I can get a better answer.

hi marvin,

i do have the identity NAT for the RA pool subnet.

i have prepared this FP redirect ACL just to make sure FP module doesn't inspect or take any action on the anyconnect traffic.


access-list FP-REDIRECT extended deny ip 172.30.5.0 0.0.0.255 any
access-list FP-REDIRECT extended deny ip any 172.30.5.0 0.0.0.255
access-list FP-REDIRECT extended permit ip any any

or is above FP ACL a bit of an 'overkill'?

i'll read on the link you gave me and would appreciate if you could advise on this. otherwise i would go for a TAC route :)

If you use that ACL, remember that ASA access list masks are not inverse like router ACL subnet masks. So a /24 would be 255.255.255.0.

I'd check with TAC to be sure of the impact (or need).
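An added example, not from the thread and not Cisco's code: a small Python model of the redirect ACL discussed above (the VPN-exempting ACEs plus the AnyConnect pool deny, written with the normal ASA mask rather than the wildcard). It evaluates constructed flows first-match to show which ones would be handed to the SFR module, and rejects a router-style wildcard mask the way the thread's correction describes. The ACL text, addresses and flows are constructed, and the parser only handles the ACE shapes used in this thread (numeric destination port, `any`, `host`, or `NET MASK`).

```python
import ipaddress

# Constructed sample (not verbatim from the thread): the VPN-exempting redirect ACL
# discussed above plus the AnyConnect pool deny, written with an ASA-style normal mask.
SFR_ACL = """
access-list sfr_redirect extended deny udp any any eq 500
access-list sfr_redirect extended deny udp any any eq 4500
access-list sfr_redirect extended deny esp any any
access-list sfr_redirect extended deny ip 172.30.5.0 255.255.255.0 any
access-list sfr_redirect extended deny ip any 172.30.5.0 255.255.255.0
access-list sfr_redirect extended permit ip any any
"""

def mask_is_normal(mask):
    """ASA mask check: contiguous ones then zeros (255.255.255.0), not a wildcard (0.0.0.255)."""
    zeros = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return zeros & (zeros + 1) == 0

def _addr(tok, i):
    """Consume one address spec (any | host A | NET MASK); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    net, mask = tok[i], tok[i + 1]
    if not mask_is_normal(mask):  # the mistake caught later in the thread
        raise ValueError(f"'{net} {mask}': ASA masks are not inverse; use e.g. 255.255.255.0")
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines
    (numeric destination port only, which is all the thread's ACL uses) into ACE dicts."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append({"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "dport": dport})
    return aces

def redirected_to_sfr(aces, proto, src, dst, dport=None):
    """First-match lookup: True if the flow is handed to the FirePOWER module,
    False if an explicit deny (or the implicit deny at the end) bypasses it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] not in ("ip", proto) or src not in a["src"] or dst not in a["dst"]:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"] == "permit"
    return False
```

With this ACL, IKE (udp/500), NAT-T (udp/4500), ESP and anything to or from the 172.30.5.0/24 pool return False (bypass), while ordinary web or DNS flows between other addresses return True (redirected).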

sure. i'll make a quick check with TAC.

i typed the ACL on the fly and forgot it's normal mask on ASA, my bad :)
