Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1258
Views
0
Helpful
4
Replies

Cisco ASA Stateuful inspection of encrypted traffic.

Go to solution
Michael Couture
Level 1
Level 1

‎09-26-2013 07:16 AM - edited ‎03-11-2019 07:44 PM

I have been looking for documentation for the ASA and how it handles stateful inspection of encrypted traffic. I find plenty of documentation for the ASA and stateful inspection of traffic, but none specifically referencing encrypted traffic. Can anyone supply me with documentation referencing this and/or a description of how it handles this type of traffic, and if it does this by default or if any special configuration is needed?

Thanks in advance.

Mike

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Michael Couture

‎09-26-2013 10:37 AM

Now I understand what you are talking about. You want to look into HTTPS-traffic for example. That is possible with the ASA-CX for outbound traffic, but not with the ASA alone.

I once implemented that for inbound traffic with a workaround:

Traffic flows as HTTPS to a reverse-proxy in DMZ1, this proxy decrypts the traffic and sends it unencrypted to the webserver in DMZ2. As that traffic was cleartext it was possible to inspect that with a L7 HTTP-Policy.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎09-26-2013 09:06 AM

I'm not aware of the place in the documentation where it is mentioned, but also traffic entering or leaving a VPN that is terminated on the ASA is statefully inspected the same way it is with "normal" traffic.

I assumed that you mean this by "encrypted traffic". But if you are talking about encrypted traffic that flows through the ASA then the answer is "it depends":

Pure IPSec traffic is not statefully inspected as AH/ESP can not be inspected. IPSec with NAT-Traversal is inspected as it is encapsulated in UDP or TCP. Same for SSL-VPNs which is again UDP and/or TCP traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Michael Couture
Level 1
Level 1
In response to Karsten Iwen

‎09-26-2013 09:52 AM

Thanks for your response.

One example i was thinking of is when customers need to protect

public Internet servers on a DMZ. The firewall first allows encrypted traffic

through to the DMZ based on standard rules. The traffic is then

unencrypted within the DMZ and a second pass through a firewall can

now inspect the contents of the packet(s) to ensure conformance to

policies. Once passed, the traffic can then be re-encrypted and passed on

to its destination.

This is pulled from a Cisco document. I guess I am just not visualizing how this would work. Can you elaborate on this?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Michael Couture

‎09-26-2013 10:37 AM

Now I understand what you are talking about. You want to look into HTTPS-traffic for example. That is possible with the ASA-CX for outbound traffic, but not with the ASA alone.

I once implemented that for inbound traffic with a workaround:

Traffic flows as HTTPS to a reverse-proxy in DMZ1, this proxy decrypts the traffic and sends it unencrypted to the webserver in DMZ2. As that traffic was cleartext it was possible to inspect that with a L7 HTTP-Policy.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Michael Couture
Level 1
Level 1
In response to Karsten Iwen

‎09-26-2013 01:00 PM

Thanks for the imput, that clears it up.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card