820 Views | 0 Helpful | 4 Replies
Michael Couture
Beginner

Cisco ASA Stateful inspection of encrypted traffic.

I have been looking for documentation for the ASA and how it handles stateful inspection of encrypted traffic. I find plenty of documentation for the ASA and stateful inspection of traffic, but none specifically referencing encrypted traffic. Can anyone supply me with documentation referencing this and/or a description of how it handles this type of traffic, and if it does this by default or if any special configuration is needed?

Thanks in advance.

Mike

4 Replies
Karsten Iwen
VIP Mentor

I'm not aware of the place in the documentation where it is mentioned, but traffic entering or leaving a VPN that is terminated on the ASA is also statefully inspected the same way it is with "normal" traffic.

I assumed that you mean this by "encrypted traffic". But if you are talking about encrypted traffic that flows through the ASA, then the answer is "it depends":

Pure IPsec traffic is not statefully inspected, as AH/ESP cannot be inspected. IPsec with NAT-Traversal is inspected, as it is encapsulated in UDP or TCP. The same goes for SSL VPNs, which are again UDP and/or TCP traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for your response.

One example I was thinking of is when customers need to protect public Internet servers on a DMZ. The firewall first allows encrypted traffic through to the DMZ based on standard rules. The traffic is then unencrypted within the DMZ and a second pass through a firewall can now inspect the contents of the packet(s) to ensure conformance to policies. Once passed, the traffic can then be re-encrypted and passed on to its destination.

This is pulled from a Cisco document. I guess I am just not visualizing how this would work. Can you elaborate on this?

Now I understand what you are talking about. You want to look into HTTPS traffic, for example. That is possible with the ASA-CX for outbound traffic, but not with the ASA alone.

I once implemented that for inbound traffic with a workaround:

Traffic flows as HTTPS to a reverse proxy in DMZ1; this proxy decrypts the traffic and sends it unencrypted to the webserver in DMZ2. As that traffic was cleartext, it was possible to inspect it with an L7 HTTP policy.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
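To make the reverse-proxy workaround described above concrete, here is an added ASA configuration sketch; it is not from the thread or from Cisco documentation, and the interface names, security levels and addresses (`dmz1`, `dmz2`, `192.0.2.10`, `192.0.2.20`) are assumed placeholders. HTTPS is permitted from the outside only to the proxy in DMZ1; the proxy-to-webserver leg in DMZ2 is plain HTTP, so an `inspect http` service policy on `dmz1` can enforce an L7 HTTP policy on it.

```cisco
! Assumed interface layout (example only, not from the original post)
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
interface GigabitEthernet0/2
 nameif dmz2
 security-level 40

! Assumed hosts: TLS-terminating reverse proxy in DMZ1, webserver in DMZ2
object network rproxy
 host 192.0.2.10
object network webserver
 host 192.0.2.20

! Outside may reach the proxy on HTTPS only; the ASA cannot look inside this leg
access-list outside_in extended permit tcp any object rproxy eq https
access-group outside_in in interface outside

! Only the proxy may reach the webserver, and only on plain HTTP
access-list dmz1_in extended permit tcp object rproxy object webserver eq www
access-group dmz1_in in interface dmz1

! L7 HTTP policy applied to the cleartext leg: drop protocol violations
! and methods the application never needs
policy-map type inspect http http_policy
 parameters
  protocol-violation action drop-connection log
 match request method connect
  drop-connection log
 match request method trace
  drop-connection log

! Bind the HTTP inspection to cleartext web traffic entering from dmz1
class-map http_to_web
 match port tcp eq www
policy-map dmz1_policy
 class http_to_web
  inspect http http_policy
service-policy dmz1_policy interface dmz1
```

The design point to keep in mind is that the decrypted HTTP between the proxy and the webserver is the only place the ASA can apply application-layer inspection, so that segment should be its own interface or VLAN with an ACL limited to the proxy as the source, as above, and the private key for the public hostname lives on the proxy rather than on the firewall.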

Thanks for the input, that clears it up.
