09-26-2013 07:16 AM - edited 03-11-2019 07:44 PM
I have been looking for documentation for the ASA and how it handles stateful inspection of encrypted traffic. I find plenty of documentation for the ASA and stateful inspection of traffic, but none specifically referencing encrypted traffic. Can anyone supply me with documentation referencing this and/or a description of how it handles this type of traffic, and if it does this by default or if any special configuration is needed?
Thanks in advance.
Mike
09-26-2013 09:06 AM
I'm not aware of the place in the documentation where it is mentioned, but also traffic entering or leaving a VPN that is terminated on the ASA is statefully inspected the same way it is with "normal" traffic.
I assumed that you mean this by "encrypted traffic". But if you are talking about encrypted traffic that flows through the ASA then the answer is "it depends":
Pure IPSec traffic is not statefully inspected, as AH/ESP cannot be inspected. IPSec with NAT-Traversal is inspected, as it is encapsulated in UDP or TCP. The same holds for SSL VPNs, which are again UDP and/or TCP traffic.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-26-2013 09:52 AM
Thanks for your response.
One example I was thinking of is when customers need to protect public Internet servers on a DMZ. The firewall first allows encrypted traffic through to the DMZ based on standard rules. The traffic is then unencrypted within the DMZ and a second pass through a firewall can now inspect the contents of the packet(s) to ensure conformance to policies. Once passed, the traffic can then be re-encrypted and passed on to its destination.
This is pulled from a Cisco document. I guess I am just not visualizing how this would work. Can you elaborate on this?
09-26-2013 10:37 AM
Now I understand what you are talking about. You want to look into HTTPS-traffic for example. That is possible with the ASA-CX for outbound traffic, but not with the ASA alone.
I once implemented that for inbound traffic with a workaround:
Traffic flows as HTTPS to a reverse proxy in DMZ1; this proxy decrypts the traffic and sends it unencrypted to the webserver in DMZ2. As that traffic was cleartext, it was possible to inspect it with an L7 HTTP policy.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
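The second, cleartext pass described above, written out as an ASA Modular Policy Framework configuration (an added example, not configuration from the thread or from Cisco; the interface name dmz1, the proxy and web server addresses, the host name and the policy names are assumptions):

```cisco
! Added example: inspect the decrypted HTTP leg between the reverse proxy
! in DMZ1 (10.1.0.10, assumed) and the web server in DMZ2 (10.2.0.10, assumed).
! Only this one flow is matched; other traffic on dmz1 keeps the global policy.
object network DMZ2-WEBSERVER
 host 10.2.0.10
access-list DMZ1-TO-DMZ2-HTTP extended permit tcp host 10.1.0.10 object DMZ2-WEBSERVER eq www
!
! Regexes describing what the web server is expected to receive (assumed values).
regex ALLOWED-HOST "^www\.example\.com$"
regex URI-PATH-OK "^/(index\.html|app/.*)$"
!
! Layer 7 criteria evaluated on the cleartext HTTP request. With match-any,
! each line is an independent violation.
class-map type inspect http match-any HTTP-VIOLATIONS
 match not request uri regex URI-PATH-OK
 match request uri length gt 1024
 match not request header host regex ALLOWED-HOST
!
policy-map type inspect http HTTP-DMZ-POLICY
 parameters
  ! Requests that are not RFC-conformant HTTP are dropped and logged.
  protocol-violation action drop-connection log
  ! Hide the real server banner in responses.
  spoof-server "webserver"
 class HTTP-VIOLATIONS
  drop-connection log
!
! Layer 3/4 class selecting the proxy-to-webserver connection.
class-map DMZ1-TO-DMZ2-HTTP
 match access-list DMZ1-TO-DMZ2-HTTP
!
policy-map DMZ1-POLICY
 class DMZ1-TO-DMZ2-HTTP
  inspect http HTTP-DMZ-POLICY
!
service-policy DMZ1-POLICY interface dmz1
```

The Internet-facing HTTPS leg to the proxy is still seen by the ASA only at layer 3/4, which is exactly the limitation the answer above describes.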
09-26-2013 01:00 PM
Thanks for the input, that clears it up.