Does the IPS/Snort check the VPN traffic?

cmarin
Level 1

Hi Fellas,

I have a question regarding how the ASA with an IPS module, or Firepower with an intrusion policy, is able to check VPN traffic.

The traffic comes in from an L2L tunnel and does a U-turn to a VTI, so the traffic never passes through the device.
So in the config it just hits the NAT and the static route and is never checked by an ACL or policy.

Is there a way for the IPS/Snort to inspect that traffic?

The only thing I have in mind is to disable sysopt connection permit-vpn and set an outside ACL or ACP pointing to the outside zone, but I am not sure.

I'll be waiting for your guidance.

Thanks in advance.

Use prefilter fastpath; it is better than using an ACL.

MHM

Marvin Rhoads
Hall of Fame

@cmarin the solution you mentioned would work if you wanted to "force" inspection. Normally the traffic would not go through the DAQ and into Snort due to the sysopt parameter you mentioned.

So just let me confirm: if I disable sysopt connection permit-vpn, I will be forced to set ACLs or ACPs to allow the VPN traffic, and in that way I could enable the intrusion policy for those specific lines to be checked.
I will try to test it and let you know.

Thank you.

Correct. The sysopt conn permit is going to bypass any zone/interface ACL for the traffic coming in on a tunnel. Now, you could put a VPN filter on the side of concern to control pre-encrypted/post-decrypted traffic, but in my testing I did not see that run across Snort. If you disable the sysopt command, any traffic coming in, tunnel or not, is going to run across that zone/interface ACL. Then just specify the IPS policy on the ACE for the traffic you want inspected. I would be cautious when disabling that option, as it is global. The FMC/FTDs sure make it seem as if it is on a per-tunnel basis, but it is not. If other tunnels are terminating on this firewall and relying on the sysopt command, and no reverse rules to allow traffic in from the other peers are in place, traffic will begin to be dropped.
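As an added example (not from the thread or from Cisco documentation), here is an ASA-with-IPS-module configuration that follows the approach the replies describe: disable the global bypass, explicitly permit the decrypted tunnel traffic on the outside interface, and hand only the chosen flows to the IPS. All subnets, object-group names and ACL names are constructed placeholders.

```cisco
! Constructed example, not from the thread. Subnets and names are placeholders.
! Default behaviour: "sysopt connection permit-vpn" is enabled, so decrypted VPN
! traffic skips the outside interface ACL and is never redirected to the IPS.

! 1. Disable the bypass. This is global: every tunnel terminating on this box
!    now needs an inbound ACE, not just the one you want inspected.
no sysopt connection permit-vpn

! 2. Hairpin: the L2L traffic enters and leaves on outside (U-turn to the VTI).
same-security-traffic permit intra-interface

! 3. Remote subnets behind each peer. Include the tunnels that previously
!    relied on the bypass, otherwise their traffic starts being dropped.
object-group network VPN_PEER_A_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network VPN_PEER_B_NETS
 network-object 10.20.0.0 255.255.0.0

! 4. Inbound ACL on outside: decrypted tunnel traffic must now match here.
access-list OUTSIDE_IN extended permit ip object-group VPN_PEER_A_NETS any
access-list OUTSIDE_IN extended permit ip object-group VPN_PEER_B_NETS any
access-group OUTSIDE_IN in interface outside

! 5. Select the flows to inspect and send them through the IPS module inline.
!    fail-open keeps traffic flowing if the module fails; use fail-close if a
!    module outage should block rather than bypass inspection.
access-list IPS_TRAFFIC extended permit ip object-group VPN_PEER_A_NETS any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
```

On FTD the equivalent is an access control rule for the remote subnets with an intrusion policy attached, rather than the class-map/policy-map lines above.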
