07-23-2024 07:41 AM
Hi Fellas,
I have a question regarding how the ASA with an IPS module, or Firepower with an intrusion policy, is able to check VPN traffic.
The traffic is coming from an L2L tunnel and does a U-turn pointing to a VTI, so the traffic never passes through the device.
So in the config it just hits the NAT and the static route and is never checked by an ACL or policy.
Is there a way for the IPS/Snort to inspect that traffic?
The only thing I have in mind is to disable the sysopt connection permit-vpn and set an outside ACL or ACP pointing to the outside zone, but I am not sure.
I'll be waiting for your guidance.
Thanks in advance.
07-23-2024 07:52 AM - edited 07-23-2024 07:53 AM
Use prefilter fastpath; it is better than using an ACL.
MHM
07-23-2024 09:15 AM
@cmarin the solution you mentioned would work if you wanted to "force" inspection. Normally the traffic would not go through the DAQ and into Snort due to the sysopt parameter you mentioned.
07-23-2024 09:53 AM
So just let me confirm: if I disable the sysopt connection permit-vpn, I will be forced to set ACLs or ACPs to allow the VPN traffic, so in that way I could enable the intrusion policy for those specific lines to be checked.
I will try to test it and let you know.
Thank you.
09-24-2024 04:25 AM
Correct. The sysopt conn permit is going to bypass any zone/interface for the traffic coming in on a tunnel. Now, you could put a vpn-filter on the side of concern to control pre-encrypted/post-decrypted traffic, but in my testing I did not see that run across Snort. If you disable the sysopt command, any traffic coming in, tunnel or not, is going to run across that zone/interface ACL. Then just specify the IPS policy on the ACE for the traffic you are wanting inspected. I would be cautious when disabling that option, as it is global. The FMC/FTDs sure make it seem like it is on a per-tunnel basis, but it is not. If other tunnels are terminating to this firewall and relying on the sysopt command, and no reverse rules to allow traffic in from the other peers are in place, traffic will begin to be dropped.
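The following ASA CLI fragment is an added example of the approach the thread arrives at; it is not from any of the posters. It assumes an ASA with a FirePOWER (SFR) service module, an interface named outside, and constructed ACL names and subnets (10.10.0.0/24 and 10.30.0.0/24 as two remote tunnel networks, 10.20.0.0/24 behind the VTI). On FTD managed by FMC the same outcome is reached with access control rules carrying an intrusion policy instead of the MPF redirect shown here.

```text
! Constructed example (not from the thread). Interface name, ACL names
! and subnets are assumptions.
!
! Default: decrypted tunnel traffic bypasses the interface ACL and so never
! reaches the inspection module.
sysopt connection permit-vpn
!
! Corrected: make decrypted tunnel traffic subject to the outside interface ACL.
no sysopt connection permit-vpn
!
! The setting is global: EVERY tunnel terminating on this box now needs an
! inbound ACE, or its traffic starts dropping. Both remote networks are listed.
access-list OUTSIDE_IN extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
!
! Redirect only the tunnel traffic that should be inspected to the module.
access-list SFR_TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
class-map SFR_CLASS
 match access-list SFR_TRAFFIC
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! Verification: confirm the bypass is off, the ACEs are being hit, and the
! redirect class is counting packets.
show running-config sysopt
show access-list OUTSIDE_IN
show service-policy sfr
```

Before committing the change, enumerate every tunnel-group on the device and make sure each remote network appears in the interface ACL; the ACE hit counters in show access-list are the quickest way to confirm that decrypted traffic is now actually traversing the ACL rather than bypassing it.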