Solved: How to configure HTTPS inspection on ASA

AboudMokh · ‎01-14-2015

I need to know how to configure HTTPS inspection on ASA ?

All i can find is http inspection and it seems that I can't add 'inspect https' command ? so what i can do ?

Karsten Iwen · ‎01-14-2015

There is no HTTPS-inspection on the ASA itself. It can be done with the help of the ASA-CX-module or in the future with the FirePOWER module.

Until then, or if you don't want to spend extra money on the module-licenses, you can do the following if you are talking about inbound HTTPS to your own server:

Place a reverse-proxy (like nginx) in a DMZ on your ASA
Terminate the incoming HTTPS-session on the reverse-proxy and forward it as HTTP to a server on a different ASA-interface.
Both on the reverse-proxy and on the ASA you now can use HTTP-inspections.

If you have outbound HTTPS, then you could install a proxy-server that can inspect HTTPS-traffic. A Cisco solution for that would be the Web security Appliance WSA.

View solution in original post

Karsten Iwen · ‎01-14-2015

There is no HTTPS-inspection on the ASA itself. It can be done with the help of the ASA-CX-module or in the future with the FirePOWER module.

Until then, or if you don't want to spend extra money on the module-licenses, you can do the following if you are talking about inbound HTTPS to your own server:

Place a reverse-proxy (like nginx) in a DMZ on your ASA
Terminate the incoming HTTPS-session on the reverse-proxy and forward it as HTTP to a server on a different ASA-interface.
Both on the reverse-proxy and on the ASA you now can use HTTP-inspections.

If you have outbound HTTPS, then you could install a proxy-server that can inspect HTTPS-traffic. A Cisco solution for that would be the Web security Appliance WSA.