06-08-2010 11:50 AM - edited 03-10-2019 05:01 AM
Hi,
I would like to deploy an ASA as a VPN termination point and utilise the AIP SSM module to inspect and provide protection for traffic arriving inbound on one VPN and exiting on another within the same ASA. I'm assuming this is possible as the traffic is in an unencrypted state within the ASA and should be intercepted by the class map. Has anyone done this or can anyone confirm that it will work?
Many thanks,
Wil Bowes
06-08-2010 04:56 PM
If the ASA terminates the VPN then indeed it can also inspect internally. The decryption happens before the "module checks" for inbound traffic and the "module checks" come before the encryption for outbound traffic. So you can do it.
I hope it helps.
PK
06-08-2010 05:06 PM
Hi Wil,
I have inspected VPN client traffic after decryption and prior to providing them with Internet access (u-turn on the same ASA).
So, it's the same with the only difference that the outbound traffic will be encrypted again and sent through a different tunnel.
As pkampana said, you're good to go.
Federico.
06-08-2010 12:17 PM
Hi Wil,
I've not done it, but I don't see why it would not work since the traffic can be inspected after being decrypted and before being encrypted through the other tunnel.
I'll suggest applying the policy to the interface instead of globally, but I think either way should work.
Federico.
06-09-2010 07:05 AM
Thank you both for your help on this.
Wil
08-17-2010 03:57 PM
This is a great topic, cuz we're doing the same thing. So, my question is: on what interface do you apply the service policy: outside (where the encrypted traffic goes in) or inside (where the decrypted traffic goes out)? Thanks.
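Added example (written for this page, not posted by anyone in the thread) of the ASA configuration the replies describe: a class-map that selects the site-to-site traffic, a policy-map that redirects it to the AIP SSM in inline mode, and a service-policy attached to an interface as Federico suggests rather than globally. The subnets, object names and the choice of interface are assumptions; the example assumes both tunnels terminate on the outside interface, so the cleartext traffic enters and leaves the same interface and the ASA must be told to permit that hairpin.

```cisco
! Added example, not from the thread: ASA configuration for inspecting
! decrypted VPN-to-VPN traffic with the AIP SSM.
! Subnets, names and the "outside" interface are assumptions.

! Both tunnels terminate on "outside", so traffic enters and leaves the
! same interface; the ASA must be configured to allow that hairpin.
same-security-traffic permit intra-interface

! Select only the traffic flowing between the two VPN sites. Inside the ASA
! this traffic is cleartext: already decrypted on ingress, not yet
! re-encrypted on egress, so the module sees the real packets.
access-list VPN_TO_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_TO_VPN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

class-map VPN_TO_VPN_CLASS
 match access-list VPN_TO_VPN

! Send matching flows through the AIP SSM inline. "fail-close" drops the
! traffic if the module is down or not responding, so nothing bypasses
! inspection; "fail-open" would instead let traffic through uninspected.
policy-map VPN_IPS_POLICY
 class VPN_TO_VPN_CLASS
  ips inline fail-close

! Attach to the interface the tunnels terminate on (assumed: outside),
! per Federico's suggestion, rather than "service-policy VPN_IPS_POLICY global".
service-policy VPN_IPS_POLICY interface outside
```

An ASA accepts one policy-map per interface plus one global policy, so on a unit that already has an interface policy the class is added to that existing policy-map instead of creating a second one. After the tunnels are up, `show service-policy interface outside` lists the packet counters for the ips class; counters that increase as traffic crosses the tunnels confirm that the decrypted VPN-to-VPN flows are actually being handed to the module.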