Promiscuous IDS for VPN traffic with sysopt-connection permit-vpn

sez sharp

On ASA with hardware IDS module installed

VPN tunnel traffic on a box that has default sysopt-connection permit-vpn bypasses ACL checking (on ingress and egress interfaces)

Traffic gets mirrored to a promiscuous IDS as it heads to the egress interface (i.e. post ACL/NAT etc...)

Will VPN tunnel traffic get mirrored to the promiscuous IDS as it heads to the applicable egress interface? Or not, since the policy map defining interesting traffic for IDS inspection is ACL based and sysopt-connection permit-vpn bypasses ACLs?

I can't find any reference giving a clear-cut answer on this order of operations.

thanks,

Sez


Please check this link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1087140

You will get an explanation on what will happen to the VPN traffic.

Thanks, Paul

The diagram implies that VPN traffic will get mirrored to the IDS, but my search for clarity revolves around that bubble in the diagram labelled 'firewall policy'.

If 'firewall policy' includes interface ACLs, and sysopt-connection permit-vpn bypasses that,

and if 'firewall policy' also includes the ACLs which define traffic for the IDS policy map,

is there some conflict there?

or

If 'firewall policy' is downstream from everything sysopt-connection permit-vpn bypasses,

and 'firewall policy' includes the ACLs which define traffic for the IDS policy map,

everything is OK and VPN traffic will definitely hit the IDS.

Sez

As far as I know, sysopt-connection permit-vpn will only bypass the interface ACL, nothing else. The traffic that will be forwarded to the SSM will only be the unencrypted traffic. That is what I understand.
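
For reference, here is an ASA configuration fragment showing the two pieces this thread keeps separate (an added example, not taken from the original posts or from the Cisco document linked above; the ACL, class-map and policy-map names are made up for illustration). The interface ACL bound with access-group is what sysopt connection permit-vpn lets tunnel traffic skip; the match access-list inside the class-map is evaluated by the service policy (Modular Policy Framework) on the decrypted flow, which is a different check. The show service-policy counters at the end are the practical way to confirm on your own box whether decrypted tunnel traffic is reaching the module.

```text
! Interface ACL applied to the outside interface. With the default
! "sysopt connection permit-vpn" in place, traffic arriving through a
! VPN tunnel that terminates on the ASA is NOT checked against this ACL.
! (Addresses are documentation-range placeholders.)
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside

! Default setting, shown explicitly for clarity. If tunnel traffic must
! also pass the interface ACL, disable it with:
!   no sysopt connection permit-vpn
sysopt connection permit-vpn

! Traffic selection for the IPS/IDS module. This ACL is referenced by
! the class-map below rather than applied to an interface, so it belongs
! to the service policy, not to the interface ACL that permit-vpn bypasses.
! (ACL and class/policy names are illustrative.)
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! global_policy already exists on a default ASA; this adds the IPS class
! to it. "promiscuous" copies traffic to the module, "fail-open" keeps
! forwarding if the module is down.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open

service-policy global_policy global

! Verification: send traffic across the tunnel, then read the per-class
! counters. A rising packet count under the IPS class is the evidence
! that decrypted tunnel traffic is being handed to the module.
show service-policy
show service-policy interface outside
```

If you need to prove it rather than trust the diagram, compare the IPS class counters before and after a known amount of traffic through the tunnel, with the interface ACL set to deny that same traffic; if the counters move while permit-vpn is enabled, the ACL bypass and the IPS class selection are independent, as Paul describes.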

Hi Paul,

Yep, that was my understanding too; I'm just looking to see whether it's stated/described in the documentation somewhere.

cheers
