VPN Site to Site, Hub and Spoke, FirePOWER Inspection

Hugo Caye
Level 1

Hi,

We have a scenario with three ASAs: one 5515-X with FirePOWER in the HQ, two 5505s (one in each branch), and IPsec VPN tunnels from both 5505s to the 5515-X.

We are forwarding all the traffic from the branches into the VPN tunnels (the VPN ACL is from the branch local LAN to 0/0, with a dynamic crypto map in the HQ).

Hairpinning is done on the 5515-X OUTSIDE interface with "same-security-traffic permit intra-interface".

From the branch, a ping to any Internet IP address goes through the VPN tunnel, which is what is expected and what we want.

The traffic from the branches to the INSIDE interface is inspected by FirePOWER.

What we need is to inspect the traffic that flows in the VPN tunnels and goes to Internet in the 5515-X.

Remember that we have just one OUTSIDE interface in the 5515-X.

The tunnel traffic lands on the 5515-X OUTSIDE interface, is decrypted, and is then forwarded to the Internet through the same OUTSIDE interface, and that is the traffic that should be inspected by FirePOWER.

Can the FirePOWER module on this 5515-X box inspect this kind of traffic?

Thanks in advance,

Hugo
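For readers following the question, the example below writes out the hub-side pieces the post names (intra-interface hairpinning, a dynamic crypto map accepting the branch tunnels, a branch crypto ACL from the local LAN to any, and a service-policy class that redirects branch-sourced traffic to the sfr module) and ends with the show commands a practitioner would use to check whether the decrypted, hairpinned flows are actually hitting the redirect class. This is an added example, not the poster's configuration; the interface name OUTSIDE, the map, ACL and class names, and the 192.168.10.0/24 and 192.168.20.0/24 branch subnets are assumed for illustration.

```cisco
! --- Hub ASA 5515-X (added example; names and addresses are assumed) ---

! Allow decrypted VPN traffic to leave through the same OUTSIDE interface it arrived on
same-security-traffic permit intra-interface

! Dynamic crypto map: the branches initiate, the hub accepts tunnels from any peer
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface OUTSIDE
crypto ikev1 enable OUTSIDE

! Redirect traffic sourced from the branch LANs (assumed subnets) to the FirePOWER module.
! Matching on the branch subnets rather than on an interface is what makes the class
! independent of whether the flow enters and leaves on the same OUTSIDE interface.
access-list SFR-REDIRECT extended permit ip 192.168.10.0 255.255.255.0 any
access-list SFR-REDIRECT extended permit ip 192.168.20.0 255.255.255.0 any
class-map SFR-CLASS
 match access-list SFR-REDIRECT
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
service-policy global_policy global

! --- Branch ASA 5505 (added example; assumed subnet 192.168.10.0/24) ---
! Crypto ACL from the local LAN to any, so Internet-bound traffic also enters the tunnel
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 any

! --- Verification on the hub ---
! Packet counters on the sfr class show whether branch flows are being redirected
show service-policy sfr
! Look at a branch-sourced connection to confirm it exists after decryption
show conn address 192.168.10.0 netmask 255.255.255.0
```

If the class counters in `show service-policy sfr` do not increase while a branch host browses the Internet through the tunnel, the hairpinned flows are not being handed to the module by this policy and the question in the post is still open; if they do increase, the same output gives the evidence for the module's inspection path.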
