2003 Views, 17 Helpful, 18 Replies

ISE IPEP/IPN Question

AJ Cruz
Level 3

Hello, if I have an ASA that does user VPN and is the main internet access firewall, can I still protect VPN (posture assessment) with an ISE IPN? I know the ASA can do posture assessment itself, but let's say I need to use the ISE IPN; does regular internet traffic route through the IPN as well?

Thanks!

18 Replies

If you could send configs, that would be awesome. From your explanation, it sounds kind of like what I had in mind.

My thoughts on traffic flow would go something like this...

- inbound traffic to an internal server would flow through an internal interface, going around the IPEP.

- outbound internet destined traffic would also go around the IPEP to the internal ASA interface.

- outbound VPN traffic (returning to the VPN client) would be routed to the IPEP.

- my confusion is in regard to traffic coming from the VPN client. If traffic to an internal server goes through the internal interface, how do we force the client to redirect to posture? Also, traffic going to the server will then be asymmetrically routed back through the IPEP....

I suppose I just need to see a config to understand. Look forward to your next post and thanks much!!!

Sorry, for some reason I didn't see this reply/question.


We did find a solution, and PBR was not it. That might have worked for other situations, and possibly ours if we had time to really map it out.

But what we ended up doing, was creating sub-interfaces on the ASA, for our INSIDE, ISE, and another internal VLAN.

So now all our normal firewall traffic flows across the INSIDE sub-interface and the VPN/ISE traffic flows across the ISE sub-interface.


Would be happy to share our configs if you wish.
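For readers who want to see what the sub-interface design described in this post could look like on the ASA, here is an added illustration; it is not the poster's actual configuration. The physical interface, VLAN IDs, addresses, the IPEP untrusted-side next hop (10.1.20.2), the internal user network (10.1.0.0/16), the server network behind the IPEP (10.50.0.0/16) and the VPN pool are all assumed values chosen for the example. The idea is that the ASA reaches the posture-protected server networks only via the ISE sub-interface (next hop is the IPEP), while the campus reaches the ASA via the INSIDE sub-interface, so the two traffic classes never share a path.

```cisco
! Added example configuration, not the poster's own config. All names and
! addresses below are assumptions for illustration.
!
! Physical trunk toward the core switch and the IPEP untrusted side.
interface GigabitEthernet0/1
 description Trunk: INSIDE / ISE / second internal VLAN (assumed)
 no nameif
 no security-level
 no ip address
!
! Normal firewall traffic (campus users to the internet) uses this sub-interface.
interface GigabitEthernet0/1.10
 vlan 10
 nameif INSIDE
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
! VPN user traffic to protected servers is sent out here, toward the IPEP
! untrusted interface (assumed to be 10.1.20.2).
interface GigabitEthernet0/1.20
 vlan 20
 nameif ISE
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
! The "another internal VLAN" mentioned in the post (assumed purpose: a second
! internal segment that should not pass through the IPEP).
interface GigabitEthernet0/1.30
 vlan 30
 nameif INTERNAL2
 security-level 100
 ip address 10.1.30.1 255.255.255.0
!
! Remote-access VPN address pool (assumed range).
ip local pool VPN_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! Campus user networks are reached via the core on INSIDE (assumed next hop).
route INSIDE 10.1.0.0 255.255.0.0 10.1.10.2 1
!
! Server networks that VPN users must be postured for are reached ONLY via
! the IPEP, so every VPN-to-server packet and its reply cross the IPEP.
route ISE 10.50.0.0 255.255.0.0 10.1.20.2 1
!
! Default route for internet-bound traffic (assumed upstream gateway).
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Required for VPN users to reach the internet through the same OUTSIDE
! interface they arrive on (hairpin), and for traffic between the
! equal-security internal sub-interfaces.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
```

The point of this layout is that the ASA holds a single routing table, so symmetry has to come from addressing: the core must route the VPN pool back toward the IPEP trusted side (so server replies re-enter the ASA on ISE, the same sub-interface the request left on), and the campus must not advertise the 10.50.0.0/16 server network to the ASA over INSIDE, or the ASA would have two candidate paths and the asymmetric-return problem raised earlier in the thread reappears.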

Dirk,


did you ever get this resolved?

Tarik Admani
VIP Alumni

This solution will not work if you plan on adding internet firewall services for the VPN users. I ran into the same issue and in my lab I run WCCP so the inet traffic is proxied. Basically you run into issues with symmetric routing and the connection table being out of sync if you route all traffic through the IPEP and then inet traffic out the same firewall.
