Does an ASA inspect traffic traversing a VPN?

justinmitchell
Level 4

Does an ASA inspect traffic traversing a VPN using the default inspect rules?

Accepted Solutions

Hi Justin,

The ASA can inspect traffic prior to encryption or post decryption. The ASA cannot inspect encrypted traffic.

This means that if the VPN tunnel terminates on the ASA, the ASA could inspect the traffic sent through the tunnel prior to encryption and could inspect the traffic post decryption when received.

If the tunnel does not terminate on the ASA but instead passes through the ASA, the ASA cannot inspect the traffic encapsulated inside.


Hope it helps.

Federico.

2 Replies

Thank you for the reply. I knew it couldn't inspect the encrypted traffic, just wasn't sure if it only inspected traffic truly passing through it from a private host to a public, or all traffic entering the interface even if it is going to be encrypted and sent to another private host.