Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1501
Views
0
Helpful
3
Replies

sysopt connection permit-vpn vs. default inspection service policies

Marcus Hunold
Level 1
Level 1

‎06-23-2016 03:44 AM

sysopt connection permit-vpn

vs.

default inspection service policies

.
Scenario:

ASA 9.5(2)-10 for AnyConnect SSL-VPN

sysopt connection permit-vpn*

Outside interface - deny ip any any

Inside interface - permit any less secure networks

All VPN users are permitted to access ip any except some users who get a VPN-Filter to their VPN session (controlled via ACS).

default inspection service policies active
.

Question:

Does it makes sense to disable "default inspection service policies"?

I cannot see really benefits for the feature in that scenario but it takes ressources.
.

Please only answers with explanation and don't poste generic links to configuration guides of the ASA - I have them already.
.

*The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-23-2016 05:38 AM

Hi Marcus,

Default inspection has no relation with sysopt connection permit-vpn command.

If you disable the inspection policies it should have no impact on the Anyconnect working but yes it may impact the other services depending on the traffic passing through the ASA.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Marcus Hunold
Level 1
Level 1
In response to Aditya Ganjoo

‎06-23-2016 07:44 AM

Hi Aditya, thank you for your answer.

Maybe my initial text is not detailed enough - the ASA is used for SSL-VPN traffic only.

There is no other traffic than the SSL-VPN sessions.

So does it make sense to disable default inspection service policies, maybe there is an official recommendation from Cisco? I am right with my view that the default inspection service policies have no benefits in my scenario?

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Marcus Hunold

‎06-23-2016 09:11 AM

Hi Marcus,

Yes you are correct.

In your case if only SSL VPN traffic is passing on the ASA you can go ahead and disable the default inspection policies.

But it also depends on what traffic is passing on the SSL VPN tunnel.

So lets say you are using FTP, ICMP or SIP traffic on the Anyconnect tunnel you would need the inspection to make sure the traffic is inspected.

So to makes things clear,ASA can inspect traffic prior encryption or post-decryption but ASA cannot inspect encrypted traffic.

This means that if the VPN tunnel/SSL VPN terminates on the ASA, ASA could inspect the traffic sent through the tunnel prior encryption and could inspect the traffic post-decryption when received.

If the tunnel does not terminate on the ASA but instead passes through the ASA, the ASA cannot inspect the traffic encapsulated inside.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents