06-23-2016 03:44 AM
sysopt connection permit-vpn vs. default inspection service policies
.
Scenario:
ASA 9.5(2)-10 for AnyConnect SSL-VPN
sysopt connection permit-vpn*
Outside interface - deny ip any any
Inside interface - permit any less secure networks
All VPN users are permitted to access ip any except some users who get a VPN-Filter to their VPN session (controlled via ACS).
default inspection service policies active
.
Question:
Does it make sense to disable "default inspection service policies"?
I cannot really see benefits for the feature in that scenario, but it takes resources.
.
Please only answer with an explanation and don't post generic links to configuration guides of the ASA - I have them already.
.
*The sysopt connection permit-vpn command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.
06-23-2016 05:38 AM
Hi Marcus,
Default inspection has no relation with
If you disable the inspection policies it should have no impact on the Anyconnect working but yes it may impact the other services depending on the traffic passing through the ASA.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-23-2016 07:44 AM
Hi Aditya, thank you for your answer.
Maybe my initial text is not detailed enough - the ASA is used for SSL-VPN traffic only.
There is no other traffic than the SSL-VPN sessions.
So does it make sense to disable default inspection service policies, maybe there is an official recommendation from Cisco? Am I right in my view that the default inspection service policies have no benefits in my scenario?
06-23-2016 09:11 AM
Hi Marcus,
In your case if only SSL VPN traffic is passing on the ASA you can go ahead and disable the default inspection policies.
But it also depends on what traffic is passing on the SSL VPN tunnel.
So to make things clear, ASA can inspect traffic prior to encryption or post-decryption, but ASA cannot inspect encrypted traffic.
This means that if the VPN tunnel/SSL VPN terminates on the ASA, ASA could inspect the traffic sent through the tunnel prior encryption and could inspect the traffic post-decryption when received.
If the tunnel does not terminate on the ASA but instead passes through the ASA, the ASA cannot inspect the traffic encapsulated inside.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
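To show how the three pieces in this thread fit together on the CLI (interface ACL bypass via sysopt, a per-session vpn-filter, and the default global_policy that still sees decrypted AnyConnect traffic), here is a constructed ASA configuration. It is an added example, not taken from the thread or from Cisco; the ACL and group-policy names and the 10.0.0.10 host are assumed, and the list of default inspections is abridged.

```cisco
! Constructed example - not from the original posts. Names SSLVPN-GP-RESTRICTED,
! VPN-FILTER-RESTRICTED, OUTSIDE_IN and host 10.0.0.10 are assumed.
!
! 1. Decrypted VPN traffic bypasses the interface ACL, so the outside
!    "deny ip any any" does not block AnyConnect users. vpn-filter still applies.
sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! 2. Per-session filter for the restricted users (thread: pushed via ACS).
!    vpn-filter ACEs are written with the VPN client as source and the
!    internal resource as destination; the filter is applied in both directions.
access-list VPN-FILTER-RESTRICTED extended permit tcp any host 10.0.0.10 eq 443
access-list VPN-FILTER-RESTRICTED extended deny ip any any
group-policy SSLVPN-GP-RESTRICTED internal
group-policy SSLVPN-GP-RESTRICTED attributes
 vpn-filter value VPN-FILTER-RESTRICTED
!
! 3. Factory default inspection policy (abridged). The encrypted SSL/DTLS
!    session itself is never inspected; the traffic inside the tunnel is
!    matched here after decryption, e.g. the users' DNS and FTP sessions.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect h323 h225
  inspect sip
  inspect skinny
service-policy global_policy global
!
! 4a. What the question proposes: remove default inspection entirely.
!     After this, no application-layer checks are done on tunnelled traffic.
no service-policy global_policy global
!
! 4b. Narrower alternative: keep the policy active but drop only inspections
!     for protocols the VPN users never carry, keeping e.g. dns and ftp.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect sip
  no inspect skinny
```

Before choosing 4a, check with `show service-policy` which inspections are actually counting packets on the box; a counter that stays at zero over a representative period is a safe candidate for removal.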