Does the AIP module inspect RETURN packets to a request made from an inside host?
(Or does it just inspect packets that originate outside?)
As another scenario, let's say you have a VPN tunnel set up on the firewall. An inside client is talking to a server through the VPN tunnel that goes through the outside interface. If you apply the policy to the inside interface, then packets to the server will be checked against ACLs (NAT'd if necessary), then sent to the SSM for analysis. When a packet comes back from the SSM, it is encrypted and sent through the tunnel.
The encryption happens after analysis.
The packets from the server will be checked against ACLs, AND decrypted, before being sent to the SSM.
So you see that encryption is the only thing happening after SSM analysis.
If you applied the policy to the outside interface, there is NOT any change to the order of the features. Packets to the server (into the VPN tunnel) still get analyzed before encryption, and packets from the server (from the VPN tunnel) still get decrypted before analysis by the SSM.
So applying the policy to a different interface does NOT change the order in which the features get applied to the packet.
A packet goes through the same steps regardless of whether the policy is on the inside or outside interface.
The difference is just in which packets get analyzed.
If you place it on the inside, the packets between inside and outside will be monitored AS WELL AS packets between inside and DMZ, BUT the packets between outside and DMZ will not be monitored.
If you place it on the outside, the packets between the inside and outside will still be monitored. But now packets between outside and DMZ get monitored, and packets between inside and DMZ do NOT get monitored.
Hope it helps!
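To make the "which interface the policy is on" point concrete, here is an added ASA configuration fragment (not part of either answer above, and not taken from the poster's own device) that sends traffic to the AIP-SSM from the inside interface only. The ACL, class-map and policy-map names are assumptions chosen for this example; the `ips inline fail-open` action and the `service-policy ... interface` command are the standard ASA commands for directing traffic to the SSM.

```cisco
! Select the traffic that should be handed to the AIP-SSM.
! "any any" means every flow entering or leaving the interface the
! policy is applied to; narrow it to specific hosts/ports if desired.
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! inline     = the SSM sits in the packet path and can drop traffic
! fail-open  = if the SSM is down, traffic still passes (fail-close drops it)
policy-map IPS_INSIDE_POLICY
 class IPS_CLASS
  ips inline fail-open

! Applying the policy on "inside" means flows inside<->outside and
! inside<->DMZ are analyzed; outside<->DMZ flows are not, because they
! never cross the inside interface. Applying the same policy-map with
! "interface outside" instead would cover inside<->outside and
! outside<->DMZ, but not inside<->DMZ. The feature order (ACL, NAT,
! SSM analysis, then VPN encryption on egress) is the same either way.
service-policy IPS_INSIDE_POLICY interface inside
```

A quick check after applying it is `show service-policy interface inside`, which lists the policy-map, the class, and the packet counters for the IPS action, so you can confirm the intended flows are actually being diverted to the SSM.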
Yes, the return packet also goes through the SSM engine...
To explain in a bit more detail, for example:
Let's say you have a connection from an inside machine to a web server on the internet (no encryption being done).
If you apply the policy to the inside, the SSM analysis will be done as the last thing before the packets are transmitted. The packets to the web server will be checked against ACLs and NAT'd before being sent to the SSM. Similarly, the packets to the inside client will be checked against ACLs and NAT'd back to internal addresses before being sent to the SSM.
So in both directions the SSM analysis is the last feature being done.
NOTE: Because NAT changes are done before SSM analysis, the SSM sees some packets with NAT addresses and other packets with local addresses. To help the SSM properly track the packets, the ASA adds an additional header to the packet that lets the SSM know the local addresses for the packets.
So the SSM always looks in the additional header of the packet to know the local addresses, and uses those local addresses when doing analysis and alarming.
If you were to instead put the policy on the outside interface, there would be no change in the order of the features. The SSM analysis would still be the last thing done on the packets.
Do rate if helpful!