Inspect IP Sec Traffic

Unanswered Question
Aug 10th, 2009
User Badges:

Hello Everyone,


we have a device sitting behind an ASA 550 that has a public IP address on it and has an IPSec tunnel coming in from the outside. Is there anyway to inspect the IPSec traffic for malicious content, etc even thought the IPSec tunnel is terminating on the device behind the ASA? I am thinking there is not but wanted to double check since the traffic is actually flowing through the ASA.



Thanks in advance! All replies rated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Todd Pula Mon, 08/10/2009 - 07:44
User Badges:
  • Silver, 250 points or more

This isn't possible. In a typical IPSec tunnel setup using ESP, the packets traversing the ASA will be encrypted. Only the tunnel peers will be able to decap the packets.

Istvan_Rabai Wed, 08/12/2009 - 02:54
User Badges:
  • Gold, 750 points or more

Hi Angel Moon,


Firewalls can inspect traffic for TCP UDP, ICMP etc... content, but when the same traffic is encrypted, the firewall of course may not know what type of traffic is inside to be inspected:

in your case it is not the firewall to terminate the IPSec tunnel, so the firewall cannot decrypt the packet.


You should terminate the IPSec Tunnel on or before the firewall so it can inspect the incoming packets for TCP, UDP, ICMP etc.. compliance.


Cheers:

Istvan


Actions

This Discussion