995 Views | 4 Helpful | 5 Replies

Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

wilbowes (Level 1)

Hi,

I would like to deploy an ASA as a VPN termination point and utilise the AIP SSM module to inspect and provide protection for traffic arriving inbound on one VPN and exiting on another within the same ASA. I'm assuming this is possible as the traffic is in an unencrypted state within the ASA and should be intercepted by the class map. Has anyone done this or can anyone confirm that it will work?

Many thanks,

Wil Bowes

2 Accepted Solutions

Panos Kampanakis (Cisco Employee)

If the ASA terminates the VPN then indeed it can also inspect internally. The decryption happens before the "module checks" for inbound traffic and the "module checks" come before the encryption for outbound traffic. So you can do it.

I hope it helps.

PK


Hi Wil,

I have done inspection of the VPN client traffic after decryption and prior to providing them with Internet access (u-turn on the same ASA).

So, it's the same, with the only difference that the outbound traffic will be encrypted again and sent through a different tunnel.


As pkampana said, you're good to go.

Federico.


5 Replies

Hi Wil,

I've not done it, but I don't see why it would not work since the traffic can be inspected after being decrypted and before being encrypted through the other tunnel.

I'll suggest applying the policy to the interface instead of globally, but I think either way should work.

Federico.


wilbowes (Level 1)

Thank you both for your help on this.

Wil

simpelo (Level 1)

This is a great topic, cuz we're doing the same thing. So, my question is: on what interface do you apply the service policy: outside (where the encrypted traffic goes in) or inside (where the decrypted traffic goes out)? Thanks.
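The configuration below is an added example of the setup discussed in this thread; it is not from any of the posters and not a Cisco reference configuration. It assumes two site-to-site tunnels already terminate on the `outside` interface, that the remote subnets are 10.1.0.0/16 and 10.2.0.0/16 (constructed values), and it follows Federico's suggestion of applying the service policy to the interface rather than globally. Because both the inbound tunnel and the outbound tunnel sit on the same interface, the hairpin also needs `same-security-traffic permit intra-interface`, and the AIP SSM sees the packets after decryption and before re-encryption, as PK describes.

```cisco
! Allow traffic to enter and leave the ASA on the same interface
! (required for any hairpin / u-turn between two tunnels on "outside").
same-security-traffic permit intra-interface

! Constructed example subnets: site A (10.1.0.0/16) and site B (10.2.0.0/16).
! Match only the hairpinned tunnel-to-tunnel traffic, in both directions.
access-list VPN-HAIRPIN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-HAIRPIN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

class-map VPN-HAIRPIN-CLASS
 match access-list VPN-HAIRPIN

! Send matched (already decrypted) flows through the AIP SSM inline.
! fail-close drops traffic if the module is down; use fail-open only if
! availability matters more than inspection during a module outage.
policy-map OUTSIDE-POLICY
 class VPN-HAIRPIN-CLASS
  ips inline fail-close

! Apply on the interface where both tunnels terminate (assumed: outside),
! rather than with a global service-policy.
service-policy OUTSIDE-POLICY interface outside

! Verification after generating traffic between the two sites:
! "show service-policy interface outside" should show non-zero
! packet counts under the IPS line for VPN-HAIRPIN-CLASS.
```

The fail-close/fail-open choice is the security-relevant decision here: with fail-open, a module failure silently turns the tunnel-to-tunnel path back into an uninspected one, so monitor the module state rather than relying on the policy alone.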
