How to terminate SSL encryption on ACE following IPS scan

hi,

Query on SSL termination. Following is the logical path,

The encrypted traffic hits the router -> hits the ASA IPS -> and then hits the VIP for load balancing via ACE.

The SSL encrypted traffic should terminate on the ACE load balancer. However, the IPS scan can only be performed on decrypted traffic.

How can we re-encrypt the traffic to terminate on the load balancer? Or is it a bad idea due to performance issues?

Regards.


9 REPLIES
Bronze

Re: How to terminate SSL encryption on ACE following IPS scan

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.
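
The termination path described in this reply, as an added example that is not part of the thread and not Cisco ACE or IPS code: a small Python TLS-terminating proxy that decrypts the client's SSL connection, hands the clear text to an inspection hook (standing in for the IPS/CSC checks discussed later in the thread), and forwards it over a plain TCP connection to an HTTP backend. The `inspect` function, the `DEMO_SIGNATURE` marker and the throwaway self-signed localhost certificate are constructed for the demo; a real IPS runs its own rule set, and the ACE uses the certificate and key configured on it.

```python
import datetime
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed marker for the demo inspector; a real IPS/CSC runs its own rule set.
DEMO_SIGNATURE = b"demo-malicious-pattern"


def make_self_signed_cert(tmpdir):
    """Create a throwaway self-signed cert/key for localhost (demo only).
    Uses the `cryptography` package when installed, else the openssl CLI."""
    cert_path = os.path.join(tmpdir, "cert.pem")
    key_path = os.path.join(tmpdir, "key.pem")
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        from cryptography.x509.oid import NameOID
    except ImportError:  # fall back to the openssl command-line tool
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key_path, "-out", cert_path, "-days", "1",
                        "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
                       check=True, capture_output=True)
        return cert_path, key_path
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]),
                           critical=False)
            .sign(key, hashes.SHA256()))
    with open(key_path, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    with open(cert_path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    return cert_path, key_path


def inspect(plaintext):
    """Stand-in for the IPS/CSC check: only meaningful on decrypted data."""
    return "alert" if DEMO_SIGNATURE in plaintext else "clean"


def serve_backend(listener, seen):
    """Plain HTTP backend (the real server behind the VIP): records the
    clear-text request it receives and returns a minimal response."""
    conn, _ = listener.accept()
    with conn:
        seen.append(conn.recv(65536))
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


def tls_terminate_demo(request):
    """Run client -> terminating proxy -> backend in-process.
    Returns (inspection verdict, bytes the backend saw, bytes the client got)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        backend, proxy = socket.socket(), socket.socket()
        for s in (backend, proxy):
            s.bind(("127.0.0.1", 0))
            s.listen(1)
        seen, response = [], []
        threading.Thread(target=serve_backend, args=(backend, seen), daemon=True).start()

        def client():
            # The client trusts the terminating proxy's certificate, just as it
            # would trust the certificate installed on the ACE.
            ctx = ssl.create_default_context(cafile=cert)
            with socket.create_connection(proxy.getsockname()) as raw, \
                    ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(request)
                response.append(tls.recv(65536))

        t = threading.Thread(target=client, daemon=True)
        t.start()

        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(cert, key)
        conn, _ = proxy.accept()
        with srv_ctx.wrap_socket(conn, server_side=True) as tls_in:
            plaintext = tls_in.recv(65536)      # ciphertext is decrypted here
            verdict = inspect(plaintext)        # inspection is only possible here
            with socket.create_connection(backend.getsockname()) as upstream:
                upstream.sendall(plaintext)     # forwarded to the server as clear text
                tls_in.sendall(upstream.recv(65536))
        t.join()
        backend.close()
        proxy.close()
        return verdict, seen[0], response[0]


if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\nHost: localhost\r\nX-Demo: " + DEMO_SIGNATURE + b"\r\n\r\n"
    print(tls_terminate_demo(req))
```

Everything between `tls_in.recv` and `upstream.sendall` is the only place where the request exists as clear text, which is why the later replies in this thread insist that an IPS or CSC module must sit after the decryption point rather than in front of it. The block needs either the `cryptography` package or the `openssl` binary to mint its throwaway certificate.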

Community Member

Re: How to terminate SSL encryption on ACE following IPS scan

Ok. But if the Cisco ASA IPS module is placed before the ACE, how will the SSL be handled? Will the ciphertext be decrypted for IPS checking and then re-encrypted for termination at the ACE? Is it possible, and is it the right way to go about it?

Re: How to terminate SSL encryption on ACE following IPS scan

No, SSL decryption is not supported on the Cisco IPS. McAfee claim to support such a feature AFAIR (however, you still need to load some keys on the IPS to make this happen, and this is usually not possible for servers out of your control).

Regards

Farrukh

Community Member

Re: How to terminate SSL encryption on ACE following IPS scan

So in other words it means that the traffic should be decrypted before Cisco IPS is hit.

The relevant design is: the incoming traffic hits

1) ASA with CSC-SSM, then it hits

2) ASA with AIP (IPS), then it hits

3) Cisco ACE

So, if the decryption should take place before IPS, then it can only be on Cisco ASA (CSC-SSM). Please confirm.

Regards

Re: How to terminate SSL encryption on ACE following IPS scan

Even if there is no second ASA (with CSC), the first ASA (with IPS) can decrypt the traffic and send it to the IPS module installed on it.

Regards

Farrukh

Community Member

Re: How to terminate SSL encryption on ACE following IPS scan

Farrukh, if I am not mistaken then the CSC module also requires decrypted traffic for virus checking. So in this design, the traffic will have to be decrypted at the internet edge device, i.e. Cisco ASA with CSC module. Right?

Regards.

Re: How to terminate SSL encryption on ACE following IPS scan

Yes your understanding is spot on. Both IPS/CSC need decrypted traffic to do anything meaningful.

Regards

Farrukh

Community Member

Re: How to terminate SSL encryption on ACE following IPS scan

You had mentioned in an earlier post that the Cisco ASA IPS module doesn't have the ability to re-encrypt the traffic. Is the same applicable to the Cisco ASA CSC module as well?

Regards.

Re: How to terminate SSL encryption on ACE following IPS scan

This does not apply to your design. The VPN will be encr/decr on the edge ASA device. For inbound traffic (from the outside) it will be decrypted by the edge ASA, processed by the CSC, then by the second ASA+IPS, and then it will reach the LAN host/server. In the opposite direction, it will be processed by ASA+IPS, then ASA+CSC, then encrypted by the ASA 'outside' interface and finally go out.

Regards

Farrukh
