Cisco Support Community
Community Member

Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

Hi,

I would like to deploy an ASA as a VPN termination point and utilise the AIP SSM module to inspect and provide protection for traffic arriving inbound on one VPN and exiting on another within the same ASA. I'm assuming this is possible as the traffic is in an unencrypted state within the ASA and should be intercepted by the class map. Has anyone done this or can anyone confirm that it will work?

Many thanks,

Wil Bowes


5 REPLIES

Re: Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

Hi Wil,

I've not done it, but I don't see why it would not work since the traffic can be inspected after being decrypted and before being encrypted through the other tunnel.

I'll suggest applying the policy to the interface instead of globally, but I think either way should work.

Federico.

Cisco Employee

Re: Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

If the ASA terminates the VPN then indeed it can also inspect internally. The decryption happens before the "module checks" for inbound traffic and the "module checks" come before the encryption for outbound traffic. So you can do it.

I hope it helps.

PK

Re: Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

Hi Wil,

I have done inspection of the VPN client traffic after decryption and prior to providing them with Internet access (u-turn on the same ASA).

So, it's the same, with the only difference that the outbound traffic will be encrypted again and sent through a different tunnel.

As pkampana said, you're good to go.

Federico.

Community Member

Re: Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

Thank you both for your help on this.

Wil

Community Member

Re: Inspection of traffic between hair-pinning VPNs on an ASA with AIP SSM.

This is a great topic, because we're doing the same thing. So, my question is: on what interface do you apply the service policy: outside (where the encrypted traffic goes in) or inside (where the decrypted traffic goes out)? Thanks.

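As an added example that is not from any post in this thread, this is the shape of ASA configuration the replies describe: the hairpinned VPN-to-VPN traffic is matched by a class map after decryption, handed to the AIP SSM for inline inspection, and then re-encrypted into the second tunnel, with the service policy applied on the interface where both tunnels terminate. It assumes both tunnels land on an interface named outside; the ACL, class-map and policy-map names and the 10.1.0.0/16 and 10.2.0.0/16 subnets are constructed placeholders.

```text
! Hairpinned traffic enters and leaves on the same (outside) interface,
! which the ASA blocks by default; permit it explicitly.
same-security-traffic permit intra-interface

! Match the DECRYPTED traffic between the two VPN-protected subnets
! (constructed example addresses; use the real protected networks).
access-list VPN-HAIRPIN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-HAIRPIN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

class-map VPN-HAIRPIN-CLASS
 match access-list VPN-HAIRPIN

! Send matched flows through the AIP SSM inline. fail-close drops the
! traffic if the module is down, so an outage cannot silently bypass IPS.
policy-map VPN-HAIRPIN-POLICY
 class VPN-HAIRPIN-CLASS
  ips inline fail-close

! Apply on the interface where both tunnels terminate. Only one service
! policy can be bound per interface; an interface policy overrides the
! global policy for the features it configures.
service-policy VPN-HAIRPIN-POLICY interface outside

! Verify that packets are actually being counted against the class:
! show service-policy interface outside
```

If the flow counters under the class stay at zero while the tunnels carry traffic, the ACL is not matching the post-decryption addresses or the policy is bound to the wrong interface.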