Hello all, I have a question. I work at a hospital with about 500 PCs. A much larger hospital (40,000 PCs) wants me to set up a site-to-site VPN. My concern is that this hospital got hit hard with the Conficker virus earlier in the year, and it took them a couple of weeks to get rid of it. What is the chance that a virus will propagate over the site-to-site VPN and infect my PCs? I'm sure they would want to do subnets instead of host ACLs. I have an ASA with the SSM module installed; will this inspect encrypted VPN traffic?
To start with your original question: will a virus propagate over an L2L?
Yes it will (as a general rule).
What are the chances of this happening?
Basically it is a question that is impossible to answer without more information, but I would state that if that is the virus's method of spreading (networks), then I would say there is a very high probability that it would spread to your network too.
No, the SSM will not inspect encrypted VPN traffic. (It is encrypted!)
However, if the VPN is terminated on the same device the SSM is installed in, I am sure that it is possible to use the SSM to check the traffic that is coming from the other side of the VPN and also the traffic leaving for the other side.
There is nothing stating that you cannot do ACLs based on subnet; however, only open the things that really need to be open, and only between the hosts that need it.
If you follow that rule (anything else is just stupid) you will end up with a combination of both subnets and hosts in the access-lists.
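As an added configuration example (written for this page, not posted by either participant), the ASA fragment below puts the answer into practice: the L2L tunnel is defined on the whole subnet pair, but a vpn-filter pins the permitted traffic down to specific hosts and ports, everything else is dropped and logged, and the decrypted tunnel traffic is handed to the IPS module inline. All addresses, object and ACL names, ports and the peer IP 203.0.113.10 are placeholders; the syntax assumes an ASA 8.x with an AIP-SSM (a CSC-SSM is attached with the `csc` action instead of `ips`).

```cisco
! Added example, not from the original thread. Addresses, names, ports and the
! peer IP are placeholders; replace them with your own.

! Phase 1 / Phase 2 crypto parameters (ASA 8.x syntax).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic for the tunnel: the whole local and remote ranges, so the
! SAs stay stable while the per-host rules below change over time.
access-list L2L_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0

! vpn-filter: written from the REMOTE side's point of view (source = remote,
! destination = local) and evaluated for connections in both directions.
! 1. Their HL7 interface engine may reach our interface server on TCP 5000.
access-list L2L_FILTER extended permit tcp host 10.200.5.50 host 10.1.10.20 eq 5000
! 2. Our PACS subnet may initiate HTTPS to their web portal. Because of the
!    reversed view, the port belongs to the remote (source) side of the rule.
access-list L2L_FILTER extended permit tcp host 10.200.20.8 eq 443 10.1.30.0 255.255.255.0
! 3. Everything else, SMB/RPC (TCP 445/139/135, the ports Conficker spread on)
!    included, is denied and logged.
access-list L2L_FILTER extended deny ip any any log

group-policy BIGHOSP_GP internal
group-policy BIGHOSP_GP attributes
 vpn-filter value L2L_FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy BIGHOSP_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <long-random-psk>

crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Send the decrypted tunnel traffic, both directions, through the AIP-SSM inline.
! fail-close drops the traffic if the module goes down rather than bypassing it.
access-list VPN_IPS extended permit ip 10.200.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN_IPS extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
class-map VPN_IPS_CLASS
 match access-list VPN_IPS
policy-map global_policy
 class VPN_IPS_CLASS
  ips inline fail-close
service-policy global_policy global
```

Two points worth checking on your own box: the ASA enables `sysopt connection permit-vpn` by default, which lets decrypted VPN traffic bypass the outside interface ACL, so without the vpn-filter (or `no sysopt connection permit-vpn` plus rules in the interface ACL) the whole 10.200.0.0/16 would reach anything in 10.1.0.0/16 that the crypto ACL covers. And the `log` keyword on the final deny is what tells you, in syslog, when a remote host starts probing ports it has no business on, which is the earliest sign of a worm on the far side.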