Cisco Support Community

Cisco IPS and SSL Inspection


This document describes the problem where the IPS is not able to decrypt and re-encrypt SSL traffic for monitoring purposes.




SSL traffic can instead be inspected the new "native" way, by using the ASA CX:


ASA CX Context- Aware Security:


Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with remarkable visibility and control. The service uses the Cisco SecureX Framework to gain end-to-end network intelligence from the local network, via Cisco AnyConnect Secure Mobility and Cisco TrustSec, and to gain near-real-time global threat information from Cisco Security Intelligence Operations (SIO). As a result, Cisco ASA CX Context-Aware Security goes beyond the capabilities of "next generation" firewalls by delivering phenomenal network intelligence and granular control.




Unprecedented Network Visibility:


Cisco ASA CX Context-Aware Security gives security administrators a unique level of visibility into the traffic flowing through the network. This includes:
      1. The users connecting to the network
      2. The devices used
      3. The applications and websites that are accessed

Cisco AnyConnect provides detailed information on the type and location of a mobile device before it can access the network. ASA CX also uses global threat intelligence from Cisco Security Intelligence Operations (SIO) to provide zero-day malware protection.


User, Device Control & Granular Application Control:


Port- and protocol-hopping applications such as Skype and other peer-to-peer applications can be blocked by Cisco ASA CX. More effective security can be achieved by writing fewer policies. A rich policy language allows policies to be written based on a wide range of contextual elements, including:

  • application
  • user
  • device
  • location


ASA CX offers deeper social networking controls than other next-generation firewalls. It is capable of recognizing more than 1000 applications and 75,000 micro applications, helping organizations provide access to specific components of an application while disabling other, unwanted components. Policies can be written for individual and group-based access control of these application components. ASA CX displays the specific type of device trying to gain access to the network, the operating system it is running, and its location. Administrators can therefore allow a range of devices onto the network with confidence while maintaining high levels of network protection and control.


Identity-based firewalling:


It provides access control based on user identity and user role. It also supports common identity mechanisms such as the Active Directory agent, LDAP, Kerberos, and NT LAN Manager (NTLM).


URL filtering:

An enterprise-class, full-featured URL filtering solution enables effective control of internet-bound traffic.


Global intelligence:

It draws on Cisco security deployments for comprehensive network protection. Cisco SIO delivers regularly updated threat intelligence feeds for near-real-time protection from zero-day malware.


Stateful firewall capabilities:

It provides extensive support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection.


Intuitive management solution:

It comes pre-loaded with Cisco Prime Security Manager, a management solution that simplifies the management of context-aware firewalls.


Platform Support/Compatibility:

The ASA CX SSP-10 and SSP-20 are supported on Cisco ASA 5585-X platforms running Cisco ASA Software Release 8.4.4 and higher. The solution is managed using Cisco Prime Security Manager.


Related Info:

Cisco ASA CX Context-Aware Security

ASA Next-Gen Firewall

ASA CX Data sheet
