Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Inspect IP Sec Traffic

Hello Everyone,

we have a device sitting behind an ASA 550 that has a public IP address on it and has an IPSec tunnel coming in from the outside. Is there anyway to inspect the IPSec traffic for malicious content, etc even thought the IPSec tunnel is terminating on the device behind the ASA? I am thinking there is not but wanted to double check since the traffic is actually flowing through the ASA.

Thanks in advance! All replies rated.


Re: Inspect IP Sec Traffic

This isn't possible. In a typical IPSec tunnel setup using ESP, the packets traversing the ASA will be encrypted. Only the tunnel peers will be able to decap the packets.

Re: Inspect IP Sec Traffic

Hi Angel Moon,

Firewalls can inspect traffic for TCP UDP, ICMP etc... content, but when the same traffic is encrypted, the firewall of course may not know what type of traffic is inside to be inspected:

in your case it is not the firewall to terminate the IPSec tunnel, so the firewall cannot decrypt the packet.

You should terminate the IPSec Tunnel on or before the firewall so it can inspect the incoming packets for TCP, UDP, ICMP etc.. compliance.



CreatePlease to create content