
We have a small office; about 75% of our infrastructure is cloud-based, including a pfSense deployment we use for remote access and site-to-site connections, which is currently public facing. We've decided to deploy a Cisco ASA with Firepower support as our on-premises perimeter firewall.

Does anyone have experience with using IPS features included with Firepower licensing and/or pfSense with the Suricata package installed running in inline mode and how VPN traffic is handled? Since we're connecting to a VPN server managed by pfSense, to meet compliance needs we need to figure out exactly where packet inspection occurs.

With an IPsec VPN client connecting from our on-premises ASA to pfSense, would the ASA decrypt packets and forward them to the Firepower module for inspection before getting routed, or would this be handled on the pfSense/Suricata end before or after packets are sent from the VPN server to the ASA?

dcd018

1 Answer

I'm not 100% clear what your design goals are, but I think I can help you answer your question.

The VPN traffic will be encrypted/decrypted at whatever your peer endpoint is. If you have VPN traffic pass through the ASA to pfSense, Firepower can't inspect any of that traffic.

If you terminate the VPN at the ASA, then I think this link will help you see where the Firepower module is used just before the ASA sends the traffic out the egress interface.

See figure 2-15 http://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7

Aaron D

RTFM! Excellent answer and great find, thank you. If a VPN client is configured to terminate at the ASA, it would have the proper certificates installed to decrypt traffic for inspection. I wonder if the same would be true for VPN traffic passing through the ASA, while probably not best practice, if certificates were installed. I imagine it would be possible for the ASA to decrypt ingress traffic from a VPN connection terminated in front of the ASA if it has knowledge of certificates, encryption method, TLS key used, etc. – dcd018 Sep 01 '17 at 13:36
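To make the answer's point concrete (the ASA only hands traffic to the Firepower module after it has decrypted it, and only traffic matched by the service policy is redirected), here is a constructed ASA Modular Policy Framework configuration. It is an added illustration, not taken from the question, the answer or the linked Cisco Press article; it assumes an ASA 5500-X with the FirePOWER (sfr) module installed and the IPsec tunnel to pfSense terminated on this ASA, and the network 192.0.2.0/24 and the names SFR_REDIRECT/SFR_CLASS are placeholders.

```cisco
! Constructed example: redirect decrypted tunnel traffic to the sfr module.
! Because the tunnel terminates on this ASA, packets have already been
! decrypted by the time the service policy below is evaluated, so the
! module sees cleartext. Traffic merely passing through the ASA inside
! someone else's tunnel would still be ciphertext here and uninspectable.
!
! Placeholder remote network behind pfSense: 192.0.2.0/24
access-list SFR_REDIRECT extended permit ip 192.0.2.0 255.255.255.0 any
access-list SFR_REDIRECT extended permit ip any 192.0.2.0 255.255.255.0
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! global_policy exists by default on the ASA; add a class that sends the
! matched flows to the module. fail-open keeps traffic flowing if the
! module is down; fail-close drops it instead, which is what a control
! requiring "all such traffic is inspected" usually calls for.
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
service-policy global_policy global
!
! Verify that flows are actually being redirected:
! show service-policy sfr
```

Counters from `show service-policy sfr` that stay at zero for tunnel traffic usually mean the tunnel is not terminating on the ASA, which is exactly the pass-through case the answer warns about.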