
We have a small office; about 75% of our infrastructure is cloud-based, including a pfSense deployment we use for remote access and site-to-site connections, which is currently public-facing. We've decided to deploy a Cisco ASA with Firepower support as our on-premises perimeter firewall.

Does anyone have experience with using the IPS features included with Firepower licensing and/or pfSense with the Suricata package installed running in inline mode, and how VPN traffic is handled? Since we're connecting to a VPN server managed by pfSense, to meet compliance needs we need to figure out exactly where packet inspection occurs.

With an IPsec VPN client connecting from our on-premises ASA to pfSense, would the ASA decrypt packets and forward them to the Firepower module for inspection before they get routed, or would this be handled on the pfSense/Suricata end, before or after packets are sent from the VPN server to the ASA?

dcd018

1 Answer

I'm not 100% clear what your design goals are, but I think I can help you answer your question.

The VPN traffic will be encrypted/decrypted at whatever your peer endpoint is. If you have VPN traffic pass through the ASA to pfSense, Firepower can't inspect any of that traffic.

If you terminate the VPN at the ASA, then I think this link will help you see where the Firepower module is used just before the ASA sends the traffic out the egress interface.

See figure 2-15: http://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7

Aaron D
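To make the placement point concrete, here is an added example (not from the answer or from Cisco/pfSense) that models what an inline inspector sees in the two cases the answer describes: the ASA sitting mid-path while the tunnel terminates on pfSense, versus the ASA being the IPsec peer and decrypting before handing traffic to Firepower. The ESP "encryption" is a constructed hashlib keystream toy, not real IPsec, and the signature list is made up for illustration.

```python
# Added example: where an inline IPS sees cleartext relative to VPN termination.
# The tunnel cipher below is a toy keystream (SHA-256 counter mode, XOR), used
# only to produce opaque bytes; it is NOT real ESP/IPsec.
import hashlib

# Constructed signature list standing in for Firepower/Suricata rules.
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic toy keystream derived from the key and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(plaintext: bytes, key: bytes) -> bytes:
    """Toy stand-in for ESP: XOR the payload with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def esp_decapsulate(ciphertext: bytes, key: bytes) -> bytes:
    """XOR with the same keystream restores the payload."""
    return esp_encapsulate(ciphertext, key)


def ips_inspect(payload: bytes) -> list[str]:
    """Return the names of any signatures found in what the inspector sees."""
    return [s.decode() for s in SIGNATURES if s in payload]


def inspect_pass_through(plaintext: bytes, key: bytes) -> list[str]:
    """Tunnel terminates on pfSense; the ASA/Firepower is a transit hop and
    only sees ESP ciphertext, so nothing matches."""
    on_wire = esp_encapsulate(plaintext, key)
    return ips_inspect(on_wire)


def inspect_terminated_on_asa(plaintext: bytes, key: bytes) -> list[str]:
    """ASA is the IPsec peer: it decrypts first, then the Firepower module
    inspects the cleartext before routing."""
    on_wire = esp_encapsulate(plaintext, key)
    return ips_inspect(esp_decapsulate(on_wire, key))


if __name__ == "__main__":
    sample = b"GET /etc/passwd HTTP/1.1\r\nHost: internal\r\n\r\n"  # constructed
    print("pass-through:", inspect_pass_through(sample, b"constructed-key"))
    print("terminated on ASA:", inspect_terminated_on_asa(sample, b"constructed-key"))
```

The same reasoning applies on the pfSense side: Suricata in inline mode only sees cleartext if it is bound to the decrypted side of the tunnel (the IPsec interface or the LAN), not the WAN carrying ESP.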