Hi,
If you speak about the ASA-CX module: if, based on policies, the ASA decides to
decrypt the HTTPS session for inspection, what ends up happening is that
there will be two SSL/TLS tunnels: one between the client and the ASA, one
between the ASA and the server. The interesting part is how you fix the
possible certificate issues; the ASA needs a root-type certificate, because
what it does is get the certificate from the server and build/generate a
certificate on the fly to match the server's certificate attributes. So from
the client's perspective, the only difference between the HTTPS session being
decrypted or not is the server's certificate issuer: if the session is
decrypted by the ASA, the server's certificate issuer will be the ASA.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
On 01/05/14 15:31, "R.B. Kumar" <seekumarin_at_gmail.com> wrote:
>Hi Experts - I am curious to understand how SSL/HTTPS inspection is
>designed to be handled in the Cisco ASA firewall.
>
>What I know is that, for SSL inspection, the firewall has to decrypt
>and re-encrypt the traffic passing through the firewall. Does this require
>the server's private key to be imported into the firewall for
>decryption and the public key for encryption?
>
>Thanks in advance
>
>RBK
>
>Blogs and organic groups at http://www.ccie.net
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
Received on Thu May 01 2014 - 15:37:33 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 13:43:09 ART
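The mechanism Cristian describes above (two TLS legs, a certificate generated on the fly that copies the server certificate's attributes and is signed by the inspecting device's own root CA, so the only change visible to the client is the issuer), as an added worked example in Go. This is illustrative code written for this page, not part of the original thread and not Cisco ASA code: the "origin" server certificate is a constructed self-signed stand-in for what the real server would present, and the CA name "ASA Inspection Root" and the hostnames are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey returns a fresh P-256 key. The inspecting device uses its own key
// pair for the mimicked certificate; the origin server's private key is
// never needed, which is why it does not have to be imported.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for public key pub, signed by parent/parentKey.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// MakeCA builds the self-signed root the inspecting device signs with.
// This is the "root type" certificate that clients must trust.
func MakeCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn}, // assumed CA name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// MakeOriginCert is a constructed stand-in for the certificate the real
// server presents on the server-side TLS leg (self-signed for simplicity).
func MakeOriginCert(cn string, sans []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(424242),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// MimicCert copies the attributes a client checks (subject, SANs, validity
// window, EKU) from the origin certificate into a new leaf bound to the
// proxy's own key and signed by the proxy CA. A fresh serial is generated
// because serials must be unique per issuer, not per subject.
func MimicCert(origin, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      origin.Subject,
		RawSubject:   origin.RawSubject, // reuse the exact DER subject
		DNSNames:     origin.DNSNames,
		NotBefore:    origin.NotBefore,
		NotAfter:     origin.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  origin.ExtKeyUsage,
	}
	return sign(tmpl, ca, &key.PublicKey, caKey), key
}

// ClientAccepts performs the check a browser does on the client-side leg:
// chain building for the requested hostname against the client's trust store.
func ClientAccepts(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

func main() {
	ca, caKey := MakeCA("ASA Inspection Root")
	origin, _ := MakeOriginCert("www.example.com", []string{"www.example.com", "example.com"})
	mimic, _ := MimicCert(origin, ca, caKey)

	fmt.Println("origin issuer:", origin.Issuer.CommonName)
	fmt.Println("mimic issuer: ", mimic.Issuer.CommonName)
	fmt.Println("mimic subject/SANs:", mimic.Subject.CommonName, mimic.DNSNames)

	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("client trusting the ASA root:", ClientAccepts(mimic, withCA, "www.example.com"))
	fmt.Println("client without the ASA root: ", ClientAccepts(mimic, x509.NewCertPool(), "www.example.com"))
}
```

The second Verify call is the failure mode to expect in practice: a client that has not installed the inspection root sees a certificate with the right name and dates but an unknown issuer, and refuses the connection. MimicCert also makes the answer to the original question concrete: the origin's private key is never touched, only its public attributes are copied, and the client-side leg is terminated with the proxy's own key.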