This document describes how to configure Access Control Policy (ACP) Rules to inspect traffic which comes from Virtual Private Network (VPN) tunnels or Remote Access (RA) users and use a Cisco Adaptive Security Appliance (ASA) with FirePOWER Services as Internet Gateway.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
ASA5506W version 9.6(2.7) for the ASDM example
FirePOWER module version 6.1.0-330 for the ASDM example
ASA5506W version 9.7(1) for the FMC example
FirePOWER version 6.2.0 for the FMC example
Firepower Management Center (FMC) version 6.2.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
An ASA5500-X with FirePOWER Services is unable to filter and/or inspect AnyConnect users' traffic in the same way as traffic sourced from other locations connected over IPsec tunnels that rely on a single point of perimeter content security.
Another symptom this solution addresses is the inability to define specific ACP rules for the mentioned sources without affecting other sources.
This scenario is very common when a TunnelAll design is used for VPN solutions terminated on an ASA.
This can be achieved in multiple ways; however, this scenario covers inspection by zones.
Step 1. Identify the interfaces where AnyConnect users or VPN tunnels connect to the ASA.
Peer to Peer Tunnels
This is an excerpt of the show run crypto map output.
crypto map outside_map interface outside
The command show run webvpn shows where AnyConnect access is enabled.
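As an added illustration of Step 1 (not part of the original document), this Python snippet pulls the VPN ingress interfaces out of saved show run crypto map and show run webvpn output, so the interfaces that need to land in the VPN security zone are listed rather than read by eye. The ASA output it parses is constructed sample text, not output from the lab devices.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "show run crypto map" output (not from the original page).
CRYPTO_MAP_OUTPUT = """\
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map dmz_map interface dmz
"""

# Constructed sample of "show run webvpn" output; the image name is a placeholder.
WEBVPN_OUTPUT = """\
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT-IMAGE-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""


def crypto_map_interfaces(output: str) -> Dict[str, str]:
    """Map each crypto map name to the interface it is bound to.

    Only the 'crypto map <name> interface <ifname>' lines matter here; the
    per-entry match/peer/transform-set lines are ignored.
    """
    pattern = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.MULTILINE)
    return {name: iface for name, iface in pattern.findall(output)}


def webvpn_interfaces(output: str) -> List[str]:
    """Return interfaces where webvpn is enabled (indented 'enable <ifname>').

    'anyconnect enable' and 'tunnel-group-list enable' do not match because
    the word before 'enable' is not whitespace.
    """
    return re.findall(r"^\s+enable (\S+)\s*$", output, re.MULTILINE)


def anyconnect_enabled(output: str) -> bool:
    """True when the webvpn block turns on the AnyConnect client."""
    return re.search(r"^\s+anyconnect enable\s*$", output, re.MULTILINE) is not None


def vpn_ingress_interfaces(crypto_out: str, webvpn_out: str) -> Set[str]:
    """Interfaces terminating either IPsec tunnels or AnyConnect sessions."""
    ifaces = set(crypto_map_interfaces(crypto_out).values())
    if anyconnect_enabled(webvpn_out):
        ifaces.update(webvpn_interfaces(webvpn_out))
    return ifaces
```

Every interface returned by vpn_ingress_interfaces carries encrypted ingress traffic and is a candidate for the VPN zone that the later ACP rules match on.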