Filter
Top Products
10-26
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Configuring Inspection of Basic Internet Protocols
IPv6 Inspection
• IPsec Pass Through Inspection Overview, page 10-26
• “Example for Defining an IPsec Pass Through Parameter Map” section on page 10-26
IPsec Pass Through Inspection Overview
Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating
and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual
authentication between agents at the beginning of the session and negotiation of cryptographic keys to
be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example,
computer users or servers), between a pair of security gateways (such as routers or firewalls), or between
a security gateway and a host.
IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH
(IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL
configuration to permit ESP and AH traffic and also provides security using timeout and max
connections.
Specify IPsec Pass Through inspection parameters to identify a specific map to use for defining the
parameters for the inspection. Configure a policy map for Specify IPsec Pass Through inspection to
access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You
can set the per client max connections and the idle timeout in parameters configuration.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
Example for Defining an IPsec Pass Through Parameter Map
The following example shows how to use ACLs to identify IKE traffic, define an IPsec Pass Thru
parameter map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
hostname(config)# policy-map inspection_policy
hostname(config-pmap)# class ipsecpassthru-traffic
hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
hostname(config)# service-policy inspection_policy interface outside
IPv6 Inspection
• Information about IPv6 Inspection, page 10-27
• Default Settings for IPv6 Inspection, page 10-27
• (Optional) Configuring an IPv6 Inspection Policy Map, page 10-27
• Configuring IPv6 Inspection, page 10-29