Cisco ASA 5505 Configuration Manual page 829

Chapter 37 Configuring Inspection of Basic Internet Protocols
be used during the session. IPSec can be used to protect data flows between a pair of hosts (for example,
computer users or servers), between a pair of security gateways (such as routers or firewalls), or between
a security gateway and a host.
IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and
AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access
list configuration to permit ESP and AH traffic and also provides security using timeout and max
connections.
Specify IPSec Pass Through inspection parameters to identify a specific map to use for defining the
parameters for the inspection. Configure a policy map for Specify IPSec Pass Through inspection to
access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You
can set the per client max connections and the idle timeout in parameters configuration.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
Select IPSec-Pass-Thru Map
The Select IPSec-Pass-Thru Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >
Select IPSec-Pass-Thru Map
The Select IPSec-Pass-Thru dialog box lets you select or create a new IPSec map. An IPSec map lets
you change the configuration values used for IPSec application inspection. The Select IPSec Map table
provides a list of previously configured maps that you can select for application inspection.
Fields
•
•
•
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
•
IPSec Pass Through Inspect Map
The IPSec Pass Through Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > IPSec Pass Through
The IPSec Pass Through pane lets you view previously configured IPSec Pass Through application
inspection maps. An IPSec Pass Through map lets you change the default configuration values used for
IPSec Pass Through application inspection. You can use an IPSec Pass Through map to permit certain
flows without using an access list.
OL-20339-01
Use the default IPSec inspection map—Specifies to use the default IPSec map.
Select an IPSec map for fine control over inspection—Lets you select a defined application
inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
Security Context
Transparent Single
• •
Multiple
Context System
—
•
Cisco ASA 5500 Series Configuration Guide using ASDM
IPSec Pass Through Inspection
37-45