Monitoring IP Options Inspection; IPsec Pass Through Inspection; IPsec Pass Through Inspection Overview; Configure IPsec Pass Through Inspection - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 13: Inspection of Basic Internet Protocols
Cisco ASA Series Firewall CLI Configuration Guide, page 13-30

Monitoring IP Options Inspection

You can use these techniques to monitor the results of IP options inspection:

- Each time a packet is dropped due to inspection, syslog 106012 is issued. The message shows which option caused the drop.
- Use the show service-policy inspect ip-options command to view statistics for each option.

IPsec Pass Through Inspection

The following sections describe the IPsec Pass Through inspection engine.

- IPsec Pass Through Inspection Overview, page 13-30
- Configure IPsec Pass Through Inspection, page 13-30

IPsec Pass Through Inspection Overview

Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example, computer users or servers), between a pair of security gateways (such as routers or firewalls), or between a security gateway and a host.

IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL configuration to permit ESP and AH traffic and also provides security using timeout and max connections.

Configure a policy map for IPsec Pass Through to specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout.

NAT and non-NAT traffic is permitted. However, PAT is not supported.

Configure IPsec Pass Through Inspection

IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass Through inspection.

Procedure

Step 1: Configure an IPsec Pass Through Inspection Policy Map, page 13-31
Step 2: Configure the IPsec Pass Through Inspection Service Policy, page 13-32
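As an added example (not configuration from the guide itself), the two steps of the procedure above written out as ASA CLI commands: an IPsec Pass Through inspection policy map that caps ESP and AH flows per client with idle timeouts, attached through a service policy whose class matches the IKE connection on UDP port 500. The map, class and policy names, the interface name outside, and the numeric limits are assumed values chosen for illustration.

```cisco
! Step 1: inspection policy map that restricts ESP and AH flows per client.
! Names and values below are assumed; adjust them to the deployment.
policy-map type inspect ipsec-pass-thru ipsec-pass-thru-map
 parameters
  ! at most 10 ESP flows per client, each removed after 11 minutes idle
  esp per-client-max 10 timeout 0:11:00
  ! at most 5 AH flows per client, each removed after 4 minutes idle
  ah per-client-max 5 timeout 0:04:00
!
! Step 2: apply the map through a service policy. The class matches the
! IKE control connection (UDP 500); the inspection engine then admits the
! ESP (IP protocol 50) and AH (IP protocol 51) data flows tied to it
! without a separate ACL for protocols 50 and 51.
class-map ipsecpassthru-traffic
 match port udp eq 500
!
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru ipsec-pass-thru-map
!
! Bind the policy to the interface where the IKE peers are reached.
service-policy inspection_policy interface outside
```

After applying it, show service-policy inspect ipsec-pass-thru confirms the engine is attached to the class and reports the ESP and AH flows admitted under the map.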