13-30
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
Monitoring IP Options Inspection
You can use these techniques to monitor the results of IP options inspection:
• Each time a packet is dropped due to inspection, syslog 106012 is issued. The message shows which option caused the drop.
• Use the show service-policy inspect ip-options command to view statistics for each option.
IPsec Pass Through Inspection
The following sections describe the IPsec Pass Through inspection engine.
• IPsec Pass Through Inspection Overview, page 13-30
• Configure IPsec Pass Through Inspection, page 13-30
IPsec Pass Through Inspection Overview
Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating
and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual
authentication between agents at the beginning of the session and negotiation of cryptographic keys to
be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example,
computer users or servers), between a pair of security gateways (such as routers or firewalls), or between
a security gateway and a host.
IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH
(IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL
configuration to permit ESP and AH traffic, and it also provides security by bounding those flows with an
idle timeout and a per-client maximum connection count.
Configure a policy map for IPsec Pass Through to specify the restrictions for ESP or AH traffic. You can
set the per client max connections and the idle timeout.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
Configure IPsec Pass Through Inspection
IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass
Through inspection.
Procedure
Step 1 Configure an IPsec Pass Through Inspection Policy Map, page 13-31
Step 2 Configure the IPsec Pass Through Inspection Service Policy, page 13-32
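A policy map and service policy that put these bounds in place, as an added configuration example that is not taken from the guide: the map name ipsec-pt-map, the per-client limit of 10 and the 11-minute idle timeout are assumed values, while global_policy and inspection_default are the ASA default service-policy objects (inspection_default matches IKE on UDP 500 through match default-inspection-traffic).

```cisco
! Added example, not from the guide. Names and limits below are assumptions.
! Inspection policy map that restricts the ESP/AH flows opened by an IKE (UDP 500) connection.
policy-map type inspect ipsec-pass-thru ipsec-pt-map
 parameters
  ! At most 10 ESP (IP protocol 50) flows per client; an idle ESP flow is torn down after 11 minutes
  esp per-client-max 10 timeout 0:11:00
  ! Same bounds for AH (IP protocol 51)
  ah per-client-max 10 timeout 0:11:00
!
! Attach the map to the default global policy so IKE traffic matched by class
! inspection_default triggers IPsec Pass Through inspection (not enabled by default).
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pt-map
!
! Already present in the default ASA configuration; shown so the example is complete.
service-policy global_policy global
```

After applying the configuration, show service-policy inspect ipsec-pass-thru reports the inspected IKE connections and the ESP/AH flows they opened, which is where you confirm that the per-client limit and timeout are taking effect.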