13-31
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
IPsec Pass Through Inspection
Configure an IPsec Pass Through Inspection Policy Map
An IPsec Pass Through map lets you change the default configuration values used for IPsec Pass
Through application inspection. You can use an IPsec Pass Through map to permit certain flows without
using an ACL.
The configuration includes a default map, _default_ipsec_passthru_map, that sets no maximum limit on
ESP connections per client, and sets the ESP idle timeout at 10 minutes. You need to configure an
inspection policy map only if you want different values, or if you want to set AH values.
Procedure
Step 1
Create an IPsec Pass Through inspection policy map:
hostname(config)#
policy-map type inspect ipsec-pass-thru
policy_map_name
hostname(config-pmap)#
Where the
policy_map_name
is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)#
description
string
Step 3
To configure parameters that affect the inspection engine, perform the following steps:
a.
To enter parameters configuration mode, enter the following command:
hostname(config-pmap)#
parameters
hostname(config-pmap-p)#
b.
Set one or more parameters. You can set the following options; use the
no
form of the command to
disable the option:
•
esp per-client-max
number
timeout
time
—Allows ESP tunnels and sets the maximum
connections allowed per client and the idle timeout (in hh:mm:ss format). To allow an unlimited
number of connections, specify 0 for the number.
•
ah per-client-max
number
timeout
time
—Allows AH tunnels. The parameters have the same
meaning as for the esp command.
Example
The following example shows how to use ACLs to identify IKE traffic, define an IPsec Pass Thru
parameter map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
hostname(config)# policy-map inspection_policy
hostname(config-pmap)# class ipsecpassthru-traffic
hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
hostname(config)# service-policy inspection_policy interface outside
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......