13-32
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
IPsec Pass Through Inspection
Configure the IPsec Pass Through Inspection Service Policy
IPsec Pass Through inspection is not enabled in the default inspection policy, so you must enable it if
you need this inspection. However, the default inspect class does include the default IPsec ports, so you
can simply edit the default global inspection policy to add IPsec inspection. You can alternatively create
a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map
name
match
parameter
Example:
hostname(config)# class-map ipsec_class_map
hostname(config-cmap)# match access-list ipsec
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (
match default-inspection-traffic
). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Identify Traffic (Layer 3/4 Class Maps), page 11-13
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map
name
Example:
hostname(config)# policy-map global_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name.
Step 3
Identify the L3/L4 class map you are using for IPsec Pass Through inspection.
class
name
Example:
hostname(config-pmap)# class inspection_default
To edit the default policy, or to use the special inspection_default class map in a new policy, specify
inspection_default
for the
name
. Otherwise, you are specifying the class you created earlier in this
procedure.
Step 4
Configure IPsec Pass Through inspection.
inspect ipsec-pass-thru
[
ipsec_policy_map
]
Where
ipsec_policy_map
is the optional IPsec Pass Through inspection policy map. You need a map only
if you want non-default inspection processing. For information on creating the inspection policy map,
see
Configure an IPsec Pass Through Inspection Policy Map, page 13-31
Example:
hostname(config-class)# no inspect ipsec-pass-thru
hostname(config-class)# inspect ipsec-pass-thru ipsec-map
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...