13-31
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
IPsec Pass Through Inspection
Configure an IPsec Pass Through Inspection Policy Map
An IPsec Pass Through map lets you change the default configuration values used for IPsec Pass
Through application inspection. You can use an IPsec Pass Through map to permit certain flows without
using an ACL.
The configuration includes a default map, _default_ipsec_passthru_map, that sets no maximum limit on
ESP connections per client, and sets the ESP idle timeout at 10 minutes. You need to configure an
inspection policy map only if you want different values, or if you want to set AH values.
Procedure
Step 1 Create an IPsec Pass Through inspection policy map:
hostname(config)# policy-map type inspect ipsec-pass-thru policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to
disable the option:
• esp per-client-max number timeout time—Allows ESP tunnels and sets the maximum
connections allowed per client and the idle timeout (in hh:mm:ss format). To allow an unlimited
number of connections, specify 0 for the number.
• ah per-client-max number timeout time—Allows AH tunnels. The parameters have the same
meaning as for the esp command.
Example
The following example shows how to use ACLs to identify IKE traffic, define an IPsec Pass Thru
parameter map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 10 timeout 0:11:00
hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
hostname(config)# policy-map inspection_policy
hostname(config-pmap)# class ipsecpassthru-traffic
hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
hostname(config)# service-policy inspection_policy interface outside
To Next Page
Loading...
Need help?
General
