Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 13 Inspection of Basic Internet Protocols
Monitoring IP Options Inspection
You can use these techniques to monitor the results of IP options inspection:
• Each time a packet is dropped due to inspection, syslog 106012 is issued. The message shows which 
option caused the drop.
• Use the show service-policy inspect ip-options command to view statistics for each option.
IPsec Pass Through Inspection
The following sections describe the IPsec Pass Through inspection engine. 
• IPsec Pass Through Inspection Overview
• Configure IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating 
and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual 
authentication between agents at the beginning of the session and negotiation of cryptographic keys to 
be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example, 
computer users or servers), between a pair of security gateways (such as routers or firewalls), or between 
a security gateway and a host.
IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH 
(IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL 
configuration to permit ESP and AH traffic, and it also provides security through idle timeouts and 
maximum connection limits. 
Configure a policy map for IPsec Pass Through to specify the restrictions for ESP or AH traffic. You can 
set the per-client maximum connections and the idle timeout. 
NAT and non-NAT traffic is permitted. However, PAT is not supported. 
Configure IPsec Pass Through Inspection
IPsec Pass Through inspection is not enabled by default. You must configure it if you want to use it. 
Procedure
Step 1 Configure an IPsec Pass Through Inspection Policy Map.
Step 2 Configure the IPsec Pass Through Inspection Service Policy.
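A minimal configuration covering both steps, given here as an added example and not as text from the Cisco guide. The map, ACL, class and policy names, the interface name outside, and the limit and timeout values are assumptions chosen for illustration.

```cisco
! Step 1: inspection policy map with per-client limits and idle timeouts
! (all names and values in this example are illustrative assumptions)
policy-map type inspect ipsec-pass-thru IPSEC-PT-MAP
 parameters
  ! ESP (IP protocol 50): at most 10 connections per client, 5-minute idle timeout
  esp per-client-max 10 timeout 0:05:00
  ! AH (IP protocol 51): at most 5 connections per client, 5-minute idle timeout
  ah per-client-max 5 timeout 0:05:00
!
! Step 2: match the IKE control connection (UDP port 500) and apply the
! inspection to it through a service policy on one interface
access-list IKE-ACL extended permit udp any any eq 500
class-map IPSEC-PT-CLASS
 match access-list IKE-ACL
policy-map OUTSIDE-POLICY
 class IPSEC-PT-CLASS
  inspect ipsec-pass-thru IPSEC-PT-MAP
service-policy OUTSIDE-POLICY interface outside
```

In a real deployment, replace any any in the ACL with the specific client and gateway addresses that are expected to negotiate IKE, so that ESP and AH traversal is opened only for those peers.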