Configure The Ipsec Pass Through Inspection Service Policy - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
IPsec Pass Through Inspection
Configure the IPsec Pass Through Inspection Service Policy
IPsec Pass Through inspection is not enabled in the default inspection policy, so you must enable it if
you need this inspection. However, the default inspect class does include the default IPsec ports, so you
can simply edit the default global inspection policy to add IPsec inspection. You can alternatively create
a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ipsec_class_map
hostname(config-cmap)# match access-list ipsec
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
Example:
hostname(config)# policy-map global_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name.
Identify the L3/L4 class map you are using for IPsec Pass Through inspection.
Step 3
class name
Example:
hostname(config-pmap)# class inspection_default
To edit the default policy, or to use the special inspection_default class map in a new policy, specify
inspection_default for the name. Otherwise, you are specifying the class you created earlier in this
procedure.
Configure IPsec Pass Through inspection.
Step 4
inspect ipsec-pass-thru [ipsec_policy_map]
Where ipsec_policy_map is the optional IPsec Pass Through inspection policy map. You need a map only
if you want non-default inspection processing. For information on creating the inspection policy map,
see
Example:
hostname(config-class)# no inspect ipsec-pass-thru
hostname(config-class)# inspect ipsec-pass-thru ipsec-map
Cisco ASA Series Firewall CLI Configuration Guide
13-32
Configure an IPsec Pass Through Inspection Policy Map, page
Chapter 13
Identify Traffic (Layer 3/4 Class Maps), page
13-31.
Inspection of Basic Internet Protocols
11-13.
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
