Cisco ASA 5506-X Configuration Manual page 178
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
IPsec Pass Through Inspection
Configure the IPsec Pass Through Inspection Service Policy
IPsec Pass Through inspection is not enabled in the default inspection policy, so you must enable it if
you need this inspection. However, the default inspect class does include the default IPsec ports, so you
can simply edit the default global inspection policy to add IPsec inspection. You can alternatively create
a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map ipsec_class_map
hostname(config-cmap)# match access-list ipsec
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
Example:
hostname(config)# policy-map global_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name.
Identify the L3/L4 class map you are using for IPsec Pass Through inspection.
Step 3
class name
Example:
hostname(config-pmap)# class inspection_default
To edit the default policy, or to use the special inspection_default class map in a new policy, specify
inspection_default for the name. Otherwise, you are specifying the class you created earlier in this
procedure.
Configure IPsec Pass Through inspection.
Step 4
inspect ipsec-pass-thru [ipsec_policy_map]
Where ipsec_policy_map is the optional IPsec Pass Through inspection policy map. You need a map only
if you want non-default inspection processing. For information on creating the inspection policy map,
see
Example:
hostname(config-class)# no inspect ipsec-pass-thru
hostname(config-class)# inspect ipsec-pass-thru ipsec-map
Cisco ASA Series Firewall CLI Configuration Guide
7-32
Configure an IPsec Pass Through Inspection Policy Map, page
Chapter 7
Identify Traffic (Layer 3/4 Class Maps), page
7-31.
Inspection of Basic Internet Protocols
1-13.
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
