Filter
Top Products
17-74
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Protocols and Maps for Inspection
Configuring IPsec Pass Through Maps
Use the Add and Edit IPsec Pass Through Map dialog boxes to configure settings for the IPsec Pass
Through Map policy object. An IPsec Pass Through policy map lets you change the default configuration
values used for IPsec Pass Through inspection.
The IPSec Pass Through inspection engine lets the security appliance pass ESP (IP protocol 50) and AH
(IP protocol 51) traffic that is formed between two hosts because of successful IKE (UDP port 500)
negotiation without the requirement of specific ESP or AH access lists.
The ESP or AH traffic is permitted by the inspection engine with the configured idle timeout if there is
an existing control flow and it is within the connection limit defined in the MPF framework. A new
control flow is created for IKE UDP port 500 traffic with the configured UDP idle timeout if there is not
one, or it uses the existing flow.
To ensure that the packet arrives into the inspection engine, a hole is punched for all such traffic (ESP
and AH). This inspect is attached to the control flow. The control flow is present as long as there is at
least one data flow (ESP or AH) established, but the traffic always flows on the same connection.
Because this IKE connection is kept open as long as data flows, a rekey would always succeed. The flows
are created irrespective of whether NAT is being used. However, PAT is not supported.
Navigation Path
Select Manage > Policy Objects, then select Maps > Policy Maps > Inspect > IPsec Pass Through
from the Object Type selector. Right-click inside the work area, then select New Object or right-click a
row and select Edit Object.
Related Topics
• Understanding Map Objects, page 6-72
• Configuring Protocols and Maps for Inspection, page 17-21
Field Reference
Action Choose the action you want the device to take for traffic that matches
the defined criteria:
• Drop Packet—Matching packets are dropped without notification.
• Drop Packet and Log—Matching packets are logged and then
dropped.
• Log—Matching packets are logged and processing continues.
Table 17-42 IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes (Continued)
Element Description
Table 17-43 Add and Edit IPsec Pass Through Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is
allowed.