Home > Cisco > Computer Equipment > Cisco Asdm 7 User Guide

Cisco Asdm 7 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Asdm 7 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729

730

731

732

733

734

735

736

737

738

739

740

741

742

743

744

745

746

747

748

749

750

751

752

753

754

View all the pages

Add page 311 to Favourites

image text

Enable zoom

11-37
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
HTTP Inspection
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind,
bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head,
index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd,
revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit,
unlock, unsubscribe.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure
regular expression class maps.
–Request URI Length—Applies the regular expression match to the URI of the request with
length greater than the bytes specified.
Greater Than Length—Enter a URI length value in bytes.
–Request URI—Applies the regular expression match to the URI of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure
regular expression class maps.
–Response Body—Applies the regex match to the body of the response.
ActiveX—Specifies to match on ActiveX.
Java Applet—Specifies to match on a Java Applet.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure
regular expression class maps.
–Response Body Length—Applies the regular expression match to the body of the response with
field length greater than the bytes specified.
Greater Than Length—Enter a field length value in bytes that response field lengths will be
matched against.
–Response Header Field Count—Applies the regular expression match to the header of the
response with a maximum number of header fields.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control,
connection, content-encoding, content-language, content-length, content-location,
content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma,
proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via,
warning, www-authenticate.

Add page 312 to Favourites

image text

Enable zoom

11-38
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
HTTP Inspection
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Greater Than Count—Enter the maximum number of header fields.
–Response Header Field Length—Applies the regular expression match to the header of the
response with field length greater than the bytes specified.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control,
connection, content-encoding, content-language, content-length, content-location,
content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma,
proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via,
warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Greater Than Length—Enter a field length value in bytes that response field lengths will be
matched against.
–Response Header Field—Applies the regular expression match to the header of the response.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control,
connection, content-encoding, content-language, content-length, content-location,
content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma,
proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via,
warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure
regular expression class maps.
–Response Header Count—Applies the regular expression match to the header of the response
with a maximum number of headers.
Greater Than Count—Enter the maximum number of headers.
–Response Header Length—Applies the regular expression match to the header of the response
with length greater than the bytes specified.
Greater Than Length—Enter a header length value in bytes.
–Response Header non-ASCII—Matches non-ASCII characters in the header of the response.
–Response Status Line—Applies the regular expression match to the status line.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular
expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure
regular expression class maps.
Multiple Matches—Specifies multiple matches for the HTTP inspection.

Add page 313 to Favourites

image text

Enable zoom

11-39
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
ICMP Inspection
–H323 Traffic Class—Specifies the HTTP traffic class match.
–Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class
Maps.
Action—Drop connection, reset, or log.
Log—Enable or disable.
ICMP Inspection
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and
UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through
the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP
inspection engine ensures that there is only one response for each request, and that the sequence number
is correct.
ICMP Error Inspection
When this feature is enabled, the ASA creates translation sessions for intermediate hops that send ICMP
error messages, based on the NAT configuration. The ASA overwrites the packet with the translated IP
addresses.
When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP
error messages. ICMP error messages generated by the intermediate nodes between the inside host and
the ASA reach the outside host without consuming any additional NAT resource. This is undesirable
when an outside host uses the traceroute command to trace the hops to the destination on the inside of
the ASA. When the ASA does not translate the intermediate hops, all the intermediate hops appear with
the mapped destination IP address.
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved
five-tuple, a lookup is performed to determine the original address of the client. The ICMP error
inspection engine makes the following changes to the ICMP packet:
In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum
is modified.
In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
In the Payload, the following changes are made:
–Original packet mapped IP is changed to the real IP
–Original packet mapped port is changed to the real Port
–Original packet IP checksum is recalculated
Instant Messaging Inspection
This section describes the IM inspection engine. This section includes the following topics:
IM Inspection Overview, page 11-40
Select IM Map, page 11-41

Add page 314 to Favourites

image text

Enable zoom

							 
11-40
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  Instant Messaging Inspection
IM Inspection Overview
The IM inspect engine lets you apply fine grained controls on the IM application to control the network 
usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate 
network. 
Adding a Class Map for IM Inspection
Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection. 
This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service 
Policy Rule Wizard - Rule Actions dialog box. 
Step 1Choose Configuration > Firewall > Objects > Class Maps > Instant Messaging (IM). The table 
displaying the configured class maps for Instant Messaging Inspection appears. 
Step 2To add a new class map, click Add. The Add Instant Messaging (IM) Traffic Class Map dialog box 
appears. 
Step 3Enter a name for the class map. 
Step 4(Optional) Enter a description for the class map. The description can contain up to 200 characters. 
Step 5In the Match Option field, click an option for the class map:
Match All—Specifies that traffic must match all criteria to match the class map. By default, the 
Match All option is selected.
Match Any—Specifies that the traffic matches the class map if it matches at least one of the criteria. 
Step 6Click Add to add a match criteria for the class map. The Add Instant Messaging (IM) Match Criterion 
dialog box appears. 
Step 7In the Match Type field, click the Match or No Match radio button. 
Step 8In the Criterion drop-down list, select one of the following options and specify the criteria value. 
Depending on which option you select, the Value fields dynamically refresh to display the appropriate 
values for that criteria.
Protocol—Select to match traffic of a specific IM protocol, such as Yahoo Messenger or MSN 
Messenger.
Service—Select to match a specific IM service, such as chat, file-transfer, webcam, voice-chat, 
conference, or games.
Version—Select to match the version of the IM message. In the Value fields, click the Regular 
Expression or Regular Expression Class option and select an expression from the drop-down list. 
See Configuring Regular Expressions, page 20-20 in the general operations configuration guide. 
Client Login Name—Select to match the source login name of the IM message. In the Value fields, 
click the Regular Expression or Regular Expression Class option and select an expression from 
the drop-down list. 
See Configuring Regular Expressions, page 20-20 in the general operations configuration guide.
Client Peer Login Name—Select to match the destination login name of the IM message. In the 
Value fields, click the Regular Expression or Regular Expression Class option and select an 
expression from the drop-down list. 
See Configuring Regular Expressions, page 20-20 in the general operations configuration guide.

Add page 315 to Favourites

image text

Enable zoom

11-41
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
IP Options Inspection
Source IP Address—Select to match the source IP address of the IM message. In the Value fields,
enter the IP address and netmask of the message source.
Destination IP Address—Select to match the destination IP address of the IM message. In the Value
fields, enter the IP address and netmask of the message destination.
Filename—Select to match the filename of the IM message. In the Value fields, click the Regular
Expression or Regular Expression Class option and select an expression from the drop-down list.
See Configuring Regular Expressions, page 20-20 in the general operations configuration guide.
Step 9Click OK to save the criteria. The Add Instant Messaging (IM) Match Criterion dialog box closes and
the criteria appears in the Match Criterion table.
Step 10Click OK to save the class map.
Select IM Map
The Select IM Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map
The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the
configuration values used for IM application inspection. The Select IM Map table provides a list of
previously configured maps that you can select for application inspection.
Fields
Add—Opens the Add Policy Map dialog box for the inspection.
IP Options Inspection
This section describes the IP Options inspection engine. This section includes the following topics:
IP Options Inspection Overview, page 11-41
Configuring IP Options Inspection, page 11-42
Select IP Options Inspect Map, page 11-43
IP Options Inspect Map, page 11-44
Add/Edit IP Options Inspect Map, page 11-44
IP Options Inspection Overview
Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as
IP Options, provide for control functions that are required in some situations but unnecessary for most
common communications. In particular, IP Options include provisions for time stamps, security, and
special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.
You can configure IP Options inspection to control which IP packets with specific IP options are allowed
through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the
specified IP options and then allow the packet to pass.
IP Options inspection can check for the following three IP options in a packet:

Add page 316 to Favourites

image text

Enable zoom

							 
11-42
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  IP Options Inspection
End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, 
appears at the end of all options to mark the end of a list of options. This might not coincide with 
the end of the header according to the header length. 
No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or 
more options, which makes the total length of the field variable. However, the IP header must be a 
multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option 
is used as “internal padding” to align the options on a 32-bit boundary. 
Router Alert (RTRALT) or IP Option 20—This option notifies transit routers to inspect the contents 
of the packet even when the packet is not destined for that router. This inspection is valuable when 
implementing RSVP and similar protocols require relatively complex processing from the routers 
along the packets delivery path.
NoteIP Options inspection is included by default in the global inspection policy. Therefore, the ASA allows 
RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed 
mode.
Dropping RSVP packets containing the Router Alert option can cause problems in VoIP 
implementations. 
When you configure the ASA to clear the Router Alert option from IP headers, the IP header changes in 
the following ways: 
The Options field is padded so that the field ends on a 32 bit boundary. 
Internet header length (IHL) changes. 
The total length of the packet changes.
The checksum is recomputed. 
If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether 
the ASA is configured to allow these options, the ASA will drop the packet. 
Configuring IP Options Inspection
Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection. 
This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service 
Policy Rule Wizard - Rule Actions dialog box. 
Step 1Open the Add Service Policy Rule Wizard by selecting Configuration > Firewall > Service Policy 
Rules > Add.
Perform the steps to complete the Service Policy, Traffic Classification Criteria, and Traffic Match - 
Destination Port pages of the wizard. See the “Adding a Service Policy Rule for Through Traffic” section 
on page 1-8.
The Add Service Policy Rule Wizard - Rule Actions dialog box opens. 
Step 2Check the IP-Options check box. 
Step 3Click Configure.
The Select IP Options Inspect Map dialog box opens. 
Step 4Perform one of the following:

Add page 317 to Favourites

image text

Enable zoom

							 
11-43
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  IP Options Inspection
Click the Use the default IP-Options inspection map radio button to use the default IP Options 
map. The default map drops packets containing all the inspected IP options, namely End of Options 
List (EOOL), No Operation (NOP), and Router Alert (RTRALT).
Click the Select an IP-Options inspect map for fine control over inspection radio button to select 
a defined application inspection map.
Click Add to open the Add IP-Options Inspect Map dialog box and create a new inspection map. 
Step 5(Optional) If you clicked Add to create a new inspection map, define the following values for IP Options 
Inspection:
a.Enter a name for the inspection map. 
b.Enter a description for the inspection map, up to 200 characters long.
c.From the Parameters area, select which IP options you want to pass through the ASA or clear and 
then pass through the ASA:
–Allow packets with the End of Options List (EOOL) option
This option, which contains just a single zero byte, appears at the end of all options to mark the end 
of a list of options. This might not coincide with the end of the header according to the header length. 
–Allow packets with the No Operation (NOP) option
The Options field in the IP header can contain zero, one, or more options, which makes the total 
length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of 
bits of all options is not a multiple of 32 bits, the NOP option is used as “internal padding” to align 
the options on a 32-bit boundary.
–Allow packets with the Router Alert (RTRALT) option
This option notifies transit routers to inspect the contents of the packet even when the packet is not 
destined for that router. This inspection is valuable when implementing RSVP and similar protocols 
require relatively complex processing from the routers along the packets delivery path.
–Clear the option value from the packets
When an option is checked, the Clear the option value from the packets check box becomes 
available for that option. Select the Clear the option value from the packets check box to clear the 
option from the packet before allowing the packet through the ASA.
d.Click OK.
Step 6Click OK.
Step 7Click Finish.
Select IP Options Inspect Map
The Select IP Options Inspect Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map

Add page 318 to Favourites

image text

Enable zoom

							 
11-44
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  IP Options Inspection
The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map. Use this 
inspection map to control whether the ASA drops, passes, or clears IP packets containing the following IP 
options—End of Options List, No Operations, and Router Alert. 
Fields
Use the default IP-Options inspection map—Specifies to use the default IP Options map. The default 
map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No 
Operation (NOP), and Router Alert (RTRALT).
Select an IP-Options map for fine control over inspection—Lets you select a defined application 
inspection map or add a new one.
Add—Opens the Add IP Options Inspect Map dialog box for the inspection.
IP Options Inspect Map
The IP Options Inspect Maps pane lets you view previously configured IP Options inspection maps. An 
IP Options inspection map lets you change the default configuration values used for IP Option 
inspection. 
You can configure IP Options inspection to control which IP packets with specific IP options are allowed 
through the security appliance. Configuring this inspection instructs the security appliance to allow a 
packet to pass or to clear the specified IP options and then allow the packet to pass. 
In particular, you can control whether the security appliance drops, clears, or passes packets containing 
the Router Alert (RTRALT) option. Dropping RSVP packets containing the Router Alert option can 
cause problems in VoIP implementations. Therefore, you can create IP Options inspection maps to pass 
packets containing the RTRALT option. 
Fields 
IP Options Inspect Maps—Table that lists the defined IP Options inspect maps. 
Add—Configures a new IP Options inspect map. 
Edit—Edits an existing IP Options inspect map. To edit an IP Options inspect map, choose the entry in 
the table and click Edit. 
Delete—Deletes the inspect map selected in the IP Options Inspect Maps table. 
Add/Edit IP Options Inspect Map
The Add/Edit IP Options Inspect Map lets you configure the settings for IP Options inspection maps.
Fields 
Name—When adding an IP Options inspection map, enter the name of the map. When editing a map, 
the name of the previously configured map is shown. 
Description—Enter the description of the IP Options inspection map, up to 200 characters in length. 
Parameters—Select which IP options you want to pass through the ASA or clear and then pass 
through the ASA:
–Allow packets with the End of Options List (EOOL) option
This option, which contains just a single zero byte, appears at the end of all options to mark the end 
of a list of options. This might not coincide with the end of the header according to the header length.

Add page 319 to Favourites

image text

Enable zoom

11-45
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
IPsec Pass Through Inspection
–Allow packets with the No Operation (NOP) option
The Options field in the IP header can contain zero, one, or more options, which makes the total
length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of
bits of all options is not a multiple of 32 bits, the NOP option is used as “internal padding” to align
the options on a 32-bit boundary.
–Allow packets with the Router Alert (RTRALT) option
This option notifies transit routers to inspect the contents of the packet even when the packet is not
destined for that router. This inspection is valuable when implementing RSVP and similar protocols
require relatively complex processing from the routers along the packets delivery path.
–Clear the option value from the packets
When an option is checked, the Clear the option value from the packets check box becomes
available for that option. Select the Clear the option value from the packets check box to clear the
option from the packet before allowing the packet through the ASA.
IPsec Pass Through Inspection
This section describes the IPsec Pass Through inspection engine. This section includes the following
topics:
IPsec Pass Through Inspection Overview, page 11-45
Select IPsec-Pass-Thru Map, page 11-46
IPsec Pass Through Inspect Map, page 11-46
Add/Edit IPsec Pass Thru Policy Map (Security Level), page 11-47
Add/Edit IPsec Pass Thru Policy Map (Details), page 11-47
IPsec Pass Through Inspection Overview
Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating
and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual
authentication between agents at the beginning of the session and negotiation of cryptographic keys to
be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example,
computer users or servers), between a pair of security gateways (such as routers or firewalls), or between
a security gateway and a host.
IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH
(IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL
configuration to permit ESP and AH traffic and also provides security using timeout and max
connections.
Specify IPsec Pass Through inspection parameters to identify a specific map to use for defining the
parameters for the inspection. Configure a policy map for Specify IPsec Pass Through inspection to
access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You
can set the per client max connections and the idle timeout in parameters configuration.
NAT and non-NAT traffic is permitted. However, PAT is not supported.

Add page 320 to Favourites

image text

Enable zoom

11-46
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 11 Configuring Inspection of Basic Internet Protocols
IPsec Pass Through Inspection
Select IPsec-Pass-Thru Map
The Select IPsec-Pass-Thru Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >
Select IPsec-Pass-Thru Map
The Select IPsec-Pass-Thru dialog box lets you select or create a new IPsec map. An IPsec map lets you
change the configuration values used for IPsec application inspection. The Select IPsec Map table
provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default IPsec inspection map—Specifies to use the default IPsec map.
Select an IPsec map for fine control over inspection—Lets you select a defined application
inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
IPsec Pass Through Inspect Map
The IPsec Pass Through Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > IPsec Pass Through
The IPsec Pass Through pane lets you view previously configured IPsec Pass Through application
inspection maps. An IPsec Pass Through map lets you change the default configuration values used for
IPsec Pass Through application inspection. You can use an IPsec Pass Through map to permit certain
flows without using an ACL.
Fields
IPsec Pass Through Inspect Maps—Table that lists the defined IPsec Pass Through inspect maps.
Add—Configures a new IPsec Pass Through inspect map. To edit an IPsec Pass Through inspect
map, select the IPsec Pass Through entry in the IPsec Pass Through Inspect Maps table and click
Customize.
Delete—Deletes the inspect map selected in the IPsec Pass Through Inspect Maps table.
Security Level—Select the security level (high or low).
–Low—Default.
Maximum ESP flows per client: Unlimited.
ESP idle timeout: 00:10:00.
Maximum AH flows per client: Unlimited.
AH idle timeout: 00:10:00.
–High
Maximum ESP flows per client:10.
ESP idle timeout: 00:00:30.
Maximum AH flows per client: 10.
AH idle timeout: 00:00:30.
–Customize—Opens the Add/Edit IPsec Pass Thru Policy Map dialog box for additional settings.

All Cisco manuals Comments (0)