IPsec Pass Through Inspection – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols


Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.

Step 2

(Optional) To add a description to the policy map, enter the following command:

hostname(config-pmap)# description string

Step 3

To configure parameters that affect the inspection engine, perform the following steps:

a.

To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters

hostname(config-pmap-p)#

b.

To allow or clear packets with the End of Options List (EOOL) option, enter the following
command:

hostname(config-pmap-p)# eool action {allow | clear}

This option consists of a single zero byte and appears after the last option to mark the end of the option list. The end of the list does not necessarily coincide with the end of the header as given by the header length (IHL) field; any remaining bytes up to that boundary are padding.

c.

To allow or clear packets with the No Operation (NOP) option, enter the following command:

hostname(config-pmap-p)# nop action {allow | clear}

The Options field in the IP header can contain zero, one, or more options, which makes the total
length of the field variable. However, the IP header length must be a multiple of 32 bits, because the
IHL field counts 32-bit words. If the combined length of all options is not a multiple of 32 bits, the
NOP option (a single byte, type 1) is used as "internal padding" to align the following option on a 32-bit boundary.

d.

To allow or clear packets with the Router Alert (RTRALT) option, enter the following command:

hostname(config-pmap-p)# router-alert action {allow | clear}

This option tells transit routers to examine the contents of the packet even when the packet is not
addressed to that router. This is needed by RSVP and similar protocols that require relatively complex
processing from the routers along the packet's delivery path.

Note

Enter the clear command to clear the IP option from the packet before allowing the packet
through the ASA.
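As an added illustration, and not code from the configuration guide or the ASA's own inspection engine, the Python below walks the IPv4 Options field, identifies the three option types the parameters above act on (EOOL, NOP, RTRALT), and applies a policy of the same shape as the CLI (`{"eool": ..., "nop": ..., "router-alert": ...}` with values `allow` or `clear`) to a constructed packet. How `clear` rewrites the header is a modeling assumption made here: the option's bytes are overwritten with NOPs so the IHL stays valid and only the header checksum is recomputed. The option type codes come from RFC 791 (EOOL 0, NOP 1) and RFC 2113 (Router Alert 148); the packet, addresses and payload are constructed sample data.

```python
"""IPv4 options walk plus an allow/clear model for eool, nop and router-alert.
Added example; the ASA's real rewrite mechanism is not documented here."""
import struct
from typing import Dict, List, Tuple

# Option type codes: RFC 791 (EOOL, NOP) and RFC 2113 (Router Alert = 0x94).
EOOL = 0
NOP = 1
RTRALT = 148

# Policy-map parameter keyword for each option type (matches the CLI names).
PARAM_NAME = {EOOL: "eool", NOP: "nop", RTRALT: "router-alert"}


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Split the Options field into (type, raw bytes) tuples.

    NOP is a single byte; EOOL terminates the list, and everything after it
    up to the end of the header is padding, returned together with the EOOL.
    Every other option is TLV, with the length byte covering type and length.
    """
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:
            out.append((EOOL, opts[i:]))
            break
        if t == NOP:
            out.append((NOP, opts[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"truncated option at offset {i}")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError(f"bad option length {ln} at offset {i}")
        out.append((t, opts[i:i + ln]))
        i += ln
    return out


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a header (returns 0 for a valid header)."""
    s = 0
    for j in range(0, len(hdr), 2):
        s += hdr[j] << 8 | (hdr[j + 1] if j + 1 < len(hdr) else 0)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def build_packet(options: bytes, payload: bytes = b"") -> bytes:
    """Constructed IPv4/UDP-ish packet (RFC 791 layout) with the given options,
    zero-padded to a 32-bit boundary so the IHL field is valid."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                                ihl * 4 + len(payload), 0x1234, 0x4000, 64, 17,
                                0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    hdr += opts
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def apply_policy(pkt: bytes, policy: Dict[str, str]) -> Tuple[bytes, List[str]]:
    """Apply {param: "allow" | "clear"} to the packet's IP options.

    Modeling assumption: "clear" overwrites the option's bytes with NOPs, so
    header length is unchanged and only the checksum is recomputed. Options
    the policy does not name default to allow; unknown option types are left
    untouched. Returns the rewritten packet and the actions taken, in order.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    hdr = bytearray(pkt[:ihl])
    opts = bytes(hdr[20:])
    new_opts = bytearray(opts)
    actions: List[str] = []
    off = 0
    for t, raw in parse_options(opts):
        name = PARAM_NAME.get(t)
        if name is not None:
            action = policy.get(name, "allow")
            actions.append(f"{name}:{action}")
            if action == "clear":
                new_opts[off:off + len(raw)] = bytes([NOP]) * len(raw)
        off += len(raw)
    hdr[20:] = new_opts
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:], actions


if __name__ == "__main__":
    # Router Alert (4 bytes), one NOP of internal padding, then EOOL.
    sample = build_packet(bytes([RTRALT, 4, 0, 0, NOP, EOOL]), b"payload")
    out, taken = apply_policy(sample, {"router-alert": "clear"})
    print(taken, out[20:28].hex(), checksum_ok(out))
```

The sample packet carries the same three options the three CLI parameters target, so running it with `{"router-alert": "clear"}` shows the RTRALT bytes replaced by NOPs while the NOP padding and EOOL pass through unchanged and the checksum is still valid.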

IPsec Pass Through Inspection

This section describes the IPsec Pass Through inspection engine. This section includes the following
topics:

IPsec Pass Through Inspection Overview, page 43-27

Example for Defining an IPsec Pass Through Parameter Map, page 43-27
