05-15-2006 06:48 AM - edited 02-21-2020 02:24 PM
I've just recently upgraded my 515E to 7.1(2), when I noticed, in the documentation, a new feature called "inspect ipsec-passthru". I've tried many different ways of enabling this feature with no joy.
Can anyone assist in helping to get this feature enabled?
Thanks Paul
06-02-2006 04:28 AM
After a serious look, check and test:
It is only supported on pix721.bin, so you may need to upgrade to this.
See below.
ULHAMFC(config)# policy-map type inspect ?
configure mode commands/options:
dcerpc Configure a policy-map of type DCERPC
dns Configure a policy-map of type DNS
esmtp Configure a policy-map of type ESMTP
ftp Configure a policy-map of type FTP
gtp Configure a policy-map of type GTP
h323 Configure a policy-map of type H.323
http Configure a policy-map of type HTTP
im Configure a policy-map of type IM
ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU
mgcp Configure a policy-map of type MGCP
netbios Configure a policy-map of type NETBIOS
radius-accounting Configure a policy-map of type Radius Accounting
sip Configure a policy-map of type SIP
skinny Configure a policy-map of type Skinny
Hope this helps.
Regards
05-19-2006 07:07 AM
The ability to open specific pinholes for ESP flows based on the existence of an IKE flow is provided by the enhanced IPsec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on the number of ESP flows that can be allowed.
A new policy-map command inspect ipsec-pass-thru is added to enable this feature.
Try:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080659c8f.html
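As an added illustration (not code from this thread, from Cisco, or from the PIX itself), here is a small Python model of the stateful rule the reply above describes: an ESP flow between two peers is permitted only once an IKE exchange (UDP/500) between the same peers has been seen, and the resulting ESP pinhole is dropped after 10 minutes of inactivity. The event format, the class and function names and the sample trace are assumptions of this example; only the protocol numbers and the 10-minute timeout come from the thread.

```python
"""Toy model of the stateful rule described for inspect ipsec-pass-thru.

Added illustration, not Cisco code.  An ESP (IP protocol 50) flow between two
peers is permitted only after an IKE exchange (UDP/500) between the same peers
has been seen, and the resulting ESP pinhole expires after 10 minutes of
inactivity.  Event format, class and function names are assumptions.
"""
from dataclasses import dataclass, field

UDP, ESP = 17, 50
IKE_PORT = 500
ESP_IDLE_TIMEOUT = 10 * 60   # seconds; fixed at 10 minutes per the reply


@dataclass
class PassThruInspector:
    # pinhole key (src, dst) -> timestamp of the last packet that used it
    pinholes: dict = field(default_factory=dict)

    def handle(self, ts, src, dst, proto, dport=None):
        """Decide one packet: True = permitted, False = dropped."""
        if proto == UDP and dport == IKE_PORT:
            # IKE matched the access-list: open ESP pinholes in both directions
            self.pinholes[(src, dst)] = ts
            self.pinholes[(dst, src)] = ts
            return True
        if proto == ESP:
            last = self.pinholes.get((src, dst))
            if last is None:
                return False                          # no IKE seen for this pair
            if ts - last > ESP_IDLE_TIMEOUT:
                self.pinholes.pop((src, dst), None)   # idle pinhole expired
                return False
            self.pinholes[(src, dst)] = ts            # activity refreshes the idle timer
            return True
        return False   # this toy model only handles IKE and ESP


def run_trace(events, inspector=None):
    """Apply a list of (ts, src, dst, proto, dport) events; return the verdicts."""
    inspector = inspector or PassThruInspector()
    return [inspector.handle(*ev) for ev in events]


# Constructed trace: outside peer 203.0.113.5, inside host 192.0.2.10
TRACE = [
    (0,   "203.0.113.5", "192.0.2.10", ESP, None),      # ESP with no IKE: dropped
    (1,   "192.0.2.10", "203.0.113.5", UDP, IKE_PORT),  # IKE from inside: opens pinholes
    (2,   "203.0.113.5", "192.0.2.10", ESP, None),      # inbound ESP: permitted
    (3,   "192.0.2.10", "203.0.113.5", ESP, None),      # outbound ESP: permitted
    (700, "203.0.113.5", "192.0.2.10", ESP, None),      # 698 s idle > 600 s: dropped
]

if __name__ == "__main__":
    for ev, verdict in zip(TRACE, run_trace(TRACE)):
        print(ev, "PERMIT" if verdict else "DROP")
```

The point of the model is the ordering: an ESP packet arriving before any IKE exchange, or after the pinhole has idled out, is dropped, so the firewall is not simply passing protocol 50 through statically.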
05-23-2006 02:05 PM
Hi,
See what the config will look like.
This will pass through all IPsec to the inside host.
You can limit this to a specific host using the access-list.
hostname(config)# access-list test-udp-acl extended permit udp any any eq 500
(you can limit this to a particular host)
hostname(config)# class-map test-udp-class
hostname(config-cmap)# match access-list test-udp-acl
hostname(config)# policy-map test-udp-policy
hostname(config-pmap)# class test-udp-class
hostname(config-pmap-c)# inspect ipsec-pass-thru
hostname(config)# service-policy test-udp-policy global
or
hostname(config)# service-policy test-udp-policy interface Outside
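The following Python checker is an added example, not a Cisco tool and not something posted in this thread. It parses a running-config excerpt in the shape of the configuration above (the sample text is constructed from that post), confirms that `inspect ipsec-pass-thru` sits under a class whose class-map matches an access-list permitting UDP/500, confirms the policy-map is actually applied with `service-policy`, and warns when the access-list is `any any`, which is the case the reply says you may want to narrow to a particular host. Function names and the error strings are assumptions of this example.

```python
"""Sanity checker for an ipsec-pass-thru MPF configuration (added example, not Cisco code).

Parses access-list / class-map / policy-map / service-policy lines from a
running-config excerpt and reports what is missing or overly broad.
"""

IKE_PORTS = {"500", "isakmp"}   # show run may render port 500 as its name


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2   # network mask form


def parse_config(text):
    """Return (acls, cmaps, pmaps, applied) extracted from the config text."""
    acls, cmaps, pmaps, applied = {}, {}, {}, []
    section, current_class = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list" and len(tok) > 4 and tok[2] == "extended":
            action, proto = tok[3], tok[4]
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
            acls.setdefault(tok[1], []).append((action, proto, src, dst, port))
        elif tok[0] == "class-map":
            section, current_class = ("class-map", tok[-1]), None
        elif tok[0] == "policy-map":
            section, current_class = ("policy-map", tok[-1]), None
            pmaps.setdefault(tok[-1], {})
        elif tok[0] == "match" and section and section[0] == "class-map" and tok[1] == "access-list":
            cmaps[section[1]] = tok[2]
        elif tok[0] == "class" and section and section[0] == "policy-map":
            current_class = tok[1]
            pmaps[section[1]].setdefault(current_class, [])
        elif tok[0] == "inspect" and section and section[0] == "policy-map" and current_class:
            pmaps[section[1]][current_class].append(tok[1])
        elif tok[0] == "service-policy":
            applied.append((tok[1], " ".join(tok[2:])))
    return acls, cmaps, pmaps, applied


def check_ipsec_passthru(text):
    """Return (errors, warnings) for the ipsec-pass-thru portion of the config."""
    acls, cmaps, pmaps, applied = parse_config(text)
    errors, warnings, found = [], [], False
    for pmap, classes in pmaps.items():
        for cls, inspects in classes.items():
            if "ipsec-pass-thru" not in inspects:
                continue
            found = True
            acl = cmaps.get(cls)
            if acl is None:
                errors.append(f"class-map {cls} has no 'match access-list'")
                continue
            ike = [e for e in acls.get(acl, [])
                   if e[0] == "permit" and e[1] == "udp" and e[4] in IKE_PORTS]
            if not ike:
                errors.append(f"access-list {acl} never permits UDP/500, so no IKE flow matches")
            elif any(e[2] == "any" and e[3] == "any" for e in ike):
                warnings.append(f"access-list {acl} permits IKE from any host to any host; restrict it")
            if not any(name == pmap for name, _ in applied):
                errors.append(f"policy-map {pmap} is not applied with service-policy")
    if not found:
        errors.append("no policy-map class contains 'inspect ipsec-pass-thru'")
    return errors, warnings


# Constructed sample, built from the configuration shown in the thread
SAMPLE_CONFIG = """
access-list test-udp-acl extended permit udp any any eq 500
class-map test-udp-class
 match access-list test-udp-acl
policy-map test-udp-policy
 class test-udp-class
  inspect ipsec-pass-thru
service-policy test-udp-policy interface Outside
"""

# Same policy, but the access-list narrowed to one inside host (constructed)
TIGHT_CONFIG = SAMPLE_CONFIG.replace("permit udp any any eq 500",
                                     "permit udp any host 192.0.2.10 eq 500")

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("tight", TIGHT_CONFIG)):
        print(name, check_ipsec_passthru(cfg))
```

Run it against a `show running-config` capture; an empty error list plus no warnings means the inspect is wired to a class, the class to an IKE-matching access-list, the policy is applied somewhere, and the pinhole path is not open to every host.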
05-23-2006 04:49 PM
I've tried that already, but when I try to add "inspect ipsec-pass-thru" it errors via the CLI, and when I use the ASDM the option doesn't even appear.
Paul