I configured a transparent firewall and ran into problems with not being able to ping devices reachable via the tunnel when forming a VPN connection from my laptop out to another firewall. While looking at the log view on the transparent firewall, I noticed that it said it was denying ESP packets inbound on the outside interface. I wound up enabling ESP inbound on the outside to fix this, but would like to know if that is the nature of the transparent firewall. I thought that it should know how to handle the ESP packets, but it didn't.
Mike, thanks, that is exactly what I did to get this working. My question is, is this best practice? I can't seem to find any documentation regarding this. I thought the ASA would inspect the traffic coming from inside->outside (stateful) and I shouldn't need to allow ESP in from the outside. I have always worked with routed mode on the ASAs, so I just want to make sure I am configuring this correctly.
Mike, one other note: I enabled IPSec pass-thru inspection and it still didn't work.
To enable IPSec Pass Thru inspection, use the inspect ipsec-pass-thru command in class map configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ipsec-pass-thru [map_name]
no inspect ipsec-pass-thru [map_name]
map_name (Optional) The name of the IPSec Pass Thru map.
This command is disabled by default.
The following table shows the modes in which you can enter the command:
This command was introduced.
The inspect ipsec-pass-thru command enables or disables application inspection. IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and/or AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.
Use the IPSec Pass Through parameter map to identify a specific map to use for defining the parameters for the inspection. Use the policy-map type inspect command to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout in parameters configuration.
Use class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces. The parameter map defined is enabled when used with the inspect IPSec-pass-thru command.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
Note In ASA 7.0, the inspect ipsec-pass-thru command allowed only ESP traffic to pass through. To retain the same behavior in later versions, a default map that permits ESP is created and attached if the inspect ipsec-pass-thru command is specified without any arguments. This map can be seen in the output of the show running-config all command.
The following example shows how to use access lists to identify IKE traffic, define an IPSec Pass Thru parameter map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list ipsecpassthruacl permit udp any any eq 500
hostname(config)# class-map ipsecpassthru-traffic
hostname(config-cmap)# match access-list ipsecpassthruacl
hostname(config)# policy-map type inspect ipsec-pass-thru iptmap
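As an added example, not part of the original thread or of the Cisco documentation quoted above, here is the complete configuration that the excerpt describes, written for the scenario in the question: a transparent-mode ASA whose inside host initiates IKE (UDP 500) to a remote peer, with raw ESP (IP protocol 50) coming back in on the outside interface. It shows the access-list approach the original poster used next to the inspection approach, followed by the commands used to verify that the inspection is attached and that ESP connections are being built. The interface names (inside, outside), the ACL, class and policy names, and the per-client limits and timeouts are assumptions, not taken from the thread.

```text
! --- Approach 1 (what the original poster did): statically permit ESP inbound on outside.
! Works, but admits ESP from any host to any host, with no per-client limit or idle timeout.
access-list outside_in extended permit esp any any
access-group outside_in in interface outside

! --- Approach 2 (what the documentation above describes): IPSec Pass Thru inspection.
! The class matches only the IKE control channel (UDP 500); the inspection then
! dynamically permits the ESP/AH data traffic associated with that IKE connection,
! so no "permit esp" entry is needed in the outside access list.
access-list ipsecpassthruacl extended permit udp any any eq 500
class-map ipsecpassthru-traffic
 match access-list ipsecpassthruacl

! Parameter map: bound the dynamically opened ESP/AH flows per client
! (values here are assumed; tune per-client-max and timeout to your environment).
policy-map type inspect ipsec-pass-thru iptmap
 parameters
  esp per-client-max 10 timeout 0:11:00
  ah per-client-max 5 timeout 0:06:00

! Attach the inspection to the class and apply the policy to the outside interface.
! An interface service policy is applied to traffic in both directions on that
! interface, so it sees the IKE packets leaving inside->outside as well as the
! ESP packets arriving outside->inside.
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
service-policy inspection_policy interface outside

! --- Verification
! Confirm the parameter map (including the default map created when no map_name is given).
show running-config all policy-map
! Confirm the inspection is active on the interface and counting packets.
show service-policy inspect ipsec-pass-thru
! After bringing the tunnel up from the inside host, ESP connections should appear here.
show conn | include ESP
```

Two caveats when checking this against the symptom in the question. First, the inspection keys on an IKE connection on UDP 500, so the class must match that IKE traffic on an interface that actually carries it; if the policy is applied elsewhere, or the class matches only one direction, no ESP flow is opened and the outside access list still denies protocol 50. Second, as the documentation notes, PAT is not supported for this inspection; and if the VPN client negotiates NAT-T, the data channel is ESP encapsulated in UDP 4500, which the ASA tracks as an ordinary stateful UDP connection without any ESP inspection at all. A quick look at the denied packet in the log (raw ESP versus UDP 4500) tells you which case you are in.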