Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX 7.1(2) IPSEC pass-thru

I've just recently upgraded my 515E with 7.1(2), when I noticed, in the documentation, a new feature called "inspect ipsec-passthru". I've tried many different ways of enabling this feature with no joy.

Can anyone assist in helping to get this feature enabled.

Thanks Paul

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: PIX 7.1(2) IPSEC pass-thru

After a serious look and check and test

Is is only supported on pix721.bin , so you may need to upgrade to this.

See the below.

ULHAMFC(config)# policy-map type inspect ?

configure mode commands/options:

dcerpc Configure a policy-map of type DCERPC

dns Configure a policy-map of type DNS

esmtp Configure a policy-map of type ESMTP

ftp Configure a policy-map of type FTP

gtp Configure a policy-map of type GTP

h323 Configure a policy-map of type H.323

http Configure a policy-map of type HTTP

im Configure a policy-map of type IM

ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU

mgcp Configure a policy-map of type MGCP

netbios Configure a policy-map of type NETBIOS

radius-accounting Configure a policy-map of type Radius Accounting

sip Configure a policy-map of type SIP

skinny Configure a policy-map of type Skinny

Hope this help .

Regards

4 REPLIES
Silver

Re: PIX 7.1(2) IPSEC pass-thru

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

Try:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080659c8f.html

New Member

Re: PIX 7.1(2) IPSEC pass-thru

Hi,

see what the config will look like .

This will pass tru all ipsec to inside host.

You can limit this to a specific host using the access-list .

hostname(config)# access-list test-udp-acl extended permit udp any any eq 500 (you can limit this to a particular host)

hostname(config)# class-map test-udp-class

hostname(config-cmap)# match access-list test-udp-acl

hostname(config)# policy-map test-udp-policy

hostname(config-pmap)# class test-udp-class

hostname(config-pmap-c)# inspect ipsec-pass-thru

service-policy test-udp-policy global

or

service-policy test-udp-policy interface Outside

New Member

Re: PIX 7.1(2) IPSEC pass-thru

I've tried that already but when I try to add the "inspect ipsec-pass-thru" it errors via the cli and when I use ths ASDM to option doesn't evan appear.

Paul

New Member

Re: PIX 7.1(2) IPSEC pass-thru

After a serious look and check and test

Is is only supported on pix721.bin , so you may need to upgrade to this.

See the below.

ULHAMFC(config)# policy-map type inspect ?

configure mode commands/options:

dcerpc Configure a policy-map of type DCERPC

dns Configure a policy-map of type DNS

esmtp Configure a policy-map of type ESMTP

ftp Configure a policy-map of type FTP

gtp Configure a policy-map of type GTP

h323 Configure a policy-map of type H.323

http Configure a policy-map of type HTTP

im Configure a policy-map of type IM

ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU

mgcp Configure a policy-map of type MGCP

netbios Configure a policy-map of type NETBIOS

radius-accounting Configure a policy-map of type Radius Accounting

sip Configure a policy-map of type SIP

skinny Configure a policy-map of type Skinny

Hope this help .

Regards

199
Views
0
Helpful
4
Replies
CreatePlease to create content