It may be related to issues with AH and NAT, or even the version of code the book was based on; however, the 8.3 Configuration Guide states the following:

IPSec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1553398

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Apr 11, 2010, at 11:07 AM, Anantha Subramanian Natarajan wrote:

> Hi All,
>
> I was going through the IPSec Pass-through section on the "Cisco ASA: All-in-One Firewall, IPS, Anti-X and VPN Adaptive Security Appliance" book. My understanding from that section is, IPSec pass-through supports only the ESP protocol; it does not support the Authentication Header (AH) protocol. On the ipsec pass-through inspect map section, it has 2 different security levels (high and low) to choose from. Under the actions on each security level we choose, it has checks for Maximum AH flows per client and AH idle timeout.
>
> My question is, what it means, when IPSEC pass-through supports only ESP and not AH, even though it has checks for AH.
>
> Kindly help me to clarify the same.
>
> Thanks for the help
>
> Regards
> Anantha Subaramanian Natarajan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
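An ASA 8.3 inspection configuration that exercises both the ESP and the AH per-client limits the guide quoted above refers to, added here as an illustration; it is not taken from the thread or from Cisco's documentation, and the class-map and policy-map names are made up:

```cisco
! Inspection policy-map: both ESP and AH flows are tracked per client,
! each with a cap on concurrent flows and an idle timeout (hh:mm:ss).
! The AH line is what the "Maximum AH flows per client" / "AH idle
! timeout" checks in ASDM correspond to.
policy-map type inspect ipsec-pass-thru IPSEC-PT-MAP
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
! Match the IKE control connection (UDP/500); the inspection engine
! then opens pinholes for the associated ESP (50) and AH (51) traffic,
! so no explicit "permit esp" / "permit ah" ACL entries are needed.
class-map IPSEC-PT-CLASS
 match port udp eq 500
!
policy-map INSPECTION-POLICY
 class IPSEC-PT-CLASS
  inspect ipsec-pass-thru IPSEC-PT-MAP
!
! Apply on the interface facing the VPN clients (name assumed here).
service-policy INSPECTION-POLICY interface outside
```

Verify with `show service-policy inspect ipsec-pass-thru` and `show conn`; once a client's IKE session is up you should see the ESP/AH connections counted against the per-client limits rather than being dropped for lack of an ACL entry.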
