I agree with Brandon that this has to do with NAT. AH will not work
with NAT, but that doesn't mean that your ASA is always doing NAT.
The ASA Algorithm (adaptive stateful algorithm) is the crux of the
inspects. While this can do manipulation for traffic that needs it
with NAT, inspection will occur without NAT. It appears to me that
you can use this to assign parameters like timeout and per-client-max
to AH and/or ESP sessions that are inspected with the ipsec-pass-thru
inspection. However, without NAT, is this really "ipsec-pass-thru"?
It seems that the particular terminology was probably okay at one
point, but possibly the feature was later extended to AH and the
terminology should just be "inspect ipsec" as opposed to "inspect
ipsec-pass-thru". Anyway, that's just my guess; I haven't validated
it.