I agree, Paul. It may be the context that the author is in, or it could be older code prior to the new VPN-passthrough.

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert

On Apr 11, 2010, at 4:32 PM, Paul Stewart <[email protected]> wrote:

> I agree with Brandon that this has to do with NAT. AH will not work
> with NAT, but that doesn't mean that your ASA is always doing NAT.
> The ASA Algorithm (adaptive stateful algorithm) is the crux of the
> inspects. While this can do manipulation for traffic that needs it
> with NAT, inspection will occur without NAT. It appears to me that
> you can use this to assign parameters like timeout and per-client-max
> to AH and/or ESP sessions that are inspected with the ipsec-pass-thru
> inspection. However, without NAT, is this really "ipsec-pass-thru"?
> It seems that the particular terminology was probably okay at one
> point, but possibly the feature was later extended to AH and the
> terminology should just be "inspect ipsec" as opposed to "inspect
> ipsec-pass-thru". Anyway, that's just my guess; I haven't validated
> it.
