I'm pretty sure you can do this with any modern firewall... An ASA5505 is always a good bet. You'd just have to route the IPIP packets to a hairpin interface on the firewall, then create a policy that handles packets coming inbound from the hairpin. Policies for handling traffic with that as the source interface would be able to filter based on layer-3 info as normal. The trick is, as mentioned, to route the de-encapsulated traffic back into the firewall. A quick googling shows a related example of this for the ASA here: http://nat0.net/cisco-asa-hairpinning/ *Jason Pack* Network Security Engineer - SevOne 4550 New Linden Hill Rd, Wilmington, DE, 19808 | p: 302-319-5400 | m: 302-464-0253 | e: jpack@sevone.com | w: www.SevOne.com On Mon, Aug 5, 2013 at 5:45 AM, Kenny Kant <akennykant@gmail.com> wrote:
If the tunnel is to be terminated on this firewall device I would say look into a Mikrotik box. Alternatively you could make Cisco's IOS firewall / zone based firewall do this. So look into an ISR?
Sent from my iPad
On Jul 30, 2013, at 3:00 PM, William Herrin <bill@herrin.us> wrote:
Hi folks,
I'm trying to identify a firewall appliance for one of my customers. The wrinkle is: it has to be able to inspect packets inside an IPIP tunnel and accept/reject based on IP address, TCP port number and standard things like that. On the packet carried *inside* the IPIP tunnel packet.
From what I can tell, the Cisco ASA can't do this.
Linux iptables can (with the u32 match module) but the customer wants an appliance, not a server.
What appliances do you know of that can do this? Is there a different Cisco box? A Juniper firewall? Anything else?
Thanks in advance, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004