On 7/30/13, William Herrin <bill@herrin.us> wrote:
Hi folks,
I don't know about IPIP tunnel inspection; it seems like an odd requirement to me, unless you mean _preventing_ IPIP tunnels from being established, in that case a non-appliance solution may be necessary. Is the IPIP tunnel supposed to land on the firewall; or to traverse it? I would encourage looking at Checkpoint / Palo Alto / Stonegate / Sonicwall / some others. I think LAN "firewall products" that cannot do SSL decryption and application identification (regardless of TCP port number) have begun to outlive their usefulness; the ASA pretty much falls in that category unless you bought lots of expensive addons, and unless Cisco finally fixed all the nasty bugs that occur if you actually attempted to use the deep protocol inspection features?
I'm trying to identify a firewall appliance for one of my customers. The wrinkle is: it has to be able to inspect packets inside an IPIP tunnel and accept/reject based on IP address, TCP port number and standard things like that. On the packet carried *inside* the IPIP tunnel packet.
From what I can tell, the Cisco ASA can't do this.
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us -- -JH