If the tunnel is to be terminated on this firewall device I would say look into a Mikrotik box. Alternatively you could make Cisco's IOS firewall / zone-based firewall do this. So look into an ISR?
Sent from my iPad

On Jul 30, 2013, at 3:00 PM, William Herrin <b...@herrin.us> wrote:

> Hi folks,
>
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
>
> From what I can tell, the Cisco ASA can't do this.
>
> Linux iptables can (with the u32 match module) but the customer wants
> an appliance, not a server.
>
> What appliances do you know of that can do this? Is there a different
> Cisco box? A Juniper firewall? Anything else?
>
> Thanks in advance,
> Bill Herrin
>
> --
> William D. Herrin ................ her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
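The quoted question mentions that iptables can do inner-IPIP matching with the u32 module. As an added illustration (not part of the thread, and not code from either poster), the following Python implements the u32 expression semantics described in iptables-extensions(8) (left-to-right evaluation, 4-byte big-endian reads relative to the IP header, `@` rebasing to the next header, `=` as set membership with ranges) and evaluates a rule that looks through the outer IPIP header and matches on the inner destination address and TCP port. The addresses, ports and packets are constructed here; the interpreter is my own reading of the man page, not the kernel's xt_u32, and exists to make the offset arithmetic legible. The rule string itself is what you would hand to `iptables -m u32 --u32 "..."` on a Linux box.

```python
"""Evaluate iptables u32 match expressions over constructed IPv4/IPIP packets.

Added example; the u32 evaluator is a reimplementation for illustration,
not the kernel module. Offsets are relative to the start of the IPv4 header,
as in xt_u32.
"""
import re
import socket
import struct

# Tokens of the u32 mini-language: hex or decimal numbers, shifts, and the
# single-character operators & @ = : ,   (tests are split on && beforehand).
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|[&@=:,]")


def _num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def _read32(pkt, off):
    """Read 4 bytes big-endian at `off`; a read past the end fails the match."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("read beyond packet")
    return struct.unpack_from("!I", pkt, off)[0]


def _test(test, pkt):
    toks = _TOKEN.findall(test)
    base = 0
    val = _read32(pkt, _num(toks[0]))
    i = 1
    while toks[i] != "=":
        op, num = toks[i], _num(toks[i + 1])
        if op == "&":
            val &= num
        elif op == "<<":
            val = (val << num) & 0xFFFFFFFF
        elif op == ">>":
            val >>= num
        elif op == "@":            # value so far becomes the new header base
            base += val
            val = _read32(pkt, base + num)
        i += 2
    # right-hand side: comma-separated numbers or lo:hi ranges (set membership)
    for item in "".join(toks[i + 1:]).split(","):
        lo, _, hi = item.partition(":")
        lo, hi = _num(lo), (_num(hi) if hi else _num(lo))
        if lo <= val <= hi:
            return True
    return False


def u32_match(expr, pkt):
    """True if `pkt` (bytes starting at the IPv4 header) satisfies `expr`."""
    try:
        return all(_test(t, pkt) for t in expr.split("&&"))
    except IndexError:
        return False


# --- constructed packets (addresses and ports are made up) -----------------
def ipv4_packet(src, dst, proto, payload):
    # Minimal 20-byte header, no options; checksum left 0 (u32 does not check it).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ipip_packet(outer_src, outer_dst, inner_src, inner_dst, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_packet(inner_src, inner_dst, 6, tcp)   # protocol 6 = TCP
    return ipv4_packet(outer_src, outer_dst, 4, inner)  # protocol 4 = IPIP


# Rule: outer protocol IPIP and not a fragment; skip the outer header (IHL*4)
# and require inner protocol TCP and inner destination 10.0.0.5; skip both
# headers and require inner TCP destination port 22.
INNER_SSH_RULE = (
    "6&0xFF=4 && 4&0x3FFF=0"
    " && 0>>22&0x3C@ 6&0xFF=6"
    " && 0>>22&0x3C@ 16&0xFFFFFFFF=0x0A000005"
    " && 0>>22&0x3C@ 0>>22&0x3C@ 0&0xFFFF=22"
)

# The classic ICMP echo-request example from the u32 man page, as a sanity check.
ICMP_ECHO_RULE = "6&0xFF=1 && 4&0x3FFF=0 && 0>>22&0x3C@0>>24=8"


if __name__ == "__main__":
    ssh = ipip_packet("192.0.2.1", "192.0.2.2", "10.0.0.9", "10.0.0.5", 40000, 22)
    http = ipip_packet("192.0.2.1", "192.0.2.2", "10.0.0.9", "10.0.0.5", 40000, 80)
    for name, pkt in (("inner ssh", ssh), ("inner http", http)):
        print(name, "matches" if u32_match(INNER_SSH_RULE, pkt) else "no match")
```

Two things the evaluator makes visible that bite in practice: every `&&`-separated test starts again at offset 0 of the outer header, so the `0>>22&0x3C@` hop has to be repeated per test, and a read that runs off the end of the packet fails the whole match, so a truncated or fragmented outer packet simply does not match rather than matching on garbage.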