topic Re: PIX inspection question in Network Security

PIX inspection question

cmd1 — Fri, 21 Feb 2020 06:20:47 GMT

I have been told the PIX isn’t able to do stateful inspection on packets before passing them to the internal interface when terminating an IPSec VPN. I have also heard the packets are decrypted first then statefully inspected before being handed to the internal interface.

Which is correct?

Thanks,

Re: PIX inspection question

mohammed.ibrahim — Wed, 30 Oct 2002 14:01:14 GMT

Both the statements are true. It depends on where your tunnel is terminating. Normally when the tunnel terminates on the outside interface, packet is decrypted -> stateful inspection is done. If the tunnel is terminated on the internal interface using the sysopt ipsec pl-compatible command then stateful inspection of the decrypted packet is not done. That is why it is suggested to use the nat 0 command instead of the sysopt ipsec pl-compatible. Hope this helps

Re: PIX inspection question

cmd1 — Wed, 30 Oct 2002 14:35:07 GMT

Thank you very much for your post.

Do you have access to a sample config that will allow me to terminate the tunnel on the outside interface and statefully inspect all packets?

Thank you again.