07-16-2006 03:48 AM - edited 02-21-2020 01:03 AM
Hi all,
I have noticed that there is a large number of questions and troubleshooting issues when it comes to combining several PIX features like address translation, encryption ...
So can someone give us the order of operation in the PIX for inbound and outbound traffic.
I found this information for IOS but not for the PIX.
I'm sure this will help troubleshooting many issues.
Operations are:
- ACL inspection.
- address translation (inside/outside)
- IPSec encryption/decryption.
- Intrusion detection.
- Application inspection.
- ...
Thank you in advance
07-17-2006 02:54 AM
Coming in from the internet, packets are decrypted (if coming over a VPN), then hit the inbound ACL, then are NATed, then routed to outgoing i/f.
Going out to the internet, the packet will be routed to the outgoing i/f, then NATed, then hit the VPN config.
07-20-2006 04:14 AM
Hi,
Thank you for your response.
Concerning inbound traffic, the PIX command (sysopt connection permit-ipsec) allows the PIX to bypass the ACL checking of IPSec traffic; this means that the inbound ACL occurs before decryption, doesn't it?
07-20-2006 04:19 AM
No, traffic is decrypted, then checked against the ACL (if the sysopt command is disabled).
So if you have "no sysopt connection permit-ipsec" then your outside ACL must refer to the unencrypted traffic.
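The following PIX configuration fragment is an added example, not part of any post in this thread, illustrating the point made above: because decryption happens before the inbound ACL check, an outside ACL used together with "no sysopt connection permit-ipsec" must describe the decrypted inner traffic (remote LAN to inside host), not ESP from the peer address. All names and addresses (interface, ACL and crypto map names, the 10.1.0.0/24 inside LAN with web server 10.1.0.10, the 10.2.0.0/24 remote LAN, the peer 203.0.113.2) are assumptions chosen for the example.

```text
! Added example, not from the thread. Assumed topology:
!   inside LAN 10.1.0.0/24, web server 10.1.0.10
!   remote VPN LAN 10.2.0.0/24 behind peer 203.0.113.2
!
! Traffic between the two LANs must be exempt from NAT; otherwise the
! crypto ACL below would never match the translated addresses.
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Crypto ACL and crypto map: what gets encrypted toward the peer.
access-list l2l_vpn permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_vpn
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Variant A (default): decrypted VPN traffic bypasses the outside ACL.
sysopt connection permit-ipsec
!
! Variant B: decrypted VPN traffic IS checked against the outside ACL.
! The entries describe the inner packet after decryption (remote LAN ->
! inside host). No entry is needed for IKE (UDP/500) or ESP from the
! peer: that traffic is addressed to the PIX itself and is handled by
! the crypto engine, not by the interface ACL.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 80
access-list outside_in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo
access-group outside_in in interface outside
```

Only one of the two variants would be present on a real box; they are shown together so the difference is visible. With variant B, a VPN user who can reach the web server on port 80 but not on port 22 confirms the order of operations: the packet was decrypted first and then filtered by outside_in.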