Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
2
Replies

PIX inspection question

cmd1
Level 1
Level 1

‎10-30-2002 05:52 AM - edited ‎02-20-2020 10:20 PM

I have been told the PIX isn’t able to do stateful inspection on packets before passing them to the internal interface when terminating an IPSec VPN. I have also heard the packets are decrypted first then statefully inspected before being handed to the internal interface.

Which is correct?

Thanks,

0 Helpful
2 Replies 2

mohammed.ibrahim
Level 1
Level 1

‎10-30-2002 06:01 AM

Both the statements are true. It depends on where your tunnel is terminating. Normally when the tunnel terminates on the outside interface, packet is decrypted -> stateful inspection is done. If the tunnel is terminated on the internal interface using the sysopt ipsec pl-compatible command then stateful inspection of the decrypted packet is not done. That is why it is suggested to use the nat 0 command instead of the sysopt ipsec pl-compatible. Hope this helps

0 Helpful

cmd1
Level 1
Level 1
In response to mohammed.ibrahim

‎10-30-2002 06:35 AM

Thank you very much for your post.

Do you have access to a sample config that will allow me to terminate the tunnel on the outside interface and statefully inspect all packets?

Thank you again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card