Filtering de-crypted VPN traffic terminating on the PIX

davelockerby
Level 1

After searching Cisco's website, reading posts on this board and other boards, and reading a limited number of good books on the Cisco PIX firewall, I still have a question that I cannot definitively answer for myself.

Scenario: PIX 525 site-to-site VPN with Checkpoint NG 650 firewall as the remote VPN peer.

Goal: Limit inbound, de-crypted traffic from the network behind the remote VPN peer to access only specific hosts and ports on the network behind the PIX 525 firewall.

Question: What is the best way (or options) to accomplish the above goal?

1. Is it better to use the "sysopt connection permit-ipsec" command to allow IPSec VPN traffic to "by-pass" inbound ACLs on the outside interface as well as the ACLs that "define" which traffic is to be tunneled between the PIX firewall and Checkpoint NG 650 firewall?

OR

2. Is it better to configure the PIX without the sysopt connection permit-ipsec command and instead utilize an inbound ACL to filter both IPSec VPN traffic (based on source, destination and ports) and the decrypted traffic (based on source, destination and ports)? Is my understanding correct, with this option, that once VPN traffic is processed and authenticated, the decrypted traffic must meet the filter conditions defined in the inbound access-list applied to the outside interface on the PIX firewall?

I'm aware that Cisco recommends using the "sysopt connection permit-ipsec" command because not doing so can lead to high processor utilization.

For the project at hand, the importance of limiting the decrypted traffic to only certain hosts and ports outweighs processor utilization.

Thanks in advance for any and all posts regarding this matter!

2 Replies

afakhan
Level 4

Hi,

Ans 1: Your understanding is right.

Ans 2: Your understanding about the ACL processing seems right.

I'd like to add some more to it:

1 - Configure port-based IPsec crypto ACLs between the two devices, to make sure that you encrypt/decrypt only what you want, but in case of CheckPoint, it may have some problems.

2 - You can filter traffic inbound/outbound on the inside PIX interface as well to limit it to certain ports/IPs.

my 2 cents.

Thanks - Afaq
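The following PIX 6.x configuration fragment is an added example, not something posted in this thread. It puts the question's Option 2 (no sysopt bypass, one inbound ACL on the outside interface filtering both the tunnel and the decrypted traffic) next to Option 1 and afakhan's two suggestions (a port-based crypto ACL and an ACL on the inside interface). All addresses, ACL and crypto-map names, hosts and ports are assumptions chosen for illustration: the PIX outside address 198.51.100.2, the Checkpoint peer 203.0.113.10, 10.1.1.0/24 behind the PIX and 192.168.10.0/24 behind the peer. Lines starting with "!" are annotations, not PIX commands.

```cisco
! --- Crypto ACL: defines what gets encrypted (local -> remote); inbound
! packets are matched against the mirror image. Kept address-based here,
! because the Checkpoint side's encryption domain is address-based. A
! port-based entry such as
!   access-list VPN_TRAFFIC permit tcp host 10.1.1.20 eq 1433 192.168.10.0 255.255.255.0
! narrows what is encrypted at all, but the peer must propose matching
! selectors in Quick Mode, which is where the Checkpoint problem afakhan
! mentions shows up.
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! --- NAT exemption so tunnelled traffic keeps real addresses (and the
! outside ACL below can match the inside hosts' real addresses).
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Option 2 from the question: do NOT bypass the outside ACL.
no sysopt connection permit-ipsec

! With the bypass off, the outside ACL must first permit the tunnel itself
! (IKE on UDP 500 and ESP, IP protocol 50) between the two peers ...
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
access-list OUTSIDE_IN permit esp host 203.0.113.10 host 198.51.100.2
! ... and the decrypted packets are then checked against the same ACL,
! so only the hosts and ports listed here are reachable from the remote site.
access-list OUTSIDE_IN permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list OUTSIDE_IN permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.30 eq www
access-list OUTSIDE_IN permit icmp 192.168.10.0 255.255.255.0 host 10.1.1.30 echo
! The implicit deny at the end drops everything else, decrypted or not.
access-group OUTSIDE_IN in interface outside

! --- Option 1 would instead be:
!   sysopt connection permit-ipsec
! with OUTSIDE_IN no longer consulted for decrypted traffic, so every host
! and port covered by VPN_TRAFFIC is reachable from the remote network.

! --- afakhan's point 2: limit what inside hosts may initiate toward the
! remote network. PIX 6.x applies an access-group inbound to an interface,
! so an ACL on the inside interface filters packets arriving from inside.
access-list INSIDE_IN permit tcp 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq www
access-list INSIDE_IN deny ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list INSIDE_IN permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! --- IKE/IPsec to the Checkpoint (all parameters are assumptions)
crypto ipsec transform-set CHKPT_SET esp-3des esp-sha-hmac
crypto map CHKPT_MAP 10 ipsec-isakmp
crypto map CHKPT_MAP 10 match address VPN_TRAFFIC
crypto map CHKPT_MAP 10 set peer 203.0.113.10
crypto map CHKPT_MAP 10 set transform-set CHKPT_SET
crypto map CHKPT_MAP interface outside
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks after applying this: `show crypto ipsec sa` should show packets being decrypted for the peer, and `show access-list OUTSIDE_IN` should show hit counts climbing on the decrypted-traffic entries (and on the isakmp/esp entries) while remote connections to any host or port not listed fail. If NAT traversal is enabled with `isakmp nat-traversal`, the outside ACL also needs UDP 4500 between the peers, since ESP then arrives UDP-encapsulated. Connections initiated from inside hosts through the tunnel do not need return entries in OUTSIDE_IN because the PIX keeps state for them.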

Thanks Afaq.