Stateful Inspection

Unanswered Question
tvanginneken Mon, 12/15/2003 - 05:00

Hi Emily,


The PIX indeed supports stateful inspection for all types of connections, and stateful inspection is on by default. Please note that stateful inspection is related to the 'network' and the 'transport' layers of the OSI model (layers 3 and 4).


The stateful inspection looks at connections being initiated and automatically allows the corresponding reply packets. It has nothing to do with the 'application' layer.


The application layer of packets is inspected by the 'fixup protocols'. The PIX provides fixup protocols for several types of applications: SMTP, ESP-IKE, HTTP, FTP, ...


To allow Lotus Domino traffic through the PIX, just create the correct ACLs (and maybe 'static' commands) using port 1352/tcp and the PIX will 'stateful inspect' the traffic. You don't have to do anything specific to turn on stateful inspection.


Regards,

Tom
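
Added example, not part of Tom's reply and not PIX code: a simplified Python model of the layer 3/4 behaviour described above, where an ACL entry for 1352/tcp admits the initiating packet, reply packets are matched against the connection table, and the payload is never examined. The addresses, class and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample addresses (documentation ranges); not from the thread.
DOMINO = "192.0.2.10"
CLIENT = "198.51.100.7"

# `syn` is True only for the initial SYN of a TCP connection (no ACK).
Packet = namedtuple("Packet", "src sport dst dport proto syn payload")


class StatefulFilter:
    """Simplified layer 3/4 stateful filter; a teaching model only."""

    def __init__(self, acl):
        self.acl = acl      # (dst, dport, proto) tuples that may be initiated
        self.conns = set()  # connection table, keyed by the 5-tuple

    def inspect(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # A packet of a known flow, in either direction, passes without
        # an ACL lookup. pkt.payload is never read: no application layer.
        if flow in self.conns or reverse in self.conns:
            return "allow (existing connection)"
        # A new connection must start with a SYN and match an ACL entry.
        if pkt.syn and (pkt.dst, pkt.dport, pkt.proto) in self.acl:
            self.conns.add(flow)
            return "allow (new connection, ACL match)"
        return "drop"


def demo():
    fw = StatefulFilter(acl={(DOMINO, 1352, "tcp")})
    packets = [
        Packet(CLIENT, 40001, DOMINO, 1352, "tcp", True, b""),       # client opens a Domino session
        Packet(DOMINO, 1352, CLIENT, 40001, "tcp", False, b"\x00"),  # reply: no ACL entry needed
        Packet(DOMINO, 1352, CLIENT, 40002, "tcp", False, b"\x00"),  # "reply" to a flow never opened
        Packet(CLIENT, 40003, DOMINO, 8000, "tcp", True, b""),       # port not in the ACL
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```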

aboelhouwers Tue, 01/06/2004 - 05:08

Hi Tom,


Some time ago I configured an access-list on a PIX to gain access to a server that listens on port 8000, which is not an HTTP port. Now they asked me to get access to a different server using HTTP 8000 port, which I want to fixup. Can you tell me what will happen? Will packets from the first server be dropped because of the fixup?


Thanks in advance

Aad Boelhouwers
