I have been told the PIX isnt able to do stateful inspection on packets before passing them to the internal interface when terminating an IPSec VPN. I have also heard the packets are decrypted first then statefully inspected before being handed to the internal interface.
Both the statements are true. It depends on where your tunnel is terminating. Normally when the tunnel terminates on the outside interface, packet is decrypted -> stateful inspection is done. If the tunnel is terminated on the internal interface using the sysopt ipsec pl-compatible command then stateful inspection of the decrypted packet is not done. That is why it is suggested to use the nat 0 command instead of the sysopt ipsec pl-compatible. Hope this helps
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...