Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX inspection question

I have been told the PIX isn’t able to do stateful inspection on packets before passing them to the internal interface when terminating an IPSec VPN. I have also heard the packets are decrypted first then statefully inspected before being handed to the internal interface.

Which is correct?


New Member

Re: PIX inspection question

Both the statements are true. It depends on where your tunnel is terminating. Normally when the tunnel terminates on the outside interface, packet is decrypted -> stateful inspection is done. If the tunnel is terminated on the internal interface using the sysopt ipsec pl-compatible command then stateful inspection of the decrypted packet is not done. That is why it is suggested to use the nat 0 command instead of the sysopt ipsec pl-compatible. Hope this helps

New Member

Re: PIX inspection question

Thank you very much for your post.

Do you have access to a sample config that will allow me to terminate the tunnel on the outside interface and statefully inspect all packets?

Thank you again.