stateful Inspection

emily · ‎12-14-2003

Hi All

I know PIX can support stateful inspection , But i don't know the pix can support all application ? such as "Lotus Domino" or "MS Exchange"

. If i want to add Domino (1352) into PIX sateful inspection , How can i to do ?

tvanginneken · ‎12-15-2003

Hi Emily,

the pix indeed supports statefull inspection for all type of connections and statefull inspection is on by default. Please note that statefull inspection is related to the 'network' and the 'transport' layers of the OSI mode (layer 3 and 4).

The statefull inspection looks at connections being initiated and automatically allows the corresponding reply packets. It has nothing to do with the 'application' layer.

The application layer of packets is inspected by the 'fixup protocols'. The pix provides fixup protocols for several types of applications: SMTP, ESP-IKE, HTTP, FTP, ...

To allow Lotus Domino traffic throug the pix, just created the correct ACL's (and maybe'static' commands)using port 1352/tcp and the PIX will 'stateful inspect' the traffic. You don't have to do anything specific to turn on statefull inspection.

Regards,

Tom

aboelhouwers · ‎01-06-2004

Hi Tom,

So time ago I configured an access-list on a PIX to gain access to a server that listens on port 8000, which is not a http port. Now they asked me to get access to a different server using HTTP 8000 port, which I want to fixup. Can you tell what will happen? Will packets from the first server be dropped, because of the fixup.

Thanks in advance

Aad Boelhouwers