Cisco Support Community

New Member

PIX ASA logic


I have a PIX 501 configured with static NAT for an internal host. Suppose I configure a rule that allows any incoming traffic from anywhere to the internal host. Will the Cisco Adaptive Security Algorithm still be inspecting traffic to that host? Will the PIX prevent attacks from outside? Or would setting a "permit any" rule disable the firewall capabilities and be similar to exposing the internal host directly to the Internet?

Thank you.

New Member

Re: PIX ASA logic

If you have configured a static, then you have to apply an access-list on the outside interface to allow which traffic is permitted. Now this does not mean that the internal host is vulnerable. Only the ports which you have allowed in the access-list are open for that host. The host is by default protected against any TCP SYN attack, i.e. the number of embryonic connections. You can limit the number of maximum concurrent connections to that host. Also, only the valid sequence numbers and ports are allowed to that host.

If you want explicit inspection for that host, then you can turn on IPS on the 501.

Please do tell if this answers your question.
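To make the static/access-list/connection-limit points above concrete, here is an added PIX 6.x-style configuration fragment (constructed for this thread, not the poster's config; addresses are RFC 5737 documentation ranges and the 100/50 limits are illustrative). It contrasts the wide-open "permit any" rule from the question with a restricted access-list plus per-static connection limits. On PIX 7.x/ASA the max_conns and emb_limit values moved out of the `static` command into Modular Policy Framework (`set connection conn-max` / `embryonic-conn-max`), so adjust accordingly on newer code.

```text
! --- static NAT for the internal host (same on both variants) ---
! max_conns = 100 concurrent connections, emb_limit = 50 half-open (embryonic)
! TCP connections; once emb_limit is reached the PIX intercepts new SYNs
! instead of passing them to the host. Values are example values.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 100 50

! --- weak variant: the "permit any" rule from the question ---
! Every port on the host is reachable; ASA still tracks state, randomizes
! sequence numbers and enforces the limits above, but nothing is filtered.
access-list outside_in permit ip any host 203.0.113.10

! --- restricted variant: only the services the host actually offers ---
! Everything not listed is dropped by the implicit deny at the end.
no access-list outside_in permit ip any host 203.0.113.10
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443

! bind the access-list inbound on the outside interface
access-group outside_in in interface outside

! --- checks ---
! show conn          -> live connection table for 10.1.1.10 (state tracking)
! show static        -> confirms the 100/50 limits on the translation
! show access-list   -> hit counts per line; a growing count on a denied
!                       port is what you expect to see, not the host
```

The security point the answer makes is visible here: the access-list decides which ports are exposed, while the stateful engine and the per-static limits stay in force regardless of how permissive the access-list is. Tightening the access-list is still the first thing to do, because stateful inspection does not protect an application listening on a port you deliberately opened.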

New Member

Re: PIX ASA logic

It does answer the question. Thank you.

Is it possible to disable stateful inspection for some hosts or for the whole PIX?

New Member

Re: PIX ASA logic

It is not possible to disable stateful inspection!! It is an in-built feature of ASA. I am not sure why you would want to disable the stateful inspection.

Please rate the post if it helped answer your question!!