ASA Packet Flow

The Cisco ASA firewall processes packets through 11 steps: (1) the packet reaches an ingress interface; (2) the interface input counter increments; (3) the packet is checked against the connection table (and, for a new flow, its TCP state); (4) it is checked against the interface ACLs before (5) undergoing translation checks. (6) The packet then undergoes inspection and additional security checks before (7) having its headers translated by NAT/PAT rules. (8) It is then forwarded to the egress interface and (9) undergoes the egress interface route lookup before (10) Layer 2 rewrite and (11) transmission on the wire.

4/28/2017 ASA 8.2: Packet Flow through an ASA Firewall - Cisco
Source: http://www.cisco.com/c/en/us/support/docs/security/asa5500xseriesnextgenerationfirewalls/113396asapacketflow00.html

Cisco ASA Packet Process Algorithm

Here is a diagram of how the Cisco ASA processes the packet that it receives:

Here are the individual steps in detail:
1. The packet reaches the ingress interface.
2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
3. Cisco ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.
If the packet flow does not match a current connection, then the TCP state is verified. If it is a SYN packet or a UDP (User Datagram Protocol) packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.
4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.
5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.
6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its predefined set of application-level functionality. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.
Additional security checks will be implemented if a Content Security (CSC) module is involved.
7. The IP header information is translated as per the Network Address Translation/Port Address Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to the Advanced Inspection and Prevention Security Services Module (AIP SSM) for IPS-related security checks when the AIP module is involved.
8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.
9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that takes the priority.
10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.
11. The packet is transmitted on the wire, and interface counters increment on the egress interface.
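The decision logic of steps 3, 4, 5 and 8 above, written as an added illustrative model (not Cisco code and not an ASA emulator): an existing connection bypasses the ACL, a new TCP flow must start with SYN, ACL entries are evaluated in order with a hit counter, a translation rule must match before the connection entry is created, and the egress interface comes from the translation rule or else a longest-prefix route lookup. The Packet and Asa classes, the tuple formats for ACL, translation and route entries, and the log strings are all constructed here for the example.

```python
import ipaddress
from dataclasses import dataclass, field

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Packet:              # constructed 5-tuple-ish view of one packet
    ingress: str
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    syn: bool = False      # TCP SYN flag (ignored for udp)

@dataclass
class Asa:
    acls: dict             # ingress iface -> ordered [(action, proto|"ip", dst_net, dport|None)]
    xlates: list           # ordered [(src_net, egress_iface|None)]; None => global route lookup
    routes: dict           # dst_net -> egress iface; longest prefix wins
    conns: set = field(default_factory=set)    # what "show conn" would list
    hits: dict = field(default_factory=dict)   # (ingress, acl index) -> hit count, as in "show access-list"
    log: list = field(default_factory=list)

    def acl_permits(self, pkt):
        """Step 4: first matching entry decides and its hit count increments; implicit deny otherwise."""
        for i, (action, proto, net, port) in enumerate(self.acls.get(pkt.ingress, [])):
            if proto in (pkt.proto, "ip") and _in(pkt.dst, net) and port in (pkt.dport, None):
                self.hits[(pkt.ingress, i)] = self.hits.get((pkt.ingress, i), 0) + 1
                return action == "permit"
        return False

    def route_lookup(self, dst):
        """Steps 8-9: longest-prefix route lookup when the translation rule names no egress interface."""
        best = max((ipaddress.ip_network(n) for n in self.routes if _in(dst, n)),
                   key=lambda n: n.prefixlen, default=None)
        return self.routes[str(best)] if best else None

    def egress_for(self, pkt):
        """Step 5/8: the first matching translation rule decides; no rule means no egress."""
        for net, iface in self.xlates:
            if _in(pkt.src, net):
                return iface or self.route_lookup(pkt.dst)
        return None

    def process(self, pkt):
        """Returns the egress interface, or None when the packet is dropped (reason appended to log)."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if key in self.conns:                     # step 3: existing connection bypasses the ACL
            return self.egress_for(pkt)
        if pkt.proto == "tcp" and not pkt.syn:    # step 3: a new TCP flow must begin with SYN
            self.log.append(f"drop no-connection {key}"); return None
        if not self.acl_permits(pkt):             # step 4
            self.log.append(f"drop acl {key}"); return None
        egress = self.egress_for(pkt)             # step 5: translation rule must exist
        if egress is None:
            self.log.append(f"drop no-egress {key}"); return None
        self.conns.add(key)                       # step 5: connection entry created for this flow
        return egress
```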

Explanation of NAT

Refer to these documents for more details on the order of NAT operation:
Cisco ASA Software Version 8.2 and earlier
Cisco ASA Software Version 8.3 and later

Show Commands

Here are some useful commands that help track the packet flow details at different stages in the process:
show interface
show conn
show access-list
show xlate
show service-policy inspect
show run static
show run nat
show run global
show nat
show route
show arp
