Scribd
Upload
71 views

Background Information: Cisco ASA Packet Process Algorithm

1) A packet is initiated from inside the network to an outside website. 2) The packet hits the inside interface of the ASA firewall. 3) The ASA checks its connection table and ACL rules before allowing the packet through to the outside interface based on NAT/PAT rules.

Uploaded by

Rakesh Rakee
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
71 views

Background Information: Cisco ASA Packet Process Algorithm

1) A packet is initiated from inside the network to an outside website. 2) The packet hits the inside interface of the ASA firewall. 3) The ASA checks its connection table and ACL rules before allowing the packet through to the outside interface based on NAT/PAT rules.

Uploaded by

Rakesh Rakee
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

Background Information

The interface that receives the packet is called the ingress interface and the interface through
which the packet exits is called the egress interface. When you refer to the packet flow through
any device, the task is easily simplified if you look at it in terms of these two interfaces. Here is a
sample scenario:

When an inside user (192.168.10.5) attempts to access a web server in the demilitarized zone
(DMZ) network (172.16.10.5), the packet flow looks like this:

 Source address - 192.168.10.5


 Source port - 22966
 Destination address - 172.16.10.5
 Destination port - 8080
 Ingress interface - Inside
 Egress interface - DMZ
 Protocol used - TCP (Transmission Control Protocol)

After you determine the details of the packet flow as described here, it is easy to isolate the issue
to this specific connection entry.

Cisco ASA Packet Process Algorithm

Here is a diagram of how the Cisco ASA processes the packet that it receives:
Scenario : So here is a packet initiated from Inside to the Outside [ingress to egress].

1) A user who is sitting inside of the network is trying to access a


website located at the Internet (outside)

2)The packet hits the inside interface (Ingress) of ASA.

3) Once the packet reached ASA, it will verify whether this is an


existing connection by checking its internal connection table. If it is
an existing connection, the ACL check (step 4) will be bypassed and
move to step 5.

ASA will check for the TCP flag if its a TCP packet. If the packet
contains a SYN flag, then the new connection entry will be created
in the connection table(connection counter gets incremented). Other
than SYN flag, the packet will be discarded and a log entry will be
created.

"Remember the 3-way handshake process. SYN/SYN-ACK/ACK. If


the TCP connection flags are not in the order as it is intended to be,
ASA will simply drop the packet. Most of the scanning/attacks are
done by these flag manipulation."
If the packet is a UDP , the connection counter will get incremented
by one as well.

4) ASA check the packet again the interface Access Control Lists
(ACL). If the packet matches with an allowed ACL entry, it moves
forward to the next step. Otherwise, the packet will be dropped. (The
ACL hit counter gets incremented when there is a valid ACL match.)

5) Then packet is verified for the translation rules. If a packet pass


this check, then a connection entry is created for this flow, and the
packet moves forward. Otherwise, the packet gets dropped and a log
entry will be created.

6)The packet is checked for the Inspection policy. This inspection


verifies whether or not this specific packet flow is in compliance
with the protocol. In ASA we create these inspection checks through
MPF (modular policy framework) or through CLI using policy/class
maps.

If it passes the inspection check, it is then moves forward to the next


step. Otherwise, the packet is dropped and the information is
logged.Additional checks will be done if the ASA has a CSC module
installed. The packet will be forwarded to that module for further
analysis and returns to step 7.

7)Actual Network Address Translation happens at this step. The IP header


information is translated as per the NAT/PAT rule . If an IPS module is
present, then the packet will be forwarded to IPS module for further check.

8)The packet is forwarded to the Outside (egress) interface based on the


translation rules. If no egress interface is specified in the translation rule,
then the destination interface is decided based on global route lookup.

9) On the egress interface, the interface route lookup will be performed.

10) Once a Layer 3 route has been found and the next hop identified,
Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens
at this stage.
11) Finally the packet will be forwarded by the ASA to the next hop.

 Note: When a destination NAT applicable, then there will be an


additional step for that. Otherwise, the order of operation will remain the
same.

https://www.jaacostan.com/2018/03/cisco-asa-firewall-packet-
flowmode-of.html
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-
series-next-generation-firewalls/113396-asa-packet-flow-00.html
https://networkwizkid.com/2017/10/12/asa-packet-processing-post-
8-3-code/

You might also like