topic cisco firewall rules in Network Security

cisco firewall rules

mohamed fayz — Mon, 11 Mar 2019 23:53:22 GMT

Hai,

Anyone please clarrify me my question!!

in cisco firewall, which is inspecting first??? either network address translation (NAT) or access list???

cisco firewall rules

gurpsin2 — Wed, 12 Sep 2012 18:11:52 GMT

Hi Mohammed,

Prior to version 8.3, access-list hits first, followed by NAT, and then route-lookup. After 8.3 and above, nat hits first, then the ACL, due to wchi real ip are allowed in interface ACL.

Let me know if you have any other questions

Regards

Gurpreet

cisco firewall rules

mohamed fayz — Wed, 12 Sep 2012 18:15:07 GMT

Dear Gurpeet,

Thanks for your reply. Is this same happening in cisco fwsm also???

cisco firewall rules

gurpsin2 — Wed, 12 Sep 2012 18:22:09 GMT

Hi Mohammad,

FWSM has a completely different architecture, based upon which packet flow can be understood. Here is the explanation below:

he FWSM architecture is heirachical using four different components:

Network Processor 1 (NP1)

Network Processor 2 (NP2)

Network Processor 3 (NP3)

Control Point (CP, PC, CPU)

NP1 and NP2 are the front line processors that are responsible for reading and analyzing all traffic initially. NP1 and NP2 are responsible for receiving packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Adding these all together gives you the 6 Gigabit link as identified in the FWSM datasheets.

NP1 and NP2 are responsible for the following functions:

- Perform per packet session lookup

- Maintain connection table

- Perform NAT/PAT

- TCP checks

- Handle reassembled IP packets (NP2 only)

- TCP sequence number shift for "randomization"

- Syn Cookies

NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes first packet in a flow

- ACL checks

- Translation creation

- Embryonic/establish connection counts

- TCP/UDP checksums

- Per-flow offset calculation for TCP sequence number "randomization"

- TCP intercept

- IP reassembly

NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.

The Control Point sits above NP3, and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups. For example, traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic souced from or destined to the FWSM itself:

- Syslogs

- AAA (Radius/TACACS+)

- URL filtering (Websense/N2H2)

- Management traffic (telnet/SSH/HTTPS/SNMP)

- Failover communictions

- Routing protocols

- Most Layer 7 fixups/inspections

Let me know if it answers your concern.

Regards

Gurpreet

cisco firewall rules

mohamed fayz — Thu, 13 Sep 2012 05:20:49 GMT

Thank you Gurpet,

Still i have one doubt.

As you said, after 8.3 and above if nat is htting first, thats y we are giving real ip in access-list (in outside). But if we have a nat rule from inisde users (inside interface generally), and if we have access-list on inisde interface, how can we add access-list???? for nated mapped ip or real ip??

if we are applying access-list for real ip, as per you said, nat will hit first, followed by access-list. then nat will transalte to mapped ip, so do we need to permit mapped ip from inside?????