topic CISCO ASA Packet Inspection Sequence in Network Security

CISCO ASA Packet Inspection Sequence

praga1986 — Mon, 11 Mar 2019 21:35:57 GMT

Hi All,

I am curious to understand the concept of packet flow (or) (inspection /order of operation) in CISCO ASA 8.2 version.

1. What happens to packet during the outbound flow (Inside to Outside) and Inbound flow (Outside to Inside). I would like to understand specifically whether Route is checked first or NAT in each direction ?

2. What the correct NAT order of operation?

Till now i have an understanding that for the

Inbound flow --- ACL ---> NAT --> Route is checked

Outbound flow ---ACL -->Route ---NAT is checked ----------- Just wanted to know whether I am right with this??????

It would be great if an explanation from the expert in CISCO ASA or an CISCO document that gives a clear idea of this concept.

It will be helpful for me when troubleshooting connections !!!!

Thanks-Pragatheesh

CISCO ASA Packet Inspection Sequence

varrao — Mon, 10 Oct 2011 18:06:03 GMT

Hi Pragatheesh,

To understand the flow of traffic, i would suggest you make use of packet-tracer command, this gives you a detailed flow of packet in ASA. Lets say you want to test the packet flow, when someone access your web server (1.1.1.1) on its public ip, then the command would be:

packet-tracer input outside tcp 2.2.2.2 2345 1.1.1.1 443 detailed

This would give you avery good idea. The source here (2.2.2.2) could be any IP on the outsidfe, and 2345 is your source port.

Here's the command reference:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/p.html#wp1913020

Just for troubleshooting purpose, always make use of packet-captures and logs:

https://supportforums.cisco.com/docs/DOC-17814

Hope that helps.

Thanks,

Varun

CISCO ASA Packet Inspection Sequence

varrao — Mon, 10 Oct 2011 18:07:24 GMT

The packet-flow is different, pre 8.3 and post 8.3, in pre acl is hit first and then natting, but in post 8.3 first nat is done and then ACL is hit, thats why we use private ip's in ACL instead of public, in post 8.3.

Thanks,

Varun

CISCO ASA Packet Inspection Sequence

gourav007 — Mon, 05 Mar 2012 06:31:02 GMT

I above statement is true in case of NAT-C is enabled however in other case the routing check will occur first after ACL then NAT will be checked...

CISCO ASA Packet Inspection Sequence

svaish — Mon, 05 Mar 2012 08:30:40 GMT

When an ASA passes traffic inside to outside it is as follows.

inside inbound acl (if used)

nat

crypto map (if used)

outside outbound acl (if used)

When an ASA passes traffic from the outside to the inside.

outside inbound acl

crypto map (if used)

nat

inside outbound acl (if used)

That is pretty straightforward. What is really confusing is the order of operation between different types of nats. For that, I would take a look at the following document.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

Basically, it says--

1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the adaptive security appliance.

The tricky part is #2 contains NAT and PAT as well as regular and policy. So there are 4 iterations in that one section. The go in the order they were entered into the config.

CISCO ASA Packet Inspection Sequence

gourav007 — Mon, 05 Mar 2012 08:54:51 GMT

thanks for the update svaish,

in cisco we use interface based NAT means the NAT decisions are taken place on the basis of the firection of traffic, and direction can be found in route means route occurs first and then NAT.

This is what i have seen my hands on experiance.

CISCO ASA Packet Inspection Sequence

svaish — Mon, 05 Mar 2012 09:06:30 GMT

Here is the complete explanation on how a packte is processed through the ASA

Packet is reached at the ingress interface.
Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.
The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.
The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged.
The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.
Additional Security-Checks will be implemented if a CSC module is involved.
The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP-SSM for IPS related security checks, when the AIP module is involved.
The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.
On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority.
Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.
The packet is transmitted on wire, and Interface counters increment on the egress interface.

Steps 7 and 8 are referring to NAT configuration which has its own order of operation which I already explained above.

Regards,

Sachin

https://supportforums.cisco

secureIT — Tue, 01 Apr 2014 18:19:34 GMT

https://supportforums.cisco.com/discussion/11788851/cisco-asa-traffic-flow

Well this was the doc i prepared.