https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370511#M719536 <HTML><HEAD></HEAD><BODY><P>Here you go:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/application/pdf/paws/71871/asa-pix-troubleshooting.pdf">http://www.cisco.com/application/pdf/paws/71871/asa-pix-troubleshooting.pdf</A></P></BODY></HTML> Mon, 05 Apr 2010 11:43:45 GMT Jennifer Halim 2010-04-05T11:43:45Z https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370508#M719530 <P>Hi,</P><P></P><P>&nbsp;&nbsp; Can anybody please&nbsp; help me to understand the <STRONG>packet tracer</STRONG> output of ASA well explainied.&nbsp; Any well explained link/URL&nbsp; will be very helpful.&nbsp; I want to clearly understand the process happening in each step when a packet travel from one interface to another interface of ASA.</P><P></P><P></P><P>Also&nbsp; please tell me the order of NAT and Route performed in the case of&nbsp; inside to outside and outside to inside( Which one is done at first in each case)</P><P></P><P>Thanks &amp; Regards</P><P></P><P>Joy</P><P></P><P>( I will defenitely rate helpful posts)</P> Mon, 11 Mar 2019 17:29:01 GMT https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370508#M719530 Jithesh K Joy 2019-03-11T17:29:01Z https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370509#M719532 <HTML><HEAD></HEAD><BODY><P>Take a look at the packet tracer section of this document:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807c35e7.shtml">http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807c35e7.shtml</A></P><P></P><P>Basically, it goes through the packet lifecycle from when it arrives on the interface all the way before it left the interface. If the result shows "ALLOW", it means it passes through that particular phase, and it will show "DENY" if it fails on that particular phase.</P><P></P><P>NAT order of operation on ASA:</P><P>1) NAT exemption (NAT 0 with ACL)</P><P>2) Static NAT and PAT</P><P>3) Dynamic NAT and PAT</P><P></P><P>From inside to outside:</P><P>- It will check the inside ACL first, and it should match the ip address/subnet before it is getting translated.</P><P>- It will then check where is the destination traffic, and translate packet accordingly as per the translation pair created, ie: whether it is "static (inside,outside)" OR/ "nat (inside) and global (outside) pair".</P><P></P><P>From outside to inside:</P><P>- It will check the outside ACL first, and it should match the ip address/subnet before it is getting translated back. For example: if translation from public to private ip is configured, the ACL should match the public ip address (This is true for ASA version 8.2 and earlier).</P><P>- Then as above, it will untranslate the ip address back from public to private.</P><P></P><P>There is a whole complete transformation of NAT and ACL on ASA version 8.3.</P><P></P><P>Hope the information helps.</P></BODY></HTML> Mon, 05 Apr 2010 08:34:09 GMT https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370509#M719532 Jennifer Halim 2010-04-05T08:34:09Z https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370510#M719534 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>&nbsp; Thank you . If you don't mind, could you please send me the file(URL) to my email ID <A href="mailto:jitheshkjoy@gmail.com">jitheshkjoy@gmail.com</A> becoz that URL is not accessible for my Login ( Forbidden)</P><P></P><P>Regards</P><P></P><P>Jithesh</P></BODY></HTML> Mon, 05 Apr 2010 11:24:17 GMT https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370510#M719534 Jithesh K Joy 2010-04-05T11:24:17Z https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370511#M719536 <HTML><HEAD></HEAD><BODY><P>Here you go:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/application/pdf/paws/71871/asa-pix-troubleshooting.pdf">http://www.cisco.com/application/pdf/paws/71871/asa-pix-troubleshooting.pdf</A></P></BODY></HTML> Mon, 05 Apr 2010 11:43:45 GMT https://community.cisco.com/t5/network-security/asa-packet-tracer/m-p/1370511#M719536 Jennifer Halim 2010-04-05T11:43:45Z