Cisco ASA 9.1 Order Of Operation

Hi All,

I have a Cisco ASA firewall running 9.1 IOS, with an IPsec tunnel terminated on the outside interface, which is up. The interesting traffic from the peer on the other side is sourced from 192.168.10.2 to destination 172.16.10.2, and the IP 172.16.10.2 is a static NAT for 10.10.10.2 (outside to inside interfaces) at my end.

So can somebody please explain the points below in this scenario.

1. What is the order of operation or packet flow for ASA 9.1 on the outside interface with an IPsec tunnel terminated on it?

2. Should my access list on the outside interface have source 192.168.10.2 and destination 10.10.10.2, if I want to apply a filter?

Thanks in advance.

Ali.

2 Replies

Can somebody please explain

With an IPsec VPN, your outside interface will never see the true (inner) addresses, as they are all wrapped in the encrypted packets.

An established tunnel equals an established connection, so access lists on the outside interface will not be considered.

As it comes in on an established tunnel as encapsulated traffic, the interface will hand it off for decryption and inspection, the latter per any class maps and policy maps you have configured.

When it proceeds to the egress interface, any additional NAT will take place before the packet is sent out the appropriate interface, considering any routing and outbound ACL.
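The following ASA configuration fragment is an added example, not configuration posted by the original author or by the replier. It uses the addresses from the question (192.168.10.2 on the peer side, 172.16.10.2 mapped to 10.10.10.2 on this side) and shows where each step the reply describes is configured: the static NAT that un-translates the decrypted packet, the crypto ACL written against the mapped address because NAT runs before encryption, the default `sysopt connection permit-vpn` setting that is the reason the outside interface ACL is not consulted, and a `vpn-filter` as the place to put a filter if one is wanted. Object, ACL, crypto-map, group-policy and transform-set names, the peer address 203.0.113.1, the pre-shared key, and the choice of port 443 in the filter are all assumptions for illustration.

```cisco
! Added example configuration; names, the peer address 203.0.113.1 and
! the pre-shared key are assumptions. Addresses are those from the question.

! Inside host 10.10.10.2 is presented to the peer as 172.16.10.2.
! On ASA 8.3+ this object NAT "static" entry is bidirectional, so a
! decrypted packet addressed to 172.16.10.2 is un-NATed to 10.10.10.2.
object network HOST_10.10.10.2
 host 10.10.10.2
 nat (inside,outside) static 172.16.10.2

! Crypto ACL: NAT happens before encryption, so the local side of the
! tunnel is defined with the mapped address. This mirrors the peer's
! interesting-traffic definition of 192.168.10.2 -> 172.16.10.2.
access-list VPN_TO_PEER extended permit ip host 172.16.10.2 host 192.168.10.2

! Minimal IKEv1 phase 1 and phase 2 settings (assumed values).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! This is the (default) setting behind the reply above: traffic that
! arrives through an established tunnel bypasses the outside interface ACL.
! Listed explicitly here so the behaviour is visible in the config.
sysopt connection permit-vpn

! To filter decrypted traffic, use a vpn-filter on the tunnel's group-policy
! instead of the outside interface ACL. The vpn-filter ACL is written in
! the inbound direction: remote peer as source, local host as destination.
! The local host is given as the real address 10.10.10.2 here on the
! assumption that the filter, like 8.3+ interface ACLs, matches real
! addresses; confirm with the packet-tracer check below before relying on it.
access-list PEER_VPN_FILTER extended permit tcp host 192.168.10.2 host 10.10.10.2 eq 443
access-list PEER_VPN_FILTER extended deny ip any any

group-policy PEER_GP internal
group-policy PEER_GP attributes
 vpn-filter value PEER_VPN_FILTER

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy PEER_GP
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ExampleKeyReplaceMe

! Verify the order of operations on the box itself rather than from memory.
! packet-tracer prints each phase (VPN decrypt, UN-NAT, ACCESS-LIST, NAT,
! route lookup, ...) in the order the ASA applies it to a packet arriving on
! outside for the mapped address. Run it with and without the vpn-filter
! applied to see exactly where the filter is evaluated and which address it
! matches.
packet-tracer input outside tcp 192.168.10.2 40000 172.16.10.2 443 detailed
```

The `packet-tracer` line is the practical answer to the question's point 1: it shows the phases for this specific packet on this specific ASA, and its output makes clear whether a given ACL is consulted at all. For point 2, note that the filter is not placed on the outside interface in this example; if `sysopt connection permit-vpn` is left at its default, an outside interface ACL would not be evaluated for the decrypted traffic regardless of which addresses it names.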
