07-10-2015 11:30 AM - edited 03-11-2019 11:15 PM
Hi everyone,
I am trying to check routing for traffic flow from source to destination.
When traffic is hitting the firewall, say on the inside interface, I do sh run route
and I noticed the firewall has no static route to the destination subnet.
So in this case, will the firewall create any log message?
I need to know: when traffic is coming from the inside interface of the firewall and, say, it has to go to destination subnet 10.10.10.1 on port 445, and there is
no routing in place for 10.10.10.1, will the firewall check routing first or the ACL?
Regards
Mahesh
07-10-2015 02:22 PM
Hi
I think this document may answer your question
http://www.cisco.com/image/gif/paws/113396/asa-packet-flow-00.pdf
07-11-2015 11:09 AM
The ASA firewall will first check to see if there is already a connection for the traffic in the state table. If there is no existing connection, it will then check the ACL, then the routing table.
If you want to see the packet flow through the ASA, you could do a packet-tracer, which will show you exactly the flow of a packet, with the exception of checking the state table.
--
Please remember to select a correct answer and rate helpful posts
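The packet-tracer check described in the answer above, as an added example that is not part of the original thread. It assumes an ASA running 9.x with `logging buffered informational` configured, a hypothetical inside host 192.168.1.10 using source port 12345, and the question's destination 10.10.10.1 on TCP 445.

```text
! Added example (not from the thread). Inside host 192.168.1.10 and
! source port 12345 are assumptions; 10.10.10.1 / TCP 445 come from the question.

! 1. Confirm what the routing table actually holds. A default route
!    (0.0.0.0/0) would still carry 10.10.10.1 even with no static route
!    for that specific subnet, so look at both outputs.
show run route
show route

! 2. Simulate the inside-to-10.10.10.1 SMB flow through the full packet path
!    (ACL, NAT, route lookup, inspection). "detailed" prints each phase.
packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.1 445 detailed

! 3. If the result is "drop", the Drop-reason line names the failing phase.
!    A missing route is counted under the no-route drop reason:
show asp drop | include no-route

! 4. Routing failures are logged at informational level, so make sure that
!    level is enabled before testing, then look for the destination:
show logging | include 10.10.10.1
```

packet-tracer walks the same phases a real packet would, but as the answer says it does not consult the existing-connection table; to see whether a live flow from the inside host ever got a connection built, use `show conn address 10.10.10.1` while the traffic is running.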
07-13-2015 07:19 AM
Many thanks
Regards
Mahesh