Been reading the following info -
Can someone advise when the Security-Level of an interface is checked during the packet flow? Is this done at the start, e.g part of step 3 in the link provided?
Taken from the page..
I know traffic can't move from a low to high without a specific ACL, but at what point does the ASA check the security level of the incoming interface and destination interface of the packet before deciding if it's allowed or not based on that alone.
Here are the individual steps in detail:
Packet is reached at the ingress interface.
Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged