Showing results for 
Search instead for 
Did you mean: 

ASA packet flow / order of operation

Frequent Contributor
Frequent Contributor


Been reading the following info -

Can someone advise when the Security-Level of an interface is checked during the packet flow? Is this done at the start, e.g part of step 3 in the link provided?

Taken from the page..
I know traffic can't move from a low to high without a specific ACL, but at what point does the ASA check the security level of the incoming interface and destination interface of the packet before deciding if it's allowed or not based on that alone.


Here are the individual steps in detail:


Thank You

  1. Packet is reached at the ingress interface.

  2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

    If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged

1 Reply 1


I can't say for certain, but based on packet tracers I remember I believe it would be dropped during the ACL check and it would say dropped by "implicit rule". So my guess would be Step 4. If you have access to a test system I would recommend testing it with a packet tracer, it might shed some light on it for you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers