Cisco ASA 9.X Packet flow

MoulaAli480 (Level 1)

Hello,

 

Could someone please help with Cisco ASA 9.X packet flow. And also, what is the exact difference between version 8.2 and 9.X?

 

Regards,

Moula Ali


balaji.bandi (Hall of Fame)

ASA packet flow as below:

 

image.png

 

ASA 8.2 to 9.X: many things changed; you can view them by release:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Thanks for the explanation.

But I see in the latest versions' packet tracer that after the packet reaches the ingress interface it is checking NAT first. Could you please confirm this one.

Regards,
Moula Ali

"latest versions packet tracer"

Simulator or Packet Tracer of ASA? Please clarify and show the output if you can.

 

BB


Hello Balaji,

Sorry, I don't have a lab to show packet tracer output. My query is simple and clear: the ASA packet flow of the latest version, 9.x. I could not see the NAT untranslate step in your explanation.

Regards,
Moula Ali

That is the high level I have provided; if there is no NAT it goes into the ACL process. (Or am I confused here with the question?)

 

image.png

BB


IEbound (Level 1)

5/16/2023 Update to keep this current and hopefully assist.

Balaji had a good question about packet tracer. This data is from Cisco Modeling Labs (CML) 2.5 with the ASA v9.18(2) (System image file is "boot:/asa9182-smp-k8.bin"). The order below shows it depends on whether you are going from high security-level to low or from low to high, as might be expected. Access lists are required low to high, but the traffic sent high to low is permitted without them, so no check is made below.

Attached is a summary after which the full details (standard not detailed) are shown for further analysis for reviewers. These are for allowed traffic. It looks like the diagram above is good. A few more details are shown in the data, but nice work Balaji! 

OUTSIDE to INSIDE: packet-tracer input outside icmp 150.1.35.5 8 0 150.1.55.8

Phase:
1 ROUTE-LOOKUP
2 ACCESS-LIST
3 NAT
4 IP-OPTIONS
5 QOS
6 INSPECT
7 FLOW-CREATION
8 ACCESS-LIST
9 NAT
10 IP-OPTIONS
11 INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
12 ADJACENCY-LOOKUP

Result:
Action: allow

INSIDE TO OUTSIDE: packet-tracer input inside icmp 150.1.55.8 8 0 150.1.35.5

Phase:
1 ROUTE-LOOKUP
2 NAT
3 IP-OPTIONS
4 QOS
5 INSPECT
6 FLOW-CREATION
7 NAT
8 IP-OPTIONS
9 INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
10 ADJACENCY-LOOKUP

Result:
Action: allow
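The two phase summaries above are easy to compare by eye once, but when you are auditing many traces (one per interface pair and protocol) it helps to parse them. The following is an added example, not code from the post or from Cisco: a small parser for the summary layout shown above ("Phase:" followed by numbered phase names, then "Result:" / "Action:"), plus an audit that checks what the post reports for 9.18(2), namely that a low-to-high trace carries an ACCESS-LIST phase before NAT, while a high-to-low trace has none. The two sample inputs are constructed from the phase lists in the post; the direction labels "low-to-high" and "high-to-low" and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample inputs, transcribed from the phase summaries in the post
# (CML 2.5, ASA 9.18(2)). They use the summary layout shown there, not the
# full multi-line "Phase: N / Type: ..." blocks that packet-tracer prints.
OUTSIDE_TO_INSIDE = """\
Phase:
1 ROUTE-LOOKUP
2 ACCESS-LIST
3 NAT
4 IP-OPTIONS
5 QOS
6 INSPECT
7 FLOW-CREATION
8 ACCESS-LIST
9 NAT
10 IP-OPTIONS
11 INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
12 ADJACENCY-LOOKUP

Result:
Action: allow
"""

INSIDE_TO_OUTSIDE = """\
Phase:
1 ROUTE-LOOKUP
2 NAT
3 IP-OPTIONS
4 QOS
5 INSPECT
6 FLOW-CREATION
7 NAT
8 IP-OPTIONS
9 INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
10 ADJACENCY-LOOKUP

Result:
Action: allow
"""

# "<number> <PHASE-NAME>" lines; phase names are upper-case with hyphens.
PHASE_RE = re.compile(r"^\s*(\d+)\s+([A-Z][A-Z0-9-]*)\s*$")
ACTION_RE = re.compile(r"^\s*Action:\s*(\w+)", re.IGNORECASE)


def parse_summary(text: str) -> Dict[str, object]:
    """Extract the ordered phase names and the final action from a summary."""
    phases: List[str] = []
    action = None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            phases.append(m.group(2))
            continue
        m = ACTION_RE.match(line)
        if m:
            action = m.group(1).lower()
    return {"phases": phases, "action": action}


def precedes(phases: List[str], first: str, second: str) -> bool:
    """True if the first occurrence of `first` comes before the first of `second`."""
    if first not in phases or second not in phases:
        return False
    return phases.index(first) < phases.index(second)


def audit(direction: str, text: str) -> Dict[str, object]:
    """Check one trace against what the post reports for 9.18(2).

    direction is a hypothetical label: "low-to-high" (e.g. outside->inside)
    or "high-to-low" (e.g. inside->outside).
    """
    parsed = parse_summary(text)
    phases = parsed["phases"]
    findings: List[str] = []
    if parsed["action"] != "allow":
        findings.append(f"trace result is {parsed['action']!r}, not allow")
    if not phases or phases[0] != "ROUTE-LOOKUP":
        findings.append("trace does not start with ROUTE-LOOKUP")
    if "FLOW-CREATION" not in phases:
        findings.append("no FLOW-CREATION phase: no connection would be built")
    acl_checked = "ACCESS-LIST" in phases
    if direction == "low-to-high" and not acl_checked:
        findings.append("low-to-high traffic allowed with no ACCESS-LIST phase: "
                        "check the interface ACL")
    if acl_checked and not precedes(phases, "ACCESS-LIST", "NAT"):
        findings.append("ACCESS-LIST does not precede NAT; the 9.18(2) summary in "
                        "the post shows ACL evaluated before NAT")
    return {"direction": direction, "phases": phases, "action": parsed["action"],
            "acl_checked": acl_checked, "findings": findings}


def phase_diff(a_text: str, b_text: str) -> Dict[str, Dict[str, int]]:
    """Phases (with counts) present in one summary but missing from the other."""
    ca = Counter(parse_summary(a_text)["phases"])
    cb = Counter(parse_summary(b_text)["phases"])
    return {"only_in_a": dict(ca - cb), "only_in_b": dict(cb - ca)}


if __name__ == "__main__":
    for label, direction, text in (("outside->inside", "low-to-high", OUTSIDE_TO_INSIDE),
                                   ("inside->outside", "high-to-low", INSIDE_TO_OUTSIDE)):
        report = audit(direction, text)
        print(label, report["action"], "ACL checked:", report["acl_checked"],
              "findings:", report["findings"] or "none")
    print("difference:", phase_diff(OUTSIDE_TO_INSIDE, INSIDE_TO_OUTSIDE))
```

Run against the two traces from the post, the audit reports no findings for either direction, and phase_diff shows that the only difference between them is the two ACCESS-LIST phases present in the outside-to-inside trace. Feeding a high-to-low summary to the audit with the "low-to-high" label produces a finding, which is the case you want flagged when a low-security interface is missing its ACL.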
