Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
702
Views
0
Helpful
2
Replies

Packet processing in ASA

pankaj kumar
Level 1
Level 1

‎11-13-2014 11:01 AM - edited ‎03-11-2019 10:04 PM

Hello Guys,

I am studying packet processing in ASA and i have understood the following: -

Packet processing for 8.0

1. Packet will be received on ingress interface kept in internal buffer, input counter will be incremented.

2. Connection table is checked to check if packet belongs to exiting connection if yes ACL check is skipped and packet is moved to further processing. If packet is not a part of existing connection then if packet is TCP SYN or UDP packet then connection counter is increased and  packet is moved for further processing. Else packet is dropped.

3. Packet is subjected to ACL check if ACL allow the packet then ACL hit count is incremented and packet is moved for further processing. Else packet is dropped and logged.

4. NAT rules are checked and IP header information is changed like Source IP and destination IP are changed and chcek is recalculated and new checksum is inserted in the IP header.

5. Routing table is checked. Layer 2 resolution is performed.

6.Packet is transmitted on wire.

Packet processing for 8.4
Just swap 3 and 4

I want to ask

1. Is above explanation is corrected and complete ?

2. Is this is explanation is same for the packet going from High to Low security level, Low to High security level.

3. Suppose egress interface also have some ACL applied in "out direction" then when that ACL will be checked.

I was reffering the below document. Or Can anyone provide some better detailed explanation i am preparing for interview.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎11-13-2014 12:03 PM

I would simulate different types of communication with the packet-tracer. There you see which actions are done and in which order.

Some points on your list are not absolutely accurate:

2) "then if packet is TCP SYN or UDP packet" should better be "then if packet is TCP SYN or UDP or any not statefully inspected protocol". You also could have things like GRE that gets processed with the next step.

3) The ACL is only used if available. Also think about the default handling with security-levels when there are no ACLs.

4) If there already is a translation, the NAT rules are not checked. Instead the existing translation is used.

0 Helpful

Murali
Level 1
Level 1

‎11-13-2014 07:51 PM

 

ASA Order of Operation IMG

on ASA (5525X) with code 9.1.4 above does not apply .route lookup is being done bore NAT. so it would be step 7 and NAT will go step 8

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card