Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1036
Views
30
Helpful
9
Replies

ASA IOS 8.3 policy order-- 1. NAT, then...2. ACL, then... 3. ?

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-13-2023 02:11 PM

Hello.

Within an ASA-5525, the IOS 8.3 or later order of execution of policy-- Is it...

1. NAT, then...2. ACL, then... 3. (I forget the term-- it refers to when the NAT policy is executed lower in the order.)?

May you clarify, and answer my question?

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-13-2023 02:44 PM

here is the packet flow from cisco live :

balajibandi_0-1676328148946.png

you can find the reference  here :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
jmaxwellUSAF
VIP
VIP
In response to balaji.bandi

‎02-13-2023 02:59 PM

This is EXACTLY what I was looking for, though some questions remain...

May you please also explain the "third policy rule"-- It has to do with "nested" "or "conditional" (or something like that). It has to do with NAT or PAT translations. What is the name of this 3rd rule? What is the priority order of this 3rd rule? (It might be in the link from the text Cisco ASA Software Version 8.3 and later, but the link refers to many hundreds of pages of text.)

From your link-- "Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality."-- What is the command to remove this "inspection engine"?

Thank you.

Go to solution
MHM Cisco World
VIP
VIP
In response to jmaxwellUSAF

‎02-13-2023 03:13 PM

why you want to remove inspection engine ??

0 Helpful

Go to solution
jmaxwellUSAF
VIP
VIP
In response to MHM Cisco World

‎02-13-2023 03:45 PM

troubleshooting.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jmaxwellUSAF

‎02-14-2023 03:10 AM

Not sure you can to packet tracer see what is happening if you have ASA 8.3 code, I stopped using that code more than 10 years now.

 

check this another view :

balajibandi_1-1676372992634.png

 

What is the command to remove this "inspection engine"?  - the mode you mentioned does not have IPS module like SFR,  are you looking to policy inspect ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
jmaxwellUSAF
VIP
VIP
In response to balaji.bandi

‎02-14-2023 05:50 AM - edited ‎02-14-2023 06:24 AM

The data on this thread is invaluable. Thank you all.

This ASA has a long config. What is the best way to policy inspect?

Also, please see image attached. If the packet is dropped because of IPS module fail, then what command will show that packet was dropped? (#show asp drop , #{other command} ?)

Preview file
134 KB
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jmaxwellUSAF

‎02-14-2023 08:04 AM

Not like re-invent the wheel you can find many documents around for the best practice is based on the organisation's requirement.

https://community.cisco.com/t5/network-security/traffic-inspection-best-practices/td-p/1932294

the best practice is you need to be up to the level of security patches to meet first, so start from ASA 8.3 decade back end of life, so there are lot more security holes in that, before we consider best practice, make sure we are up to date.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
MHM Cisco World
VIP
VIP
In response to jmaxwellUSAF

‎02-14-2023 08:52 AM

show asp drop <<- this good indication 

asa# show service-policy inspect <<protocol inspect>> 

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, 
5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0
        dns-guard, count 0
        protocol-enforcement, drop 0
        nat-rewrite, count 0
Customers Also Viewed These Support Documents