07-24-2009 09:04 AM
I'm trying to find a chart or something that identifies the order of operations the ASA goes through when traffic passes through the appliance. I've found various info already but nothing that explains to me the specific point at which the decision is made to not let traffic pass from a higher-trusted interface to a lower-trusted interface. When does it evaluate access-lists relative to security-levels? When does it make a routing decision relative to security-levels?
Thanks for any info
07-24-2009 04:44 PM
Here's an example:
fwasa01# packet-tracer input outside tcp 5.5.5.5 1024 172.16.64.101 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.64.0 255.255.240.0 inside <<<< routing wants to route the packet from outside to inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <<<<<< outside interface has an inbound ACL which doesn't mention "172.16.64.0" network, so the implicit-deny will drop it
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So to answer your question, when packet flows from low-trust to high-trust it goes like this:
1. route
2. check ACL <<< if no match, drop. ACL is required if going from low-trust to high-trust. If no ACL is configured, and this is inbound session, the packet is dropped. ACL is not required if going from high-trust to low-trust
3a. if nat-control is off (default): try to find a matching nat/static or existing flow (there are a few things here depending on where the session initiated from); if no matching nat config is found, route the packet without nat
3b. if nat-control is on: there must be nat/static or existing flow
There are other components, but those are the important ones.
Regards,
Roman
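As an added example (not code from the original post, and not Cisco tooling): a small Python parser for the packet-tracer output format Roman shows above, so the phase order and the phase that dropped the packet can be pulled out of a trace programmatically instead of read by eye. The trace embedded as SAMPLE is the one from the post, with the interface status lines trimmed; the parser assumes only the Phase/Type/Subtype/Result/Config/Additional Information layout and the trailing bare "Result:" summary shown there (other ASA versions may print additional fields). The names parse_packet_tracer, Trace, Phase and explain are this example's own.

```python
"""Parse Cisco ASA packet-tracer output into its phases and find where the packet
was dropped.  Added example for this thread, not Cisco tooling.  SAMPLE is the
trace from the post above (interface status lines trimmed), used as constructed
test input; the parser assumes only the block layout shown in that trace."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
fwasa01# packet-tracer input outside tcp 5.5.5.5 1024 172.16.64.101 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.64.0 255.255.240.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    summary: Dict[str, str]  # trailing "Result:" block: interfaces, Action, Drop-reason

    def first_drop(self) -> Optional[Phase]:
        """The phase that stopped the packet, or None if every phase returned ALLOW."""
        return next((p for p in self.phases if p.result == "DROP"), None)


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None  # "config" or "info" while inside a phase
    in_summary = False
    for line in filter(None, map(str.strip, text.splitlines())):  # skip blank lines
        if m := re.match(r"^Phase:\s*(\d+)$", line):
            current = Phase(int(m.group(1)))
            phases.append(current)
            section, in_summary = None, False
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Result" and not value:  # a bare "Result:" opens the summary block
            current, section, in_summary = None, None, True
            continue
        if current is None:  # echoed command line, or a summary "key: value" pair
            if in_summary and sep:
                summary[key] = value
            continue
        if key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
            section = None
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary)


def explain(trace: Trace) -> str:
    """Where the packet stopped: phase number and type, matched rule, drop reason."""
    drop = trace.first_drop()
    if drop is None:
        return "allowed through all %d phases" % len(trace.phases)
    return "dropped in phase %d %s (%s; %s)" % (drop.number, drop.type,
        " ".join(drop.config) or "no rule shown", trace.summary.get("Drop-reason", "?"))
```

On the trace above, explain(parse_packet_tracer(SAMPLE)) reports the drop in phase 3 ACCESS-LIST under the implicit rule. Comparing the phase types of a few traces also makes the ordering point visible: ROUTE-LOOKUP appears before ACCESS-LIST, which is why a DROP in the access-list phase already knows the egress interface (output-interface in the summary).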
07-24-2009 11:08 AM
Did you try using the CLI command "packet-tracer input ...." to simulate a packet travelling through the ASA? It will show you exactly what happens. Sorry if you knew about it already!
Regards,
Roman
07-24-2009 04:36 PM
No, I was not aware of that command. Thank you!
Do you know at which phase is the decision to not let traffic pass from low-trust to high-trust interface?
07-26-2009 04:38 AM
Thanks Roman.
This answers my question perfectly.