CCIE or Null!

My journey to CCIE!

Packet flow through a Cisco ASA.


As I was reading my Cisco Firewalls book I found this picture (very early on, too) showing how a Cisco ASA handles traffic passing through the device and the logic behind it. It's a chart worth paying attention to, in my opinion. Let's be practical here: you are not going to run off and debug ip packet for every ASA issue you run into, but knowing and understanding the flow chart below will surely give you an edge when troubleshooting ASA connectivity issues.

At first glance this might look slightly intimidating, but in the end it is nothing more than a flow chart. As you follow it, many of the actions will seem like common sense:

  • If the ASA does not have a route to the destination the traffic gets dropped. (Of course)
  • If the traffic is denied by an ACL it gets dropped. (As we would expect)
  • If an Inspect rule is configured to drop the traffic, it gets dropped. (Once again, as we would expect)

What I think makes this flow chart most valuable is that it shows the order in which these rules are applied. Looking at the flow chart, we see the following order:

  1. ACLs will be checked first.
  2. NAT rules will be checked second.
  3. Inspect policies will be applied next.
  4. After all that, the packet enters the IPS-AIM Module for inspection, and then it leaves through the egress interface.
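The order above decides which address an interface ACL has to reference. The following is an added example, not taken from the book or from any ASA: a small Python model that walks one inbound packet through ACL, NAT and inspection in the order listed, and optionally with NAT ahead of the ACL, the 8.3+ behaviour raised in the comments below. All addresses, ACL entries and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not from the post or a real device).
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}   # mapped address -> real address
ACL_MAPPED = [("203.0.113.10/32", 443)]       # entry written against the mapped address
ACL_REAL = [("10.1.1.10/32", 443)]            # entry written against the real address

def acl_permits(acl, dst, dport):
    """Permit list with an implicit deny when nothing matches."""
    return any(ip_address(dst) in ip_network(net) and dport == port
               for net, port in acl)

def inspect_ok(payload, blocked=(b"BAD-SIGNATURE",)):
    """Toy inspection stage: fail if a blocked byte string is in the payload."""
    return not any(sig in payload for sig in blocked)

def trace(dst, dport, payload, acl, nat_before_acl=False):
    """Return (verdict, stages) for one inbound packet.

    nat_before_acl=False follows the order listed in the post (ACL, NAT, inspect).
    nat_before_acl=True models 8.3 and later, where the ACL sees the real address.
    """
    real = STATIC_NAT.get(dst, dst)
    stages = []
    if nat_before_acl:
        stages.append(("NAT", f"{dst} -> {real}"))
    seen_by_acl = real if nat_before_acl else dst
    if not acl_permits(acl, seen_by_acl, dport):
        stages.append(("ACL", f"deny {seen_by_acl}:{dport}"))
        return "drop:ACL", stages
    stages.append(("ACL", f"permit {seen_by_acl}:{dport}"))
    if not nat_before_acl:
        stages.append(("NAT", f"{dst} -> {real}"))
    if not inspect_ok(payload):
        stages.append(("INSPECT", "drop"))
        return "drop:INSPECT", stages
    stages.append(("INSPECT", "pass"))
    return f"forward:{real}", stages

if __name__ == "__main__":
    for acl_name, acl in (("ACL_MAPPED", ACL_MAPPED), ("ACL_REAL", ACL_REAL)):
        for newer in (False, True):
            verdict, _ = trace("203.0.113.10", 443, b"GET /", acl, newer)
            print(acl_name, "nat_before_acl =", newer, "->", verdict)
```

The same ACL entry permits the packet under one ordering and hits the implicit deny under the other, which is why ACLs written against mapped addresses need reviewing when a configuration moves to 8.3 or later.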

Written by Stephen J. Occhiogrosso

November 15, 2011 at 7:25 AM

16 Responses


  1. hi
    What does “L2 address resolvable” mean? And does it also mean that even if there is an existing connection the packet would be inspected?


    December 5, 2011 at 3:53 AM

  2. L2 Resolvable address, would be referring the IP Address to a legitimate MAC address. Basically verifying 2 connectivity. (Think arp/mac table)

    An existing connection will be referring to an established TCP connection. Since the connection is already established we know the following: 1. Routing is there 2. The traffic is allowed 3. an existing NAT translation is in the table.

    The traffic will still be inspected because the payload is always changing (let’s think HTTP in this case) when users browse a web page the packet data/payload will contain the contents of the webpage, for proper security each packet should be inspected for something malicious. So it only makes sense the packet is only inspected.

    Hope this clears everything up.


    December 5, 2011 at 11:04 PM

  3. Hi,

    The flow of traffic in this diagram, is it based on a high to low or low to high security network? And also, what ASA ver is this diagram based on?

    The reason for this is process 4 (NAT rules)

    The example below is from a low to a high security network
    In ASA ver 8.2 and higher you now use the “Real” address of the server in the ACL and not the NAT address as in previous versions. This means then that the NAT rule must be processed before the ACL.

    The example below is from a high to a low security network
    If the traffic was from a high to low security zone this diagram makes sense, as the ACL will be needed to allow the traffic inbound into the ingress interface and then be NATed from the “Real” address to the NAT address.



    September 27, 2012 at 8:52 AM

    • After reviewing the Cisco Firewalls book again, the configurations were based on 8.2, not the newer 8.3+ NAT configuration. From a lower security level to a higher security level.

      Also you are correct about how 8.3 and newer process NAT and ACLs!

      Stephen J. Occhiogrosso

      September 27, 2012 at 6:22 PM

  4. Hi. What does “Address translation rule exists” mean?
    Thanks in advance.


    October 21, 2012 at 12:53 PM

  5. Thank you Willie. I read a little about nat control yesterday and I understood it)) Thank you for the links about nat, I will read them. Is this scheme for ASA 8.2 and earlier versions? In my GNS’s ASA 8.0 nat control is disabled by default)))


    October 22, 2012 at 3:53 PM

  6. […] before encryption, after encryption, or is encrypted traffic bypassed? I did a post about the packet flow through a Cisco ASA some time ago and it did mention the IPS is involved after NATs, application inspection, and even […]

  7. Hi Folks,
    Can anybody clarify the traffic coming from outside to inside? And also please tell me the NAT priority: which NAT will take high priority [ex. Static, Dynamic, Nat0 etc.]?

    Maheswaran Rajendiran

    April 1, 2013 at 10:32 AM

  8. I don’t think this flow will work in case of destination NAT….


    April 11, 2013 at 2:22 AM

  9. Where is the Source Route (PBR) check?


    November 22, 2013 at 1:02 AM

  10. […] is only slightly different from how the existing IPS Module inspects traffic from ASA. In regards to the flow […]

  11. Is it possible for anyone to share the packet flow of version 8.3 & above? I tried to find it in many places but had no success.

    Sanjay Chaudhary

    August 18, 2017 at 1:00 AM
