Packet flow through a Cisco ASA.
As I was reading my Cisco Firewalls book I found this picture (very early on, too) showing how a Cisco ASA handles traffic passing through the device and the logic behind it. It's a chart worth paying attention to in my opinion. We are going to be practical here: you are not going to run off and `debug ip packet` for every ASA issue you run into, but knowing and understanding the flow chart below will surely give you an edge when troubleshooting ASA connectivity issues.
Looking at this at first glance might be slightly intimidating, but in the end this is nothing more than a flow chart. As you follow it, many of the actions will seem like common sense:
- If the ASA does not have a route to the destination the traffic gets dropped. (Of course)
- If the traffic is denied by an ACL it gets dropped. (As we would expect)
- If an inspect rule is configured to drop the traffic, it gets dropped. (Once again, as we would expect)
What I think makes this flow chart most valuable is that you see the order in which these rules are applied. Reading the flow chart, we see the following order:
- ACLs are checked first.
- NAT rules are checked second.
- Inspect policies are applied next.
- Then, after all that, the packet enters the IPS-AIM module for inspection, after which it leaves through the egress interface.
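To make the ordering concrete, here is an added toy model of that check order (route, ACL, NAT, inspect, IPS module, egress), with the existing-connection shortcut that comes up in the comments. This is example code written for this post, not Cisco code; the addresses, route table, ACL and NAT entries are all constructed.

```python
# Toy model of the ASA packet-flow order described in the post (constructed, not Cisco code).
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Asa:
    routes: dict                 # destination IP -> egress interface (toy exact-match table)
    arp: set                     # IPs that are L2 resolvable (have an ARP/MAC entry)
    acl: list                    # (src, dst, dport, "permit"|"deny"); first match wins
    nat: dict                    # real destination -> translated destination
    inspect_drop: tuple = ()     # payload substrings an inspect policy drops
    conns: dict = field(default_factory=dict)   # (src, dst, dport) -> egress interface

    def process(self, pkt):
        """Return (verdict, trace); verdict is 'forward:<iface>' or 'drop:<stage>'."""
        trace = []
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.conns:
            trace.append("existing-connection")     # route, ACL and NAT already validated
            iface = self.conns[key]
        else:
            trace.append("new-connection")
            if pkt.dst not in self.routes or pkt.dst not in self.arp:
                return "drop:no-route", trace        # no route, or next hop not L2 resolvable
            iface = self.routes[pkt.dst]
            trace.append("route-ok")
            action = next((a for s, d, p, a in self.acl
                           if s in (pkt.src, "any") and d in (pkt.dst, "any")
                           and p in (pkt.dport, 0)), "deny")   # implicit deny at the end
            if action == "deny":
                return "drop:acl", trace
            trace.append("acl-permit")
            if pkt.dst in self.nat:
                pkt.dst = self.nat[pkt.dst]          # translation is applied after the ACL
                trace.append("nat-translated")
            self.conns[key] = iface
        # Inspection runs on every packet, established flow or not: the payload differs each time
        if any(bad in pkt.payload for bad in self.inspect_drop):
            return "drop:inspect", trace
        trace.append("inspect-ok")
        trace.append("ips-module")                   # IPS-AIM sees the packet last, before egress
        return f"forward:{iface}", trace
```

Run `process` twice for the same 5-tuple to see the second packet skip the route/ACL/NAT stages while still being inspected.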
hi
What does "L2 address resolvable" mean? And also, does it mean that even if there is an existing connection the packet would be inspected?
Ramanathan
December 5, 2011 at 3:53 AM
"L2 resolvable address" would be referring to resolving the IP address to a legitimate MAC address, basically verifying Layer 2 connectivity (think ARP/MAC table).
An existing connection will be referring to an established TCP connection. Since the connection is already established we know the following: 1. routing is there, 2. the traffic is allowed, 3. an existing NAT translation is in the table.
The traffic will still be inspected because the payload is always changing (let's think HTTP in this case). When users browse a web page, the packet data/payload will contain the contents of the web page; for proper security each packet should be inspected for something malicious. So it only makes sense that the packet is inspected.
Hope this clears everything up.
steveocch
December 5, 2011 at 11:04 PM
Hi,
The flow of traffic in this diagram, is it based on high to low or low to high security network, and also what ASA version is this diagram based on?
The reason for this is process 4 (NAT rules).
The example below is from a low to a high security network:
In ASA version 8.2 and higher you now use the "Real" address of the server in the ACL and not the NAT address as in previous versions. This means then that the NAT rule must be processed before the ACL.
The example below is from a high to a low security network:
If the traffic was from a high to low security zone this diagram makes sense, as the ACL will be needed to allow the traffic inbound into the ingress interface and then be NATed from the "Real" address to the NAT address.
Thanks
Willie
September 27, 2012 at 8:52 AM
After reviewing the Cisco Firewalls book again, the configurations were based on 8.2, not the newer 8.3+ NAT configuration. From a lower security level to a higher security level.
Also you are correct about how 8.3 and newer process NAT and ACLs!
Stephen J. Occhiogrosso
September 27, 2012 at 6:22 PM
Hi. What does "Address translation rule exists" mean?
Thanks in advance.
Peter
October 21, 2012 at 12:53 PM
Must it be translated? Why? There are cases when an address doesn't need any translation. Why must the packet be dropped?
PS: I’m sorry for my English.
Peter
October 21, 2012 at 11:52 PM
Hi Peter,
There is not just one answer to your question. The best will be to understand NAT for version 7.2 and version 8.3 and up. There are differences between the two.
Also read up on the function "NAT control". This is a legacy function but has a big impact on your NAT settings.
Below is the link for NAT ver 7.2
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1065218
Below is the link for NAT ver 8.3 and up
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html
hope this helps
Willie
October 22, 2012 at 3:12 AM
Willie, thank you. Is this scheme for ASA 8.2 and earlier, isn't it? Please, can you give me the scheme for NAT 8.3 and later? I haven't found it on the Internet.
Thanks in advance.
Peter
October 23, 2012 at 12:55 AM
Thank you Willie. I read a little about NAT control yesterday and I understood it)) Thank you for the links about NAT, I will read them. Is this scheme for ASA 8.2 and earlier versions? In my GNS's ASA 8.0 NAT control is disabled by default)))
Peter
October 22, 2012 at 3:53 PM
[…] before encryption, after encryption, or is encrypted traffic bypassed? I did a post about the packet flow through a Cisco ASA some time ago and it did mention the IPS is involved after NATs, application inspection, and even […]
When does the Cisco ASA IPS module inspect traffic? « CCIE or Null!
December 28, 2012 at 12:35 PM
Hi Folks,
Can anybody clarify the traffic coming from outside to inside? And also please tell me the NAT priority: which NAT will take higher priority [e.g. static, dynamic, NAT 0, etc.]?
Maheswaran Rajendiran
April 1, 2013 at 10:32 AM
I don't think this flow will work in case of destination NAT....
Rohit
April 11, 2013 at 2:22 AM
where is the Source Route (PBR) check?
VinU
November 22, 2013 at 1:02 AM
PBR was introduced later in v9.x I believe this packet flow diagram refers to the older 8.2 packet flow model.
Stephen J. Occhiogrosso
November 22, 2013 at 7:44 AM
[…] is only slightly different from how the existing IPS Module inspects traffic from ASA. In regards to the flow […]
Packet Flow with FirePower. | CCIE or Null!
December 10, 2014 at 9:01 AM
Is it possible for anyone to share the packet flow of version 8.3 & above? Tried to find out in many places but no success.
Sanjay Chaudhary
August 18, 2017 at 1:00 AM