cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
452
Views
0
Helpful
3
Replies

Need to know the order in which a packet is analyzed by a PIX\ASA

sr1451556
Level 1
Level 1

For troubleshooting purposes and to answer numerous questions from our clients, need to know the order in which a packet is analyzed by a PIX\ASA.

What are the steps involved when a

packet enters a fw and leaves it.

So I did some research and came up with this sequence. Please suggest

corrections if you see a mistake. It is always good to have this kind

of summary handy.

Summary of Basic PIX\ASA Inspection Sequence and Operations:

The PIX\ASA inspection sequence is performed as follows:

1. As a packet enters an interface, the PIX evaluates the security

level for the source and destination interfaces. A low-to-high is

allowed only if there is an access-list that allows the connection and

a high-to-low is allowed by default unless a specific access-list

denies it. It there are ACL's present, the packet is checked against

these here.

2. Then the packet is checked against the stateful connection table.

If the packet is part of an already established connection, then it is

passed forward in order to be routed out and eventually translated if

specified. If the packet is identified as part of a new session, it

is passed to the ASA that performs the inbound network translation

(destination NAT).

3. ASA performs the inbound network translation (destination NAT) if

applicable.

4. The ASA updates the connections table with the packet's connection

state and the timers are started for that session.

5. The packet is checked against the Inspections database to

determine if the connection requires application-level inspection.

(checks to see if it needs a Fixup)

6. The packet gets routed to the interface designated by the routing

table.

7. At the exit interface, the source translation is performed, if

specified by using global statements and nat groups.

8. The packet is sent to the next hop router in the routing table or

to the final destination if it is present in the local firewall's

subnets.

So does it look good or any comments please?

Jim

3 Replies 3

Anthony Holloway
Cisco Employee
Cisco Employee

How did you come up with this? I have seen an official Cisco doc on this, but ATM I cannot find it again.

Anyone have a link?

I came up with searching for "how a pix works"

I don't have the link at the moment but others have said this looks ok, but just wanted to run it past the experts

One good link is:

http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

jheary
Cisco Employee
Cisco Employee

The answer to your question is included as part of the ASDM gui for PIX and ASA. It is called packet tracer. it can be found under the tools menu, or the access rules area, or by right clicking on any ACE or NAT or policy rule and selecting packet trace. This GUI tool will run you through, in order, every decision, lookup, and result that ASA/PIX will make on a particular flow. Hope this solves your issue.

BTW packet trace is also availabe via CLI but the GUI is so much more fun!

-Jamey

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: