Order of operations

m.surtees
Level 1

Can anyone point to a list of traffic flow order or order of operations doco for the ASA 7.2.x?

I only seem to be able to find one that relates to IOS CBAC.

I'm trying to answer a client's question (reference needed): Will Inbound encrypted communications be unencrypted and inspected before entering the internal network?

Having the rest of the flow would be useful for reference.

Many thanks,

Mike

4 Replies

mdombek_biz
Level 1

I know I've seen the OoP of the ASA some days ago.

Please have a look at Joe Harris' 6200networks.com post about OoP:

http://6200networks.com/2008/09/05/asa-order-of-operation/

Cheers, Michael

Thanks, Michael,

That will prove very useful for the document. I tried a packet trace to answer my question before I originally posted, but I don't have a lab device, so I could not easily get a flow that included all crypto, NAT, ACLs, and so on, on the prod device.

Thanks again

Mike

p.s. I'll come back to rate you

Jon Marshall
Hall of Fame

Mike

In addition to the link posted in the other thread -

"Will Inbound encrypted communications be unencrypted and inspected before entering the internal network?"

It depends on the setting of the "sysopt connection permit-vpn" command. If it is enabled, then after the traffic is unencrypted it bypasses the interface ACLs. If it is disabled, then the unencrypted traffic is checked against the interface ACL. See this link for full details -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

Jon
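To turn Jon's answer into a repeatable check, here is an added Python audit (not from the thread or from Cisco) that reads the text of `show run sysopt` and `show run access-group` and reports, per interface, whether decrypted VPN traffic will bypass the inbound ACL. The sample outputs are constructed for the example, and the exact `sysopt` lines shown are an assumption about what the command prints.

```python
import re

# Constructed sample output, not captured from a real device: what
# "show run sysopt" lists with the default setting (permit-vpn enabled).
SYSOPT_DEFAULT = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
"""

# Same device after "no sysopt connection permit-vpn" has been entered.
SYSOPT_HARDENED = SYSOPT_DEFAULT.replace(
    "sysopt connection permit-vpn", "no sysopt connection permit-vpn")

# Constructed "show run access-group" output for the same firewall.
ACCESS_GROUPS = """\
access-group outside_in in interface outside
access-group inside_in in interface inside
"""


def vpn_bypasses_acl(sysopt_output: str) -> bool:
    """True when decrypted VPN traffic skips the interface ACLs.

    Per Jon's answer: with "sysopt connection permit-vpn" enabled the
    decrypted traffic bypasses the interface ACLs; with the "no" form it
    is checked against them like any other traffic.
    """
    for line in sysopt_output.splitlines():
        if line.strip() == "sysopt connection permit-vpn":
            return True
        if line.strip() == "no sysopt connection permit-vpn":
            return False
    # Mike notes the command is on by default, so treat "absent" as enabled.
    return True


def inbound_acls(access_group_output: str) -> dict:
    """Map interface name -> ACL applied inbound, from "show run access-group"."""
    pat = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
    result = {}
    for line in access_group_output.splitlines():
        m = pat.match(line.strip())
        if m:
            result[m.group(2)] = m.group(1)
    return result


def audit(sysopt_output: str, access_group_output: str) -> list:
    """One finding per interface: what governs decrypted VPN traffic there."""
    bypass = vpn_bypasses_acl(sysopt_output)
    verb = "bypasses" if bypass else "is checked by"
    return [f"{iface}: decrypted VPN traffic {verb} ACL {acl}"
            for iface, acl in inbound_acls(access_group_output).items()]
```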

Thanks, Jon,

It's on my FW as it's the default. Good reminder though, as I'd forgotten about that cmd. It's one of those that's not in the running-config and needs a show run sysopt - but you knew that or you wouldn't have been able to help me.

Although my client's question could be ambiguous, I'm going to take him literally: does it inspect, as in application inspection, after decrypt?

Unfortunately even the other post from Michael doesn't spell this out, not to me anyway.

Thanks again

Mike
