ASA Software Order of Operations

Answered Question
Jul 24th, 2009

I'm trying to find a chart or something that identifies the order of operations the ASA goes through when traffic passes through the appliance. I've found various info already but nothing that explains to me the specific point at which the decision is made to not let traffic pass from a higher-trusted interface to a lower-trusted interface. When does it evaluate access-lists relative to security-levels? When does it make a routing decision relative to security-levels?

Thanks for any info

Correct Answer by Roman Rodichev about 7 years 4 months ago

Here's an example:

fwasa01# packet-tracer input outside tcp 5.5.5.5 1024 172.16.64.101 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.64.0 255.255.240.0 inside <<<< routing wants to route the packet from outside to inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <<<<<< outside interface has an inbound ACL which doesn't mention "172.16.64.0" network, so the implicit-deny will drop it
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So to answer your question, when a packet flows from low-trust to high-trust it goes like this:

1. route

2. check ACL <<< if no match, drop. ACL is required if going from low-trust to high-trust. If no ACL is configured, and this is an inbound session, the packet is dropped. ACL is not required if going from high-trust to low-trust

3a. if nat-control is off (default): try to find a matching nat/static or existing flow (there are a few things here depending on where the session initiated from); if no nat config is found, route the packet without nat

3b. if nat-control is on: there must be a nat/static or existing flow

There are other components, but those are the important ones.

Regards,

Roman

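To make the three-step order of operations in the accepted answer concrete, here is a small Python model of the pipeline (FLOW-LOOKUP, ROUTE-LOOKUP, ACCESS-LIST, NAT) run against the same outside-to-inside SSH packet that Roman's packet-tracer output shows. This is an added illustration written for this page, not Cisco code and not Roman's; the interface names, security levels, the dmz network 203.0.113.0/24, the ACL entry on "outside" and the NAT rule are all constructed, and the ACL/security-level logic is a deliberate simplification (no same-security-traffic command, no object groups, no twice NAT) of how an ASA behaves.

```python
"""Toy model of the ASA order of operations: flow -> route -> ACL -> NAT.
Added example for this thread, not Cisco's implementation. Topology and
rules below are constructed except the 172.16.64.0/20 inside route and the
5.5.5.5 -> 172.16.64.101:22 packet, which come from the packet-tracer output."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int
    # None: no inbound ACL applied, so security levels decide.
    # A list: an inbound ACL of (action, src_net, dst_net, dport|None) entries
    # that, like a real ASA ACL, ends in an implicit deny.
    acl_in: Optional[List[Tuple[str, str, str, Optional[int]]]] = None


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Phase:
    type: str
    result: str
    info: str


class AsaModel:
    def __init__(self, interfaces, routes, nat_rules, nat_control=False):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = [(ip_network(n), ifc) for n, ifc in routes]
        self.nat_rules = [ip_network(n) for n in nat_rules]  # networks with a nat/static
        self.nat_control = nat_control
        self.flows = set()  # established 5-tuples; these skip ACL and NAT checks

    def route_lookup(self, dst):
        """Longest-prefix match; returns (network, egress interface) or None."""
        dst, best = ip_address(dst), None
        for net, ifc in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best

    def acl_check(self, pkt, in_if, out_if):
        if in_if.acl_in is None:
            # No ACL on the ingress interface: the security levels decide.
            if in_if.security_level > out_if.security_level:
                return "ALLOW", "no ACL; higher to lower security level permitted by default"
            return "DROP", "no ACL; lower/equal to higher security level denied by default"
        for action, src_net, dst_net, dport in in_if.acl_in:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and (dport is None or dport == pkt.dport)):
                return action.upper(), f"matched {action} {src_net} -> {dst_net}"
        return "DROP", "Implicit Rule"  # end of a configured ACL

    def trace(self, pkt) -> List[Phase]:
        phases = []
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:
            return [Phase("FLOW-LOOKUP", "ALLOW", "Found matching flow")]
        phases.append(Phase("FLOW-LOOKUP", "ALLOW", "Found no matching flow, creating a new flow"))
        route = self.route_lookup(pkt.dst)
        if route is None:
            phases.append(Phase("ROUTE-LOOKUP", "DROP", "no route to destination"))
            return phases
        net, out_name = route
        phases.append(Phase("ROUTE-LOOKUP", "ALLOW", f"in {net} {out_name}"))
        result, info = self.acl_check(pkt, self.interfaces[pkt.in_iface], self.interfaces[out_name])
        phases.append(Phase("ACCESS-LIST", result, info))
        if result == "DROP":
            return phases  # this is the phase where low-to-high traffic dies
        has_nat = any(ip_address(pkt.src) in n for n in self.nat_rules)
        if self.nat_control and not has_nat:
            phases.append(Phase("NAT", "DROP", "nat-control on and no nat/static matches"))
            return phases
        phases.append(Phase("NAT", "ALLOW", "translated" if has_nat else "routed without nat"))
        self.flows.add(key)
        return phases


def verdict(model, pkt):
    """(action, phase that decided it), mirroring packet-tracer's final Result."""
    last = model.trace(pkt)[-1]
    return ("allow" if last.result == "ALLOW" else "drop", last.type)


def build_example(nat_control=False):
    # Constructed topology: the outside ACL only permits HTTPS to the dmz, so
    # it never mentions 172.16.64.0/20, exactly the situation in the thread.
    return AsaModel(
        interfaces=[Interface("outside", 0, acl_in=[("permit", "0.0.0.0/0", "203.0.113.0/24", 443)]),
                    Interface("dmz", 50), Interface("inside", 100)],
        routes=[("0.0.0.0/0", "outside"), ("203.0.113.0/24", "dmz"), ("172.16.64.0/20", "inside")],
        nat_rules=["172.16.64.0/20"], nat_control=nat_control)


if __name__ == "__main__":
    asa = build_example()
    for i, ph in enumerate(asa.trace(Packet("outside", "tcp", "5.5.5.5", 1024, "172.16.64.101", 22)), 1):
        print(f"Phase: {i}\nType: {ph.type}\nResult: {ph.result}\nAdditional Information: {ph.info}\n")
```

Running the script reproduces the shape of the thread's trace: the route lookup succeeds and picks "inside", then the ACCESS-LIST phase drops the packet on the implicit rule. Swapping the packet for one from "inside" to "outside" shows the other half of Roman's point, since with no ACL on "inside" the higher-to-lower direction passes the ACL phase and goes on to NAT.
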
Roman Rodichev Fri, 07/24/2009 - 11:08

Did you try using the CLI command "packet-tracer input ..." to simulate a packet travelling through the ASA? It will show you exactly what happens. Sorry if you knew about it already!

Regards,

Roman

mikedeyoung Fri, 07/24/2009 - 16:36

No, I was not aware of that command, thank you!

Do you know at which phase is the decision to not let traffic pass from low-trust to high-trust interface?
