ASA Software Order of Operations

mikedeyoung
Level 1

I'm trying to find a chart or something that identifies the order of operations the ASA goes through when traffic passes through the appliance. I've found various info already, but nothing that explains to me the specific point at which the decision is made not to let traffic pass from a higher-trusted interface to a lower-trusted interface. When does it evaluate access-lists relative to security levels? When does it make a routing decision relative to security levels?

Thanks for any info

Accepted Solution

Here's an example:

fwasa01# packet-tracer input outside tcp 5.5.5.5 1024 172.16.64.101 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.64.0 255.255.240.0 inside <<<< routing wants to route the packet from outside to inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule <<<<<< the outside interface has an inbound ACL which doesn't mention the "172.16.64.0" network, so the implicit deny will drop it
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So to answer your question, when a packet flows from low-trust to high-trust it goes like this:

1. route

2. check ACL <<< if no match, drop. An ACL is required if going from low-trust to high-trust. If no ACL is configured and this is an inbound session, the packet is dropped. An ACL is not required if going from high-trust to low-trust.

3a. if nat-control is off (default): try to find a matching nat/static or existing flow (there are a few things here depending on where the session initiated from); if no NAT config is found, route the packet without NAT

3b. if nat-control is on: there must be a nat/static or existing flow

There are other components, but those are the important ones.

Regards,

Roman

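The phase order Roman describes (flow lookup, route lookup, ACL with the security-level check, then NAT) can be modelled in a few dozen lines so you can test it offline against cases packet-tracer would need a real box for. The following is an added example written for this page; it is not Cisco code and not part of the original post. The interface names, security levels, routes, ACL entries and addresses are constructed. One assumption worth stating: the model treats a bound inbound ACL as replacing the security-level implicit permit entirely, so a high-trust interface with an ACL applied is governed by that ACL's implicit deny and not by its security level.

```python
"""Toy model of the ASA new-connection decision order from the thread:
FLOW-LOOKUP -> ROUTE-LOOKUP -> ACCESS-LIST (where security levels matter) -> NAT.
Added example, not Cisco code. All interfaces, routes, ACLs and hosts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int             # 0..100, higher means more trusted
    in_acl: Optional[list] = None   # rules applied inbound; None means no ACL bound


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ToyAsa:
    """Models only the phases named in the accepted answer."""

    def __init__(self, interfaces, routes, nat_control=False):
        self.ifaces = {i.name: i for i in interfaces}
        # routes: (prefix, egress interface); longest prefix wins, like the RIB
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.nat_control = nat_control
        self.conns = set()      # established flows, stored as 5-tuples
        self.nat_nets = []      # prefixes for which a nat/static entry exists (constructed)

    def route_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return net, iface
        return None, None

    def acl_phase(self, pkt, out_iface):
        """ACCESS-LIST phase. The security-level comparison is only consulted
        when no ACL is bound inbound on the ingress interface (assumption, see lead-in)."""
        ingress, egress = self.ifaces[pkt.in_iface], self.ifaces[out_iface]
        dst = ipaddress.ip_address(pkt.dst)
        if ingress.in_acl is not None:
            for action, proto, net, port in ingress.in_acl:
                if proto in ("ip", pkt.proto) and dst in ipaddress.ip_network(net) \
                        and port in (None, pkt.dport):
                    return action == "permit", "configured rule"
            return False, "Implicit Rule"          # implicit deny ends every bound ACL
        if ingress.security_level > egress.security_level:
            return True, "implicit permit, high-trust to low-trust, no ACL bound"
        return False, "implicit deny, low-trust to high-trust, no ACL bound"

    def packet_tracer(self, pkt) -> Tuple[List[tuple], str]:
        phases = []
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:                      # Phase 1: existing flow short-circuits
            phases.append(("FLOW-LOOKUP", "ALLOW", "Found existing flow"))
            return phases, "allow"
        phases.append(("FLOW-LOOKUP", "ALLOW", "Found no matching flow, creating a new flow"))
        net, out_iface = self.route_lookup(pkt.dst)   # Phase 2: routing picks the egress
        if out_iface is None:
            phases.append(("ROUTE-LOOKUP", "DROP", "no route to destination"))
            return phases, "drop"
        phases.append(("ROUTE-LOOKUP", "ALLOW", f"in {net} {out_iface}"))
        ok, why = self.acl_phase(pkt, out_iface)      # Phase 3: ACL / security levels
        phases.append(("ACCESS-LIST", "ALLOW" if ok else "DROP", why))
        if not ok:
            return phases, "drop"
        has_nat = any(ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(n)
                      for n in self.nat_nets)         # Phase 4: NAT, per nat-control
        if has_nat:
            phases.append(("NAT", "ALLOW", "matching nat/static found"))
        elif self.nat_control:
            phases.append(("NAT", "DROP", "nat-control on and no nat/static matches"))
            return phases, "drop"
        else:
            phases.append(("NAT", "ALLOW", "no nat config found, routing packet untranslated"))
        self.conns.add(key)
        return phases, "allow"


def build_lab(nat_control=False) -> ToyAsa:
    """Constructed three-interface lab: outside has an ACL that only permits one server,
    inside has no ACL, dmz has an ACL bound with no entries at all."""
    return ToyAsa(
        [Interface("outside", 0, [("permit", "tcp", "172.16.64.50/32", 443)]),
         Interface("inside", 100),
         Interface("dmz", 50, [])],
        [("172.16.64.0/20", "inside"), ("10.10.10.0/24", "dmz"), ("0.0.0.0/0", "outside")],
        nat_control=nat_control)


if __name__ == "__main__":
    asa = build_lab()
    for phase in asa.packet_tracer(Packet("outside", "tcp", "5.5.5.5", 1024, "172.16.64.101", 22))[0]:
        print(phase)
```

Running the module reproduces the thread's case: the SSH packet from 5.5.5.5 is routed to inside in phase 2 and only then dropped by the outside ACL's implicit deny in phase 3. Try the dmz case too: it sits above outside in security level, but because an ACL is bound to it, the packet is dropped by that ACL rather than permitted by the level comparison.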

4 Replies

Roman Rodichev
Level 7

Did you try using the CLI command "packet-tracer input ..." to simulate a packet travelling through the ASA? It will show you exactly what happens. Sorry if you knew about it already!

Regards,

Roman

No, I was not aware of that command. Thank you!

Do you know at which phase the decision is made not to let traffic pass from a low-trust to a high-trust interface?


Thanks Roman.

This answers my question perfectly.
