Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1102
Views
0
Helpful
1
Replies

ASA/PIX traffic order

liangoooo
Level 1
Level 1

‎01-01-2010 09:18 AM - edited ‎03-11-2019 09:53 AM

Try to understand ASA/PIX traffic order.

For example, inbound traffic (non management traffic) will go through flow check,  inbound access-list, nat , filter, outbound access-list, etc.

And if it's returned traffic and session is existed, what the firewall will do next?  Simply bypass access-list but still apply NAT?  Anything else the firewall will do?

Please share your thought.  Thanks.

Labels:
0 Helpful
1 Reply 1

vilaxmi
Cisco Employee
Cisco Employee

‎01-01-2010 12:40 PM

For any inbound traffic (all packets) , i.e. from LOWER security-level to HIGHER security-level here is the order of operation on Cisco firewalls :

  1. Access-list check
  2. Any policing/shaping applied for QOS.
  3. NAT
  4. Route table lookup

For any outbound traffic  (all packets)  , i.e. from HIGHER security-level to LOWER  security-level here is the order of operation on Cisco firewalls :

  1. Access-list check
  2. Any policing/shaping applied for QOS
  3. Route table lookup
  4. NAT

Here is  order of preference for NAT :

1.NAT0

2.Policy static NAT

3.Policy NAT

4. Static PAT

5. Static NAT

6.Dynamic NAT

In answer to your 2nd question : what will ASA do if session is already existing , will it bypass ACL check or NAT etc..

We need to remember that Cisco ASA (Adaptive Security Appliance) remembers the state of connection until it is finished by parties involved. Also, a NAT translation built by ASA does not timeout until 3 hours (default xlate timeout timer) for a specific flow. Moreover NAT xlate is built PER FLOW and NOT per packet by firewall. After doing all initial checks once, the session is setup & firewall (being adaptive) will not do any more checks for return traffic, because it remembers the connection.

Here is a useful link for you :-

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Feel free to let me know if you have any more questions.

HTH

Vijaya

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card