Can anybody please help me to understand the packet tracer output of ASA, well explained? Any well explained link/URL will be very helpful. I want to clearly understand the process happening in each step when a packet travels from one interface to another interface of the ASA.
Also please tell me the order of NAT and Route performed in the case of inside to outside and outside to inside (which one is done first in each case).
Thanks & Regards
(I will definitely rate helpful posts)
Take a look at the packet tracer section of this document:
Basically, it goes through the packet lifecycle from when it arrives on the interface all the way before it left the interface. If the result shows "ALLOW", it means it passes through that particular phase, and it will show "DENY" if it fails on that particular phase.
NAT order of operation on ASA:
1) NAT exemption (NAT 0 with ACL)
2) Static NAT and PAT
3) Dynamic NAT and PAT
From inside to outside:
- It will check the inside ACL first, and it should match the IP address/subnet before it gets translated.
- It will then check where the destination traffic is, and translate the packet accordingly as per the translation pair created, i.e. whether it is "static (inside,outside)" or the "nat (inside) and global (outside)" pair.
From outside to inside:
- It will check the outside ACL first, and it should match the IP address/subnet before it gets translated back. For example: if translation from public to private IP is configured, the ACL should match the public IP address (this is true for ASA version 8.2 and earlier).
- Then as above, it will untranslate the ip address back from public to private.
There is a complete transformation of NAT and ACL on ASA version 8.3.
Hope the information helps.
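As an added example (not part of the thread above, and not Cisco's code), here is a small Python parser for the per-phase layout of `packet-tracer` output that the answer describes: it splits the trace into phases, reads each phase's Type/Subtype/Result, and reports the first phase that did not ALLOW together with the final Action and Drop-reason. The trace below is constructed and abbreviated (real output carries more phases and longer Config sections); it assumes the usual `Phase: N` / `Result: ALLOW|DROP` line layout.

```python
# Constructed, abbreviated packet-tracer output (not taken from the thread).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
input-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Return (phases, summary): one dict per 'Phase:' block, plus the trailing summary."""
    phases, summary, cur = [], {}, None
    for line in trace.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if not sep:
            continue                       # config/route detail lines carry no "key:"
        if key == "Phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif key == "Result" and not val:
            cur = None                     # bare "Result:" opens the final summary
        elif cur is not None:
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val     # other keys (Config, Additional Information) skipped
        else:
            summary[key] = val             # input-interface, Action, Drop-reason, ...
    return phases, summary

def first_drop(phases):
    """The first phase whose result is not ALLOW (where the packet was dropped), or None."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)
```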