ASA packet tracer

Answered Question
Apr 5th, 2010

Hi,

Can anybody please help me to understand the packet tracer output of the ASA, well explained. Any well-explained link/URL will be very helpful. I want to clearly understand the process happening in each step when a packet travels from one interface to another interface of the ASA.

Also, please tell me the order in which NAT and routing are performed in the case of inside to outside and outside to inside (which one is done first in each case).

Thanks & Regards

Joy

(I will definitely rate helpful posts)

Correct Answer by Jennifer Halim, Mon, 04/05/2010 - 01:34

Take a look at the packet tracer section of this document:

http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807c35e7.shtml

Basically, it goes through the packet lifecycle from when it arrives on the interface all the way until it leaves the interface. If the result shows "ALLOW", it means the packet passes that particular phase, and it will show "DENY" if it fails that particular phase.

NAT order of operation on ASA:

1) NAT exemption (NAT 0 with ACL)

2) Static NAT and PAT

3) Dynamic NAT and PAT

From inside to outside:

- It will check the inside ACL first, and it should match the IP address/subnet before it gets translated.

- It will then check where the destination traffic is going, and translate the packet accordingly as per the translation pair created, i.e. whether it is a "static (inside,outside)" or a "nat (inside) and global (outside)" pair.

From outside to inside:

- It will check the outside ACL first, and it should match the IP address/subnet before it gets translated back. For example: if translation from public to private IP is configured, the ACL should match the public IP address (this is true for ASA version 8.2 and earlier).

- Then, as above, it will untranslate the IP address back from public to private.

There is a complete transformation of NAT and ACL on ASA version 8.3.

Hope the information helps.
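As an added illustration (not part of the original thread and not Cisco code), the Python model below encodes the ordering Jennifer describes for ASA 8.2 and earlier: translation rules are consulted in the order NAT exemption, static, dynamic; the inside ACL is evaluated on the real (untranslated) source before translation; and the outside ACL is evaluated on the public (mapped) destination before the address is untranslated. The addresses, the ACL/rule representation, and the per-phase ALLOW/DENY output are all constructed for the example. The model deliberately leaves out nat-control and inbound matching of existing dynamic PAT xlates, so it only untranslates static and exempt entries.

```python
"""Toy model of the pre-8.3 ASA NAT/ACL order of operations (constructed example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class NatRule:
    kind: str                   # "exempt" (nat 0 access-list), "static", or "dynamic"
    real_net: str               # inside (real) host or subnet
    mapped: str = ""            # mapped host/subnet (static) or global PAT address (dynamic)
    dst_net: str = "0.0.0.0/0"  # exemption ACLs also match on destination


# Order of operation from the answer: exemption first, then static, then dynamic.
NAT_ORDER = {"exempt": 0, "static": 1, "dynamic": 2}


def acl_permits(acl, src, dst):
    """Evaluate (action, src_net, dst_net) entries top-down; implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def select_nat(rules, real_src, dst):
    """First matching rule after sorting by the exempt -> static -> dynamic precedence."""
    s, d = ip_address(real_src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: NAT_ORDER[r.kind]):
        if s in ip_network(rule.real_net) and d in ip_network(rule.dst_net):
            return rule
    return None


def translate(rule, real_src):
    """Outbound: apply the selected rule to the real source address."""
    if rule is None or rule.kind == "exempt":
        return real_src
    if rule.kind == "static":  # one-to-one: keep the host offset inside the mapped block
        real_net, mapped_net = ip_network(rule.real_net), ip_network(rule.mapped)
        offset = int(ip_address(real_src)) - int(real_net.network_address)
        return str(mapped_net.network_address + offset)
    return rule.mapped  # dynamic PAT: hide behind the single global address


def untranslate(rules, src, mapped_dst):
    """Inbound: map a public destination back to its real address (exempt and static only)."""
    s, m = ip_address(src), ip_address(mapped_dst)
    for rule in sorted(rules, key=lambda r: NAT_ORDER[r.kind]):
        if rule.kind == "exempt" and m in ip_network(rule.real_net) and s in ip_network(rule.dst_net):
            return mapped_dst
        if rule.kind == "static" and m in ip_network(rule.mapped):
            mapped_net, real_net = ip_network(rule.mapped), ip_network(rule.real_net)
            return str(real_net.network_address + (int(m) - int(mapped_net.network_address)))
    return None


def trace_inside_to_outside(pkt, inside_acl, nat_rules):
    """Inside ACL on the real source first, then the translation. Returns (phases, mapped_src)."""
    allowed = acl_permits(inside_acl, pkt.src, pkt.dst)
    phases = [("ACCESS-LIST inside (real source)", "ALLOW" if allowed else "DENY", "")]
    if not allowed:
        return phases, None
    rule = select_nat(nat_rules, pkt.src, pkt.dst)
    phases.append(("NAT", "ALLOW", rule.kind if rule else "none"))
    return phases, translate(rule, pkt.src)


def trace_outside_to_inside(pkt, outside_acl, nat_rules):
    """8.2 and earlier: outside ACL on the public destination first, then un-NAT. Returns (phases, real_dst)."""
    allowed = acl_permits(outside_acl, pkt.src, pkt.dst)
    phases = [("ACCESS-LIST outside (public destination)", "ALLOW" if allowed else "DENY", "")]
    if not allowed:
        return phases, None
    real = untranslate(nat_rules, pkt.src, pkt.dst)
    phases.append(("UN-NAT", "ALLOW" if real else "DENY", real or "no translation"))
    return phases, real


# Constructed sample configuration (documentation/test ranges, not a real deployment).
INSIDE_ACL = [("permit", "10.1.1.0/24", "0.0.0.0/0")]
OUTSIDE_ACL = [("permit", "0.0.0.0/0", "203.0.113.10/32")]   # matches the PUBLIC address
NAT_RULES = [                                                  # listed out of order on purpose
    NatRule("dynamic", "10.1.1.0/24", "203.0.113.1"),
    NatRule("static", "10.1.1.10/32", "203.0.113.10/32"),
    NatRule("exempt", "10.1.1.0/24", dst_net="192.168.2.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.10", "192.168.2.5"), Packet("10.1.1.10", "198.51.100.1"), Packet("10.1.1.20", "198.51.100.1")):
        print(pkt, trace_inside_to_outside(pkt, INSIDE_ACL, NAT_RULES))
    for pkt in (Packet("198.51.100.1", "203.0.113.10"), Packet("198.51.100.1", "10.1.1.10")):
        print(pkt, trace_outside_to_inside(pkt, OUTSIDE_ACL, NAT_RULES))
```

The first outbound packet hits the exemption even though a static entry also covers 10.1.1.10, because exemption is consulted first and its destination matches; the second packet, to a destination outside the exempt range, falls through to the static entry. Inbound, the packet addressed to the public 203.0.113.10 passes the outside ACL and is untranslated, while one addressed to the private 10.1.1.10 is denied by the ACL, which is the 8.2-and-earlier behaviour the answer points out.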
