4026 Views, 0 Helpful, 3 Replies

ASA packet tracer

Jithesh K Joy
Level 1

Hi,

   Can anybody please help me to understand the packet tracer output of the ASA, well explained? Any well explained link/URL will be very helpful. I want to clearly understand the process happening in each step when a packet travels from one interface to another interface of the ASA.

Also please tell me the order of NAT and Route performed in the case of inside to outside and outside to inside (which one is done first in each case).

Thanks & Regards

Joy

(I will definitely rate helpful posts)

1 Accepted Solution

Jennifer Halim
Cisco Employee

Take a look at the packet tracer section of this document:

http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807c35e7.shtml

Basically, it goes through the packet lifecycle from when it arrives on the interface all the way until it leaves the interface. If the result shows "ALLOW", it means it passed that particular phase, and it will show "DENY" if it fails that particular phase.

NAT order of operation on ASA:

1) NAT exemption (NAT 0 with ACL)

2) Static NAT and PAT

3) Dynamic NAT and PAT

From inside to outside:

- It will check the inside ACL first, and it should match the IP address/subnet before it is translated.

- It will then check where the destination traffic is going, and translate the packet accordingly as per the translation pair created, i.e. whether it is "static (inside,outside)" or a "nat (inside)" and "global (outside)" pair.

From outside to inside:

- It will check the outside ACL first, and it should match the IP address/subnet before it is translated back. For example, if translation from public to private IP is configured, the ACL should match the public IP address (this is true for ASA version 8.2 and earlier).

- Then, as above, it will untranslate the IP address back from public to private.

There is a complete transformation of NAT and ACL on ASA version 8.3.

Hope the information helps.
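To make the phase-by-phase reading of packet-tracer output concrete, here is a small parser added as an example (it is not part of the original post or of the linked Cisco document). The trace it parses is a constructed sample laid out in the shape of `packet-tracer` output; the interface names, the ACL name `inside_access_in` and the addresses are made up. It walks the phases in order, reports the first one that did not return ALLOW, and pairs it with the `Drop-reason` from the trailing `Result:` block, which is exactly how you read a real trace by hand.

```python
from dataclasses import dataclass, field

# Constructed sample in the layout of the ASA "packet-tracer" command output.
# NOT captured from a real device: interface names, ACL name and addresses
# are invented for illustration.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   203.0.113.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

    def passed(self) -> bool:
        # The answer above calls a failed phase "DENY"; real output prints "DROP".
        # Either way, only an explicit ALLOW counts as passing the phase.
        return self.result.upper() == "ALLOW"


@dataclass
class Trace:
    phases: list
    summary: dict  # trailing "Result:" block: Action, Drop-reason, interfaces

    def failing_phase(self):
        """First phase that did not return ALLOW, or None if every phase passed."""
        return next((p for p in self.phases if not p.passed()), None)


def _blocks(text):
    """Yield blank-line separated groups of non-empty lines."""
    block = []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            yield block
            block = []
    if block:
        yield block


def _parse_phase(lines):
    number = int(lines[0].split(":", 1)[1])
    fields = {"Type": "", "Subtype": "", "Result": ""}
    config, info, section = [], [], None
    for line in lines[1:]:
        if line == "Config:":
            section = config
        elif line == "Additional Information:":
            section = info
        elif section is not None:
            section.append(line)          # free-form text belongs to the open section
        else:
            key, sep, value = line.partition(":")
            if sep and key in fields:
                fields[key] = value.strip()
    return Phase(number, fields["Type"], fields["Subtype"], fields["Result"], config, info)


def _parse_summary(lines):
    summary = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            summary[key.strip()] = value.strip()
    return summary


def parse_packet_tracer(text: str) -> Trace:
    phases, summary = [], {}
    for block in _blocks(text):
        if block[0].startswith("Phase:"):
            phases.append(_parse_phase(block))
        elif block[0].startswith("Result:"):
            summary = _parse_summary(block)
    return Trace(phases, summary)


def explain(trace: Trace) -> str:
    """One-line verdict naming the phase that decided the packet's fate."""
    bad = trace.failing_phase()
    if bad is None:
        return "allowed: all %d phases returned ALLOW" % len(trace.phases)
    reason = trace.summary.get("Drop-reason", "no drop reason reported")
    return "dropped in phase %d (%s/%s): %s" % (bad.number, bad.type, bad.subtype, reason)
```

Running `explain(parse_packet_tracer(SAMPLE_TRACE))` on the sample gives `dropped in phase 2 (ACCESS-LIST/log): (acl-drop) Flow is denied by configured rule`; the `config` lines of the failing phase show the ACL entry that decided it, which is the first thing to check when a flow you expected to pass is being dropped.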

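The ordering the answer describes (inside ACL on the real address, then the NAT lookup in the order exemption, static, dynamic; on the way back in, outside ACL on the public address first, then un-NAT) can be written down as a small model. This is an added example, not ASA code and not from the linked document: `AclEntry`, `Nat82`, the interface-direction functions and every address in it are constructed, ACL entries match on source/destination only (no protocol or port), and it assumes `nat-control` is off so a packet with no matching NAT rule still passes untranslated. Its value is the two cases at the end: exemption winning over a static entry, and an outside ACL written for the private address never matching on 8.2.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR


def acl_permits(entries, src, dst):
    """First match wins, with the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if src in ipaddress.ip_network(e.src) and dst in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False


@dataclass
class Nat82:
    """Pre-8.3 NAT rules, consulted in the order given in the answer."""
    exempt: list = field(default_factory=list)  # nat (inside) 0 access-list <acl>
    static: dict = field(default_factory=dict)  # real IP -> mapped IP, static (inside,outside)
    dynamic_net: str = "0.0.0.0/32"             # nat (inside) 1 <net>
    dynamic_global: str = ""                    # global (outside) 1 <ip>

    def translate(self, src, dst):
        """(rule, mapped source) for an inside host talking to dst."""
        if acl_permits(self.exempt, src, dst):          # 1) NAT exemption
            return "nat-exemption", src
        if src in self.static:                          # 2) static NAT
            return "static", self.static[src]
        if ipaddress.ip_address(src) in ipaddress.ip_network(self.dynamic_net):
            return "dynamic-pat", self.dynamic_global   # 3) dynamic NAT/PAT
        return "none", src  # assumption: nat-control off, untranslated traffic passes

    def untranslate(self, mapped_dst):
        """Reverse lookup for inbound traffic: which real host owns this public IP?"""
        for real, mapped in self.static.items():
            if mapped == mapped_dst:
                return "static", real
        return "none", mapped_dst  # exempt hosts keep their real address


def inside_to_outside(src, dst, inside_acl, nat):
    steps = []
    # 1) the inside ACL is evaluated against the REAL (pre-translation) source
    if not acl_permits(inside_acl, src, dst):
        steps.append(("ACCESS-LIST", "DROP", "inside ACL denies real address %s" % src))
        return steps
    steps.append(("ACCESS-LIST", "ALLOW", "inside ACL permits %s -> %s" % (src, dst)))
    # 2) only then is the translation chosen, in order of operation
    rule, mapped = nat.translate(src, dst)
    steps.append(("NAT", "ALLOW", "%s: %s -> %s" % (rule, src, mapped)))
    return steps


def outside_to_inside(src, mapped_dst, outside_acl, nat):
    steps = []
    # 1) on 8.2 and earlier the outside ACL must match the PUBLIC (mapped) address
    if not acl_permits(outside_acl, src, mapped_dst):
        steps.append(("ACCESS-LIST", "DROP", "outside ACL denies public address %s" % mapped_dst))
        return steps
    steps.append(("ACCESS-LIST", "ALLOW", "outside ACL permits %s -> %s" % (src, mapped_dst)))
    # 2) then the public address is untranslated back to the private one
    rule, real = nat.untranslate(mapped_dst)
    steps.append(("UN-NAT", "ALLOW", "%s: %s -> %s" % (rule, mapped_dst, real)))
    return steps


# Constructed configuration (addresses from the documentation ranges).
NAT = Nat82(
    exempt=[AclEntry("permit", "10.1.1.0/24", "10.2.2.0/24")],  # VPN peer subnet, no NAT
    static={"10.1.1.10": "203.0.113.10"},                      # static (inside,outside) 203.0.113.10 10.1.1.10
    dynamic_net="10.1.1.0/24",                                 # nat (inside) 1 10.1.1.0 255.255.255.0
    dynamic_global="203.0.113.1",                              # global (outside) 1 203.0.113.1
)
INSIDE_ACL = [AclEntry("permit", "10.1.1.0/24", "0.0.0.0/0")]
# Written for the PUBLIC address of the server; an entry for 10.1.1.10 would never match on 8.2.
OUTSIDE_ACL = [AclEntry("permit", "0.0.0.0/0", "203.0.113.10/32")]
```

`inside_to_outside("10.1.1.10", "10.2.2.7", INSIDE_ACL, NAT)` ends in `nat-exemption: 10.1.1.10 -> 10.1.1.10` even though a static entry exists for that host, because exemption is consulted first; `outside_to_inside("198.51.100.5", "10.1.1.10", OUTSIDE_ACL, NAT)` stops at the ACL phase because the inbound ACL is checked against the public address before any un-NAT happens.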
3 Replies

Hi,

  Thank you. If you don't mind, could you please send me the file (URL) to my email ID jitheshkjoy@gmail.com, because that URL is not accessible with my login (Forbidden).

Regards

Jithesh
