04-05-2010 01:19 AM - edited 03-11-2019 10:29 AM
Hi,
Can anybody please help me to understand the packet tracer output of ASA, well explained. Any well-explained link/URL will be very helpful. I want to clearly understand the process happening in each step when a packet travels from one interface to another interface of the ASA.
Also, please tell me the order of NAT and route performed in the case of inside to outside and outside to inside (which one is done first in each case).
Thanks & Regards
Joy
(I will definitely rate helpful posts)
04-05-2010 01:34 AM
Take a look at the packet tracer section of this document:
http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807c35e7.shtml
Basically, it goes through the packet lifecycle from when it arrives on the interface all the way until it leaves the interface. If the result shows "ALLOW", it means it passes that particular phase, and it will show "DENY" if it fails at that particular phase.
NAT order of operation on ASA:
1) NAT exemption (NAT 0 with ACL)
2) Static NAT and PAT
3) Dynamic NAT and PAT
From inside to outside:
- It will check the inside ACL first, and it should match the IP address/subnet before it gets translated.
- It will then check where the destination traffic is going, and translate the packet accordingly as per the translation pair created, i.e. whether it is "static (inside,outside)" or the "nat (inside) and global (outside)" pair.
From outside to inside:
- It will check the outside ACL first, and it should match the IP address/subnet before it gets translated back. For example: if a translation from public to private IP is configured, the ACL should match the public IP address (this is true for ASA version 8.2 and earlier).
- Then, as above, it will untranslate the IP address back from public to private.
There was a complete transformation of NAT and ACLs in ASA version 8.3.
Hope the information helps.
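The answer above describes packet-tracer output as a sequence of phases that each ALLOW or fail the packet, followed by a final verdict. The following is an added example, not code from the thread or from Cisco: a small Python parser that splits that output into phases and reports the first phase that failed, which is what you usually want when triaging a dropped flow. The sample output is constructed for illustration (documentation addresses, a deliberately denying ACL) and uses the "DROP" keyword in a failing phase; the parser treats any non-ALLOW result as the failing phase, so "DENY" is handled the same way.

```python
import re

# Constructed sample of packet-tracer output for an outside->inside TCP packet.
# Phases, addresses and ACL names are illustrative, not captured from a real ASA.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   198.51.100.5    255.255.255.255 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_in in interface outside
access-list outside_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Split packet-tracer output into phase dicts: number, type, subtype, result, config lines."""
    phases = []
    # Each phase is a blank-line-separated block that starts with "Phase: N".
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue  # the trailing "Result:" summary block is handled by parse_verdict
        phase = {"phase": int(lines[0].split(":", 1)[1]), "type": "",
                 "subtype": "", "result": "", "config": []}
        section = None
        for line in lines[1:]:
            if line.startswith("Type:"):
                phase["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                phase["result"] = line.split(":", 1)[1].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section == "config":
                phase["config"].append(line.strip())  # the rule(s) that decided this phase
        phases.append(phase)
    return phases


def parse_verdict(text):
    """Return the final Action and Drop-reason (if any) from the trailing Result block."""
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return {"action": action.group(1) if action else None,
            "drop_reason": reason.group(1).strip() if reason else None}


def first_failing_phase(phases):
    """The first phase whose Result is not ALLOW is where the packet stopped; None if all passed."""
    for phase in phases:
        if phase["result"] != "ALLOW":
            return phase
    return None


def diagnose(text):
    """One-call summary: how many phases passed, which phase failed, and the final verdict."""
    phases = parse_phases(text)
    failed = first_failing_phase(phases)
    verdict = parse_verdict(text)
    return {"phases_passed": len(phases) if failed is None else failed["phase"] - 1,
            "failed_phase": failed,
            "action": verdict["action"],
            "drop_reason": verdict["drop_reason"]}


if __name__ == "__main__":
    summary = diagnose(SAMPLE_OUTPUT)
    failed = summary["failed_phase"]
    print(f"action={summary['action']} passed={summary['phases_passed']} phases")
    if failed:
        print(f"stopped at phase {failed['phase']} ({failed['type']}/{failed['subtype']}):")
        for rule in failed["config"]:
            print("   ", rule)
        print("reason:", summary["drop_reason"])
```

Feed it the pasted output of a real `packet-tracer` run and the config lines attached to the failing phase point straight at the ACL, NAT or route entry that needs attention.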
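To make the precedence in the answer concrete (NAT exemption before static before dynamic, and on 8.2 the outside ACL evaluated against the public address before untranslation), here is an added example written for this page, not taken from the thread or from Cisco. It models a small 8.2-style configuration as Python data and resolves translations in that order; the addresses, ACL names and the simplified first-match ACL logic are assumptions for illustration, not a parser of a real running config.

```python
import ipaddress

# Constructed 8.2-style NAT configuration, modelled as data (documentation addresses):
#   nat (inside) 0 access-list NONAT        -> 10.1.0.0/16 to 192.168.50.0/24 is exempt
#   static (inside,outside) 198.51.100.10 10.1.1.10
#   nat (inside) 1 10.1.0.0 255.255.0.0 + global (outside) 1 198.51.100.100  (dynamic PAT)
EXEMPTIONS = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.50.0/24"))]
STATICS = {ipaddress.ip_address("10.1.1.10"): ipaddress.ip_address("198.51.100.10")}
DYNAMIC = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_address("198.51.100.100"))]

# Two candidate outside ACLs (first match wins, implicit deny at the end). On 8.2 the ACL
# sees the public address, so ACL_CORRECT permits the static's global address while
# ACL_WRONG names the private host and therefore never matches inbound traffic.
ACL_CORRECT = [("permit", ipaddress.ip_network("198.51.100.10/32"))]
ACL_WRONG = [("permit", ipaddress.ip_network("10.1.1.10/32"))]


def translate_inside_to_outside(src, dst):
    """Pick the translation for an inside->outside packet in the precedence the thread lists."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net in EXEMPTIONS:          # 1) NAT exemption (nat 0 with ACL) wins outright
        if src in s_net and dst in d_net:
            return ("nat-exempt", str(src))
    if src in STATICS:                       # 2) static NAT/PAT beats any dynamic pool
        return ("static", str(STATICS[src]))
    for s_net, pool in DYNAMIC:              # 3) dynamic NAT/PAT is the last resort
        if src in s_net:
            return ("dynamic-pat", str(pool))
    return ("no-translation", str(src))


def acl_permits(acl, addr):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


def handle_outside_to_inside(dst_public, acl):
    """8.2 order per the thread: outside ACL against the public address, then untranslate."""
    dst = ipaddress.ip_address(dst_public)
    if not acl_permits(acl, dst):
        return ("denied-by-acl", str(dst))
    public_to_private = {pub: priv for priv, pub in STATICS.items()}
    real = public_to_private.get(dst)
    if real is None:
        return ("no-static-for-destination", str(dst))
    return ("untranslated", str(real))


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "192.168.50.7"), ("10.1.1.10", "198.18.0.1"),
                     ("10.1.2.3", "198.18.0.1"), ("10.2.0.1", "198.18.0.1")]:
        print(f"{src} -> {dst}: {translate_inside_to_outside(src, dst)}")
    for name, acl in [("correct ACL", ACL_CORRECT), ("ACL written with private IP", ACL_WRONG)]:
        print(f"inbound to 198.51.100.10 with {name}: {handle_outside_to_inside('198.51.100.10', acl)}")
```

The same inside host gets three different answers depending on destination and configured entries, and the ACL_WRONG case reproduces the 8.2 pitfall the answer calls out: an inbound rule that names the private address is never reached because the ACL is checked before untranslation.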
04-05-2010 04:24 AM
Hi,
Thank you. If you don't mind, could you please send me the file (URL) to my email ID jitheshkjoy@gmail.com because that URL is not accessible for my login (Forbidden).
Regards
Jithesh