Cisco Support Community
Community Member

ASA/PIX Order of Operations

Can someone shed some light on the order of operations (everything that happens when a packet comes to an interface) in ASA/PIX? Is there any difference when the direction changes?

5 REPLIES
Community Member

Re: ASA/PIX Order of Operations

Perhaps this is what you were looking for?

https://learningnetwork.cisco.com/message/62746

Re: ASA/PIX Order of Operations

Hi,

Actually the list is quite long and detailed... depending on the features that you have...

But just to give you an example...

When a packet comes to an interface normally this happens:

ACL checking

Routing

NAT

Encryption

Obviously, if you have other features like AAA, application inspection, etc... then they also come into play.

When the packet arrives at its destination, it is first decrypted, and then all the rules apply.

The above is very general and is just to give you an idea.

Federico.

Re: ASA/PIX Order of Operations

The Packet-Tracer option will provide all this information:

https://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s3

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
              
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.22.1.0      255.255.255.0   outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www 
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
              
Phase: 7
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (172.22.1.254)
    translate_hits = 6, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028 
using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:       
nat (inside) 1 192.168.1.0 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (172.22.1.254)
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 10
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 13
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 94, packet dispatched to next module

Phase: 15
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.22.1.1 using egress ifc outside
adjacency Active
next-hop mac address 0030.a377.f854 hits 11

!--- The MAC address is at Layer 2 of the OSI model.
!--- This tells the administrator the next host 
!--- that should receive the data packet.


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
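
The phase order in a packet-tracer run is easiest to check mechanically rather than by eye. The script below is an added example for this thread, not Cisco's code and not something any poster provided: it parses the Phase/Type/Subtype/Result blocks of packet-tracer output into records, so you can ask at which position a given Type appears (for instance whether FLOW-LOOKUP lands before the ACCESS-LIST phase that is bound with access-group, i.e. the interface ACL rather than the implicit MAC access-list phase) and which phase, if any, first returns DROP. SAMPLE is an abridged copy of the trace posted above with the original phase numbers kept; the parser itself only relies on the Phase:/Type:/Subtype:/Result:/Config:/Additional Information: labels visible in that output and on the final Result: block carrying an Action: line.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the packet-tracer output posted in this thread (original phase numbers kept).
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Return (phases, action): Phase records in evaluation order and the final Action value."""
    phases, current, section, action = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!---"):      # skip blanks and Cisco doc comments
            continue
        if m := re.match(r"Phase:\s*(\d+)$", line):  # a new phase block starts here
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":                      # bare 'Result:' opens the final summary
            current = None
        elif current is None:
            if m := re.match(r"Action:\s*(\w+)", line):
                action = m.group(1)
        elif m := re.match(r"(Type|Subtype|Result):\s*(.*)", line):
            setattr(current, m.group(1).lower(), m.group(2).strip())
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:                                # body line of Config / Additional Information
            getattr(current, section).append(line)
    return phases, action

def first_index(phases, ptype):
    """0-based position of the first phase of the given Type, or None if absent."""
    return next((i for i, p in enumerate(phases) if p.type == ptype), None)

def interface_acl_index(phases):
    """Position of the first ACCESS-LIST phase bound with access-group (the interface ACL),
    as opposed to the earlier implicit MAC access-list phase."""
    return next((i for i, p in enumerate(phases) if p.type == "ACCESS-LIST"
                 and any(c.startswith("access-group") for c in p.config)), None)

def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)

if __name__ == "__main__":
    phases, action = parse_packet_tracer(SAMPLE)
    print(*(f"{p.number:>2} {p.type:<12} {p.subtype or '-':<8} {p.result}" for p in phases), sep="\n")
    print("action:", action, "| interface ACL at index", interface_acl_index(phases))
```

Run it against the full output of your own packet-tracer command (paste it into SAMPLE or read it from a file); for a denied packet, first_drop returns the phase whose Config block shows the rule that matched, which is the line to take to the change request.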

Community Member

Re: ASA/PIX Order of Operations

I'm pretty sure that "FLOW" comes before "ACL"

Super Bronze

ASA/PIX Order of Operations

Hi,

I don't think the ACL in the above packet-tracer output refers to the typical ACL. That comes later on in the packet-tracer output.

Additional Information:
MAC Access list

- Jouni
