Cisco Support Community
Community Member

Order of operations

Can anyone point to a list of traffic flow order or order of operations documentation for the ASA 7.2.x?

I only seem to be able to find one that relates to IOS CBAC.

I'm trying to answer a client's question (reference needed): Will Inbound encrypted communications be unencrypted and inspected before entering the internal network?

Having the rest of the flow would be useful for reference.

Many thanks,

Mike


4 REPLIES
Community Member

Re: Order of operations

I know I've seen the OoP of the ASA some days ago.

Please have a look at Joe Harris' 6200networks.com post about the OoP:

http://6200networks.com/2008/09/05/asa-order-of-operation/

cheers Michael

Community Member

Re: Order of operations

Thanks Michael,

That will prove very useful for the document. I tried a packet trace to answer my question before I originally posted, but I don't have a lab device, so I could not easily get a flow that included all crypto, NAT, ACLs, and so on, on the prod device.

Thanks again

Mike

p.s. I'll come back to rate you

Hall of Fame Super Blue

Re: Order of operations

Mike

In addition to the link posted in the other thread -

"Will Inbound encrypted communications be unencrypted and inspected before entering the internal network?"

It depends on the setting of "sysopt connection permit-vpn". If it is enabled, then after the traffic is unencrypted it bypasses the interface ACLs. If it is disabled, the unencrypted traffic is then checked against the interface ACL; see this link for full details -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

Jon
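
The two settings Jon describes, side by side, as an added illustration that is not part of the original thread or of the Cisco documentation it links. The interface names (outside/inside), the ACL name OUTSIDE_IN, the remote VPN subnet 10.10.20.0/24 and the internal server 192.168.10.20 are all assumed for the example:

```cisco
! Added example config fragment (not from the thread or the ASA 7.2 docs).
! Assumed: nameif "outside"/"inside", ACL OUTSIDE_IN, remote VPN subnet
! 10.10.20.0/24, internal server 192.168.10.20.

! --- Default (the state Mike found on his firewall): traffic arriving through
! a tunnel is decrypted and then forwarded WITHOUT being matched against the
! ACL bound to the outside interface. Whatever the peer sends down the tunnel
! reaches the inside network.
sysopt connection permit-vpn

! --- Hardened: disable the bypass so decrypted traffic is subject to the
! outside interface ACL like any other through-traffic.
no sysopt connection permit-vpn
!
! With the bypass off, the ACL on "outside" must explicitly permit the
! DECRYPTED flows (source = remote tunnel subnet, destination = the internal
! hosts), otherwise they are dropped after decryption.
access-list OUTSIDE_IN extended permit tcp 10.10.20.0 255.255.255.0 host 192.168.10.20 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because the enabled state is the default and defaults are hidden from `show running-config`, confirm which state a box is in with `show running-config all sysopt` before relying on the interface ACL. If you need to keep the bypass for some tunnels but still restrict what a particular peer can send, a per-tunnel alternative is a `vpn-filter` ACL applied in the relevant group-policy; that path is not covered by the thread and is mentioned here only as the usual option a practitioner would weigh against turning the bypass off globally.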

Community Member

Re: Order of operations

Thanks Jon,

It's on my FW as it's the default. Good reminder though, as I'd forgotten about that cmd. It's one of those that's not in the running-config and needs a show run sysopt - but you knew that, or you wouldn't have been able to help me.

Although my client's question could be ambiguous, I'm going to take him literally: does it inspect, as in application inspection, after decrypt?

Unfortunately even the other post from Michael doesn't spell this out, not to me anyway.

Thanks again

Mike
