I am studying packet processing in ASA and I have understood the following:
Packet processing for 8.0
1. The packet is received on the ingress interface and kept in an internal buffer; the input counter is incremented.
2. The connection table is checked to see if the packet belongs to an existing connection. If yes, the ACL check is skipped and the packet is moved to further processing. If the packet is not part of an existing connection, then if it is a TCP SYN or a UDP packet the connection counter is increased and the packet is moved for further processing. Else the packet is dropped.
3. The packet is subjected to the ACL check. If the ACL allows the packet, the ACL hit count is incremented and the packet is moved for further processing. Else the packet is dropped and logged.
4. NAT rules are checked and the IP header information is changed, i.e. source IP and destination IP are changed, the checksum is recalculated and the new checksum is inserted in the IP header.
5. The routing table is checked. Layer 2 resolution is performed.
6. The packet is transmitted on the wire.
Packet processing for 8.4: just swap 3 and 4.
I want to ask:
1. Is the above explanation correct and complete?
2. Is this explanation the same for a packet going from high to low security level and from low to high security level?
3. Suppose the egress interface also has an ACL applied in the "out" direction; when will that ACL be checked?
I was referring to the document below. Or can anyone provide a better, more detailed explanation? I am preparing for an interview.
I would simulate different types of communication with the packet-tracer. There you see which actions are done and in which order.
Some points on your list are not absolutely accurate:
2) "then if packet is TCP SYN or UDP packet" should better be "then if packet is TCP SYN or UDP or any not statefully inspected protocol". You could also have things like GRE that get processed with the next step.
3) The ACL is only used if available. Also think about the default handling with security levels when there are no ACLs.
4) If there already is a translation, the NAT rules are not checked. Instead the existing translation is used.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni