Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Packet processing in ASA

Hello Guys,

I am studying packet processing in ASA and i have understood the following: -

Packet processing for 8.0

1. Packet will be received on ingress interface kept in internal buffer, input counter will be incremented.

2. Connection table is checked to check if packet belongs to exiting connection if yes ACL check is skipped and packet is moved to further processing. If packet is not a part of existing connection then if packet is TCP SYN or UDP packet then connection counter is increased and  packet is moved for further processing. Else packet is dropped.

3. Packet is subjected to ACL check if ACL allow the packet then ACL hit count is incremented and packet is moved for further processing. Else packet is dropped and logged.

4. NAT rules are checked and IP header information is changed like Source IP and destination IP are changed and chcek is recalculated and new checksum is inserted in the IP header.

5. Routing table is checked. Layer 2 resolution is performed.

6.Packet is transmitted on wire.

Packet processing for 8.4
Just swap 3 and 4

I want to ask

1. Is above explanation is corrected and complete ?

2. Is this is explanation is same for the packet going from High to Low security level, Low to High security level.

3. Suppose egress interface also have some ACL applied in "out direction" then when that ACL will be checked.

I was reffering the below document. Or Can anyone provide some better detailed explanation i am preparing for interview.

VIP Purple

I would simulate different

I would simulate different types of communication with the packet-tracer. There you see which actions are done and in which order.

Some points on your list are not absolutely accurate:

2) "then if packet is TCP SYN or UDP packet" should better be "then if packet is TCP SYN or UDP or any not statefully inspected protocol". You also could have things like GRE that gets processed with the next step.

3) The ACL is only used if available. Also think about the default handling with security-levels when there are no ACLs.

4) If there already is a translation, the NAT rules are not checked. Instead the existing translation is used.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
New Member

 on ASA (5525X) with code 9.1


ASA Order of Operation IMG

on ASA (5525X) with code 9.1.4 above does not apply .route lookup is being done bore NAT. so it would be step 7 and NAT will go step 8