PIX operation

rajeshiyer
Level 1

I read the info (see attachment) in the Cisco book "Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition" by David Hucaby

that for outbound operation, xlate happens before ACL (2nd line in attachment). Moreover, the ACL uses the translated IP rather than its local ones.

I think it has to be :

Packet from Inside to Outside :

ACL --> Routing --> NAT

Packet from Outside to Inside :

ACL --> NAT --> Routing

Correct me if I'm wrong.

1 Reply

r.malviya
Level 1

Hi Rajesh ,

As per my understanding of how ACL and NAT are handled on the ASA: if the traffic is initiated from the inside network and wants to communicate with an outside server (Internet), the first thing needed is for it to be permitted by the ACL. Only if the ACL permits the traffic will it be forwarded; otherwise it will be dropped. After that, it looks for the global IP, which it gets from NAT, and then it routes the packet.

In the case of a connection from outside to inside, let me give you an example.

If your web server is located in the inside segment and the source is a host that resides behind the outside segment (Internet) and wants to access the server, then in this case the host (Internet) attempts to connect to the web server (inside) on the public IP, which it gets through static NAT. Then the ASA checks the ACL; if it is permitted, it forwards the packet, and after coming to the NAT interface it will unwrap the packet and transfer the packet to its original local IP address.

I hope it will be useful for you.

Please rate it ......

Regards

Ritesh Malviya
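
The inbound web-server case described in the reply above, written out as a configuration sketch. This is an added example, not part of either post or of the book; it assumes PIX/ASA 7.x to 8.2 syntax, and the addresses (documentation and private ranges) and the ACL name OUTSIDE_IN are constructed for illustration.

```cisco
! Constructed example: inside web server 192.168.1.10 published as 203.0.113.10.
! Static NAT: (real_if,mapped_if) mapped_ip real_ip
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! The packet reaches the outside interface still addressed to the public
! (mapped) IP, so the ACL entry is written against 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www

! An entry written against the local address would never match here,
! because no packet arrives on the outside interface with that destination:
!   access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www

! Bind the ACL to traffic entering the outside interface.
access-group OUTSIDE_IN in interface outside
```

On a live device, `show access-list OUTSIDE_IN` shows the hit count on the permit line, and `show xlate` shows the static translation used to rewrite the destination to the local address.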
