Let's say you're no-NATing every interface on a PIX (nat (Office) 0 0.0.0.0 0.0.0.0 0 0, nat (Admin) 0 0.0.0.0 0.0.0.0 0 0, etc.). You have a 515 with 6 interfaces, and on every interface you have an access list controlling where traffic is able to travel. At this point, with everything being no-NATed and an access list with a deny ip any any at the end on every interface, you're not really using the ASA anymore, right?
If a packet arrives on an interface and it has a connected state, then the ASA handles the traffic and no inspection based on the access-list takes place.
Let's take a little example to demonstrate. Let's say we have a registered public address space we are using on the inside, and just want our users on the inside to have full access to the Internet, while we do not want any traffic to come in that is not initiated from the inside.
The following config would be enough then:
nat (inside) 0 0.0.0.0 0.0.0.0
access-list outside-in deny ip any any
access-group outside-in in interface outside
(In fact, even the last two commands would not be needed in this case, but it only goes to show.)
What happens when a user starts a session from the inside: the PIX creates a connected state and lets the packet leave via the outside (because it is from a high to a low security level).
The host will send an answer, and when this returning packet arrives on the outside interface the PIX sees that this is an existing stream (it has a connected state) and lets the packet in; it does not look at the access-list at all.
If the same host on the Internet tries to build a new session to the same inside user, something different happens. The PIX then sees the packet arrive while there is no connected state. If this is the case, the PIX will look if there is an ACL bound to the interface. In this case there is, and this list says that the traffic is not permitted, so the packet is dropped.
If there was no ACL in place, the PIX will see that there is no connected state and no ACL, and then it depends on the security level if the packet is accepted or not.
So, ASA is always in place. A few weeks ago there was another discussion on this topic; if you search on the forum with keywords "ASA order of operation" I am sure you will find it (there are some useful links in this discussion).
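The three-step order of operations described in the answer above (connection state first, then the interface ACL, then security levels) can be replayed in a small simulation. The following is an added example written for this thread, not code from the poster or from Cisco; it is a deliberately simplified model of the behaviour the answer describes, not the PIX/ASA implementation. The interface names, security levels, routes and addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str     # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'ip' and 'any' act as wildcards, as on the PIX."""
    action: str            # "permit" or "deny"
    proto: str = "ip"
    src: str = "any"       # CIDR prefix or "any"
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, spec):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (self.proto in ("ip", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst))


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[list] = None   # None means no access-group is bound inbound


class StatefulFirewall:
    """Simplified model (assumption, not Cisco's code) of the order of operations
    described in the answer: state table, then ingress ACL, then security levels."""

    def __init__(self, interfaces, routes):
        self.ifaces = {i.name: i for i in interfaces}
        # routes: list of (prefix, interface name), resolved by longest-prefix match
        self.routes = [(ipaddress.ip_network(p), name) for p, name in routes]
        self.conns = set()   # established flows, stored as 5-tuples

    def egress(self, dst: str) -> Interface:
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return self.ifaces[best[1]]

    def process(self, pkt: Packet):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Existing connection state: forwarded, the ACL is never consulted.
        if key in self.conns or reverse in self.conns:
            return True, "existing connection"
        ingress = self.ifaces[pkt.ingress]
        # 2. An ACL bound to the ingress interface decides (implicit deny at the end).
        if ingress.acl is not None:
            for ace in ingress.acl:
                if ace.matches(pkt):
                    allowed, reason = ace.action == "permit", f"acl {ace.action}"
                    break
            else:
                allowed, reason = False, "acl implicit deny"
        # 3. No ACL: security levels decide; higher to lower is permitted.
        else:
            out = self.egress(pkt.dst)
            allowed = ingress.security_level > out.security_level
            reason = f"security level {ingress.security_level} -> {out.security_level}"
        if allowed:
            self.conns.add(key)   # the new state lets the reply through in step 1
        return allowed, reason


def demo():
    """Replays the answer's example: inside user goes out, reply comes back,
    then the same Internet host tries to open a new session inbound."""
    fw = StatefulFirewall(
        [Interface("inside", 100), Interface("outside", 0, acl=[Ace("deny")])],
        routes=[("192.0.2.0/24", "inside"), ("0.0.0.0/0", "outside")],
    )
    user, server = "192.0.2.10", "198.51.100.5"   # constructed sample addresses
    return [
        fw.process(Packet("inside", "tcp", user, 40000, server, 80)),
        fw.process(Packet("outside", "tcp", server, 80, user, 40000)),
        fw.process(Packet("outside", "tcp", server, 50000, user, 22)),
    ]


if __name__ == "__main__":
    for allowed, why in demo():
        print("permit" if allowed else "drop", "-", why)
```

Running `demo()` shows the reply on the outside interface being permitted on connection state even though the bound ACL is deny-any, and the unsolicited inbound session being dropped by that ACL. Constructing the firewall without an outside ACL shows the same inbound packet dropped by the security-level comparison instead, which is the point of the answer: the stateful inspection is always in the path, whether or not an ACL is bound.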