Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Just to get this straight...


Lets say your nonating every interface on a PIX(nat (Office) 0 0 0, nat (Admin) 0 0 0 etc...) You have a 515 with 6 interfaces, and on every interface you have an access list controlling where traffic is able travel. At this point with everything being nonated, and an access list with a deny ip any any at the end on every interface, your not really using the ASA anymore right?



Re: Just to get this straight...

Nope, not correct, ASA is always in place.

If a packet arrives on a interface and it has a connected state then ASA handles down the traffic and no inspection based on access-list takes place.

Let´s take a little example to demonstrate. Let´s say we have a registered public address space we are using on the inside, and just want our users on the inside to have full access to the Internet, while we do not want any traffic to come in that is not initiated from the inside.

The following config would be enough then:

nat (inside) 0

no access-list

access-list outside-in deny ip any any

access-group outside-in in interface outside

(in fact even the last two commands would not be needed in this case, but only goes to show)

What happens when a users starts a session from the inside the PIX creates a connected and let the packet leave the outside (because it is from high to low level security)

The host will send an answer, and when this returning packet arrives on te outside interface the PIX sees that this is an existing stream (it has a connected state) and let the packet in, it does not look at the access-list at all.

It the same host on the Internet tries to build a new session to the same inside user something different happens. The PIX then sees the packet arrive while there is no connected state. If this is the case the PIX will look if there is an ACL bound to the interface. In this case there is, and this list says that the traffic is not permitted, so the packet is dropped.

If there was no ACL in place the PIX will see that there is no connected state and no ACL and then it depends on the securitylevel if the packet is accepted or not.

So, ASA is always in place. A few weeks ago there was another discussion on this topic, if you search on the forum with keywords "ASA order of operation" I am sure you find it (there are some usefull links in this discusions)

Kind Regards,



Re: Just to get this straight...

Thanks Leo,

I know this was a basic question, good answer.

CreatePlease to create content