Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Order of operation for PIX/ASA

Hi all,

I have noticed that there is a big amount of questions and troubleshooting issues when it's about combining several PIX features like address translation, encryption ...

So can someone give us the order of operation in the PIX for inbound and outbound traffic.

I found this information for IOS but not for the PIX.

I 'am sure this will help troubleshooting many issues.

Operations are:

- ACL inspection.

- address translation (inside/outside)

- IPSec encryption/decryption.

- Intrusion detection.

- Application inspection.

- ...

Think you in advance


Re: Order of operation for PIX/ASA

Coming in from the internet, packets are decrypted (if coming over a VPN), then hit the inbound ACL, then are NATed, then routed to outgoing i/f.

Going out to the internet, the packet will be routed to the outgoing i/f, then NATed, then hit the VPN config.

New Member

Re: Order of operation for PIX/ASA


Think you for your response.

Concerning inbound traffic the PIX command (sysopt connection permit-ipsec) allow the PIX to bypass the checking of IPSec traffic by ACL, this mean that inbound ACL occurs before Decryption, does it?

Re: Order of operation for PIX/ASA

no, traffic is decrypted, then checked against ACL (if syspopt command disabled).

So if you have "no sysopt connection permit-ipsec" then your outside ACL must refer to the unencrypted traffic.