Cisco Support Community
New Member

ASA order of rule

Hello,

I have a question: In which order does the Cisco ASA 5520 check the rules?

1. route

2. NAT

3. ACL

Regards,

Marie

New Member

Re: ASA order of rule

Thank You

New Member

Re: ASA order of rule

Hi

This is the doc I was looking for and just found!

It's been very useful in the past!

http://www.cisco.com/warp/public/556/5.html

Check it out! ;-)

Gold

Re: ASA order of rule

Good document - I'll probably print that one out.

I'm glad it addresses whether or not the traffic in question is incoming or outgoing.

New Member

Re: ASA order of rule

The answers in this post are misleading. The document, "http://www.cisco.com/warp/public/556/5.html" referenced by grahambartlett specifically states, "The information in this document is based on the Software Version, Cisco IOS® Software Release 12.2(27)" which does not run on the ASA 5520. A more accurate order of operations can be obtained using packet tracer in ASA/PIX version 7.21 or above. Here is a condensed output I created using the packet-tracer command.

PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)

---------------------------------------------------------------

Eg. Type - [Sub-Type] - Description

1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.

2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)

3. ACCESS-LIST - [log] - ACL Lookup

4. CONN-SETTINGS - [] - class-map, policy-map, service-policy

5. IP-OPTIONS - [] -

6. NAT - [] - xlate

7. NAT - [host-limits] -

8. IP-OPTIONS - [] -

9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.

10. ROUTE-LOOKUP - [output and adjacency] -

PIX/ASA - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)

-----------------------------------------------------------

1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.

2. UN-NAT - [static] -

3. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)

4. ACCESS-LIST - [log] - ACL Lookup

5. CONN-SETTINGS - [] - class-map, policy-map, service-policy

6. IP-OPTIONS - [] -

7. NAT - [rpf-check] -

8. NAT - [host-limits] -

9. IP-OPTIONS - [] -

10. FLOW-CREATION - [] - If everything passes up until this point a connection is created.

11. ROUTE-LOOKUP - [output and adjacency] -

New Member

Re: ASA order of rule

Below is the behavior when a packet passes through an appliance configured for address translation.

1. The packet arrives at the ingress interface from the end host.

2. The security appliance checks the packet against the inbound ACL.

3. If the packet is allowed in, the security appliance consults the routing table to determine the outbound physical interface.

4. If address translation is enabled and the packet matches the translation criteria, the security appliance creates a translation for the host.

5. The security appliance creates a stateful connection entry for the TCP and UDP packets. The security appliance can, optionally, create a stateful connection entry for the ICMP traffic if ICMP inspection is turned on.

6. The packet is routed to the egress interface and is checked against the outbound ACL.

If allowed, the packet is transmitted.

To help you remember, use the acronym ART!

A for ACL

R for Route

T for Translation

And for your viewing pleasure, here is the NAT Order of Operation. It is imperative that you know this! :o)

NAT exemption - When multiple NAT types/rules are set up, the security appliance tries to match traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.

Static NAT - If there is no match found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.

Static PAT - If the security appliance does not find a match in NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.

Policy NAT/PAT - The security appliance evaluates the policy NAT entries if it is still not able to find a match on the packet flow.

Identity NAT - The security appliance tries to find a match using the identity NAT statement, if one is set up to do so.

Dynamic NAT - If the security appliance fails to find a match using the first five rules, it checks to see if the packets need to be translated using dynamic NAT.

Dynamic PAT - The packets are checked against the dynamic PAT rules as the last resort, if all the previously mentioned rules fail.

Cheers

Please rate if satisfied. :o)

New Member

Re: ASA order of rule

Interesting post, taken straight from the Cisco Press book, "Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance". It is an excellent book; however, there are irregularities in your interpretation.

Routing, determining the egress interface and adjacency (Next Hop MAC address) is ALWAYS done last. When going from Lower security level (Outside) to Higher security level (Inside) the routes are added based on the translated (Local) address not the untranslated (Global) address. This is step 6 in your post.

A good document that outlines this in a clear manner is the, "Cisco Security Appliance Command Line Configuration Guide, Version 7.0" and can be viewed here...

http://www.cisco.com/en/US/partner/docs/security/asa/asa70/configuration/guide/fwmode.html#wp1202275

The article is titled, "How Data Moves Through the Security Appliance in Routed Firewall Mode"

As for the acronym you posted it should be changed to:

A for ACL

T for Translation

R for Route

As for the NAT order of operations, it should be clarified a bit as posted in the same document as above (different section), which can be found here...

http://www.cisco.com/en/US/partner/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042696

The section is titled, "Order of NAT Commands Used to Match Real Addresses" and here it is.

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list) - In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static) - In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list) - In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat) - Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.

The main difference between the book's interpretation and Cisco's interpretation being the order in which each step is matched. Steps 1, 2 and 3 are in order as they appear in the configuration and step 4 is a best match.

Cheers ;>
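As an added illustration of the four-category matching order quoted in the reply above (written for this thread; it is not Cisco's code and not from the configuration guide): a small Python model in which categories 1 to 3 are first match in configuration order and category 4 is best match by prefix length. The rule set, its seq positions and the CLI labels are constructed and hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Model (not Cisco code) of the NAT matching order quoted above: the four
# categories are tried in this sequence; the first three are first match in
# configuration order, the fourth (regular dynamic NAT) is best match, so the
# most specific real-address network wins regardless of configuration order.
CATEGORY_ORDER = ("nat0-acl", "static", "policy-dynamic-nat", "regular-dynamic-nat")


@dataclass
class NatRule:
    category: str                # one of CATEGORY_ORDER
    real: ipaddress.IPv4Network  # real (local) addresses the command covers
    seq: int                     # position of the line in the running configuration
    label: str                   # hypothetical CLI text, for readability only


def match_nat(real_ip: str, rules: List[NatRule]) -> Optional[NatRule]:
    """Return the rule the appliance would select for real_ip, or None."""
    ip = ipaddress.IPv4Address(real_ip)
    for cat in CATEGORY_ORDER:
        hits = [r for r in rules if r.category == cat and ip in r.real]
        if not hits:
            continue  # nothing in this category covers the address; try the next
        if cat == "regular-dynamic-nat":
            return max(hits, key=lambda r: r.real.prefixlen)  # best (longest) match
        return min(hits, key=lambda r: r.seq)  # first match in configuration order
    return None


# Constructed sample configuration; seq mirrors the order the lines appear in.
EXAMPLE_RULES = [
    NatRule("regular-dynamic-nat", ipaddress.ip_network("0.0.0.0/0"), 10, "nat (inside) 1 0 0"),
    NatRule("regular-dynamic-nat", ipaddress.ip_network("10.1.1.1/32"), 20, "nat (inside) 2 10.1.1.1 255.255.255.255"),
    NatRule("static", ipaddress.ip_network("10.2.2.0/24"), 30, "static (inside,outside) 203.0.113.0 10.2.2.0 netmask 255.255.255.0"),
    NatRule("static", ipaddress.ip_network("10.2.2.0/25"), 35, "static (inside,outside) 198.51.100.0 10.2.2.0 netmask 255.255.255.128"),
    NatRule("nat0-acl", ipaddress.ip_network("10.2.2.50/32"), 40, "nat (inside) 0 access-list NONAT"),
    NatRule("policy-dynamic-nat", ipaddress.ip_network("10.3.0.0/16"), 50, "nat (inside) 3 access-list POLICY"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.2", "10.2.2.50", "10.2.2.7", "10.3.4.5"):
        hit = match_nat(ip, EXAMPLE_RULES)
        print(f"{ip:<10} -> {hit.category} (seq {hit.seq}): {hit.label}")
```

Note the two contrasts the output makes visible: 10.1.1.1 picks the /32 dynamic rule although the 0.0.0.0 rule comes first (best match), while 10.2.2.7 picks the /24 static rule although a more specific /25 static follows it (first match in order).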

New Member

Re: ASA order of rule

I suppose I should have stated my post is in regards to a packet going from a lower to higher security level.

Excuse me for being so wrong!
