New Member

ASA Software Order of Operations

I'm trying to find a chart or something that identifies the order of operations the ASA goes through when traffic passes through the appliance. I've found various info already, but nothing that explains to me the specific point at which the decision is made to not let traffic pass from a higher-trusted interface to a lower-trusted interface. When does it evaluate access-lists relative to security-levels? When does it make a routing decision relative to security-levels?

Thanks for any info

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA Software Order of Operations

Here's an example:

    fwasa01# packet-tracer input outside tcp 5.5.5.5 1024 172.16.64.101 22

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 172.16.64.0 255.255.240.0 inside   <<<< routing wants to route the packet from outside to inside

    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule   <<<<<< the outside interface has an inbound ACL which doesn't mention the "172.16.64.0" network, so the implicit deny will drop it
    Additional Information:

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

So to answer your question, when a packet flows from low-trust to high-trust it goes like this:

1. route

2. check ACL <<< if no match, drop. An ACL is required if going from low-trust to high-trust. If no ACL is configured and this is an inbound session, the packet is dropped. An ACL is not required if going from high-trust to low-trust.

3a. if nat-control is off (default): try to find a matching nat/static or existing flow (there are a few things here depending on where the session was initiated from); if no nat config is found, route the packet without nat

3b. if nat-control is on: there must be a nat/static or existing flow

There are other components, but those are the important ones.

Regards,

Roman
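To make the order of operations in Roman's answer concrete, here is an added example (not from the original thread, and not Cisco code) that simulates the phases packet-tracer walks through: flow lookup, route lookup, ACL check with the implicit deny (or, with no ACL bound, the security-level rule), and finally the NAT check under the nat-control setting the answer describes. The interface names, security levels, routes, ACL entries and NAT rules are a constructed configuration; only the 172.16.64.0/20 route and the denied 5.5.5.5 -> 172.16.64.101:22 probe mirror the trace above. The NAT drop-reason label is a placeholder, not a real ASA drop reason.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table: names, security levels and the ACL bound inbound
# on each interface are example values, not the configuration from the post.
INTERFACES = {
    "outside": {"security_level": 0, "acl": "OUTSIDE_IN"},
    "inside": {"security_level": 100, "acl": None},
}

# Constructed routing table (prefix -> egress interface); the 172.16.64.0/20
# route mirrors the one shown in the post's trace.
ROUTES = [
    (ip_network("172.16.64.0/20"), "inside"),
    (ip_network("0.0.0.0/0"), "outside"),
]

# Constructed ACLs: (action, protocol, source, destination, destination port or None).
# OUTSIDE_IN deliberately says nothing about 172.16.64.0/24, as in the post.
ACLS = {
    "OUTSIDE_IN": [
        ("permit", "tcp", ip_network("0.0.0.0/0"), ip_network("172.16.70.0/24"), 443),
    ],
}

# Constructed NAT rules: a static covering an inside prefix serves both directions.
NAT_RULES = [("inside", ip_network("172.16.64.0/24"))]


def flow_key(proto, src, sport, dst, dport):
    """5-tuple used to look up an existing connection."""
    return (proto, ip_address(src), sport, ip_address(dst), dport)


def route_lookup(dst):
    """Longest-prefix match; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def acl_lookup(acl_name, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in ACLS.get(acl_name, []):
        if a_proto == proto and src in a_src and dst in a_dst and (a_port is None or a_port == dport):
            return action, "matched rule"
    return "deny", "Implicit Rule"


def packet_tracer(in_if, proto, src, sport, dst, dport, existing_flows=frozenset(), nat_control=False):
    """Walk the phases in the order the post describes; returns (phases, action, reason)."""
    key = flow_key(proto, src, sport, dst, dport)
    src, dst = key[1], key[3]
    phases = []

    # Phase 1: FLOW-LOOKUP. An established flow is allowed without re-checking the ACL.
    if key in existing_flows:
        phases.append(("FLOW-LOOKUP", "ALLOW", "Found matching flow"))
        return phases, "allow", "existing flow"
    phases.append(("FLOW-LOOKUP", "ALLOW", "Found no matching flow, creating a new flow"))

    # Phase 2: ROUTE-LOOKUP. Routing picks the egress interface before any policy check.
    out_if = route_lookup(dst)
    if out_if is None:
        phases.append(("ROUTE-LOOKUP", "DROP", "no route"))
        return phases, "drop", "no-route"
    phases.append(("ROUTE-LOOKUP", "ALLOW", f"out {out_if}"))

    # Phase 3: ACCESS-LIST. With an ACL on the ingress interface the ACL decides
    # (implicit deny at the end). Without one, the security levels decide:
    # higher-to-lower passes, lower-to-higher is dropped.
    acl_name = INTERFACES[in_if]["acl"]
    if acl_name:
        action, why = acl_lookup(acl_name, proto, src, dst, dport)
    elif INTERFACES[in_if]["security_level"] > INTERFACES[out_if]["security_level"]:
        action, why = "permit", "higher to lower security level, no ACL required"
    else:
        action, why = "deny", "lower to higher security level without an ACL"
    if action == "deny":
        phases.append(("ACCESS-LIST", "DROP", why))
        return phases, "drop", "acl-drop"
    phases.append(("ACCESS-LIST", "ALLOW", why))

    # Phase 4: NAT. With nat-control off a missing translation is fine; with it on,
    # a translation (or an existing flow) is mandatory. The drop label is constructed.
    has_nat = any((iface == in_if and src in prefix) or (iface == out_if and dst in prefix)
                  for iface, prefix in NAT_RULES)
    if nat_control and not has_nat:
        phases.append(("NAT", "DROP", "nat-control requires a translation"))
        return phases, "drop", "nat-control-drop"
    phases.append(("NAT", "ALLOW", "translated" if has_nat else "routed without nat"))
    return phases, "allow", out_if


if __name__ == "__main__":
    for step in packet_tracer("outside", "tcp", "5.5.5.5", 1024, "172.16.64.101", 22)[0]:
        print(*step)
```

Running the module reproduces the shape of the trace above: the route lookup succeeds and points at inside, and the packet is then dropped in the ACL phase by the implicit rule. Swapping the direction (inside to outside) shows the higher-to-lower path passing with no ACL bound, and setting nat_control=True shows the extra drop the answer's step 3b describes.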

4 REPLIES

Re: ASA Software Order of Operations

Did you try using the CLI command "packet-tracer input ...." to simulate a packet travelling through the ASA? It will show you exactly what happens. Sorry if you knew about it already!

Regards,

Roman

New Member

Re: ASA Software Order of Operations

No, I was not aware of that command. Thank you!

Do you know at which phase the decision is made to not let traffic pass from a low-trust to a high-trust interface?

New Member

Re: ASA Software Order of Operations

Thanks Roman.

This answers my question perfectly.
