An Overview of Cisco ASA Order of Operation
Every network device has a packet order of operations, meaning the sequence in which that device handles a packet. To troubleshoot a problem on a network device, you have to understand how a packet flows through it. In this article, I am going to show you how the Cisco ASA deals with packets.
1. Packet is received from the wire
2. Packet hits the ingress interface. Input counters are incremented.
3. Does this packet have an existing connection?
   If yes: move ahead to the inspection check.
   If no: if the packet is a TCP SYN or a UDP packet, proceed to the ACL check. Else drop the packet.
4. Packet is processed by the inbound access-list.
   If it matches a statement in the ACL, the hit count of the matching rule is incremented.
   Else the packet is dropped.
5. NAT rules process the packet. Notes regarding NAT rules:
   Post 8.3, nat control is turned off on the ASA and cannot be turned on.
   Pre 8.3, if nat control was on and a packet did not match an XLATE, it was dropped.
   A route lookup is conducted only to determine the egress interface to match NAT rules.
   After translation takes place, the connection is created.
6. Packet is processed by any inspect rules.
   CSC Module: Packet is processed by the CSC module if the firewall has it.
   CX Module: Packet is processed by the CX module if the firewall has it.
7. Packet gets the IP address translated in the header. The port is also translated if the translation is a PAT. New checksums are created for the packet.
   IPSM: If an IPS module is installed, the packet is then passed to the module.
8. Packet is virtually forwarded to the egress interface. The egress interface is determined first by translation rules if known; else an L3 route lookup takes place.
9. L2 Address lookup. An ARP lookup is conducted at this stage.
10. Packet is transmitted and put on wire. Interface counters go up.
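The decision points in steps 3 to 5 explain two things that often confuse troubleshooting: return traffic never touches the ACL, and a TCP packet that is neither a SYN nor part of a known connection is dropped without any ACL hit count moving. The following is an added example, not Cisco code and not from the original article: a simplified Python model of those steps as listed above. The class names and return strings are hypothetical, the addresses are constructed from documentation ranges, and the NAT rewrite itself is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags; "S" is a bare SYN

@dataclass
class AclRule:
    action: str       # "permit" or "deny"
    proto: str
    dst_net: str
    dport: int
    hits: int = 0     # hit count, incremented on match (step 4)

class AsaModel:
    """Hypothetical model of steps 3-5; NAT rewriting itself is left out."""
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()   # connection table of 5-tuples

    def process(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Step 3: a packet of an existing connection skips the ACL.
        if fwd in self.conns or rev in self.conns:
            return "existing-conn"
        # Step 3, "no" branch: only TCP SYN or UDP may go on to the ACL.
        if not (p.proto == "udp" or (p.proto == "tcp" and p.flags == "S")):
            return "drop-no-conn"
        # Step 4: first matching line wins; no match at all is a drop.
        for rule in self.acl:
            if (rule.proto == p.proto and rule.dport == p.dport
                    and ip_address(p.dst) in ip_network(rule.dst_net)):
                rule.hits += 1
                if rule.action == "deny":
                    return "drop-acl"
                # Step 5: after NAT, the connection is created.
                self.conns.add(fwd)
                return "new-conn"
        return "drop-acl"

if __name__ == "__main__":  # constructed sample traffic
    fw = AsaModel([AclRule("permit", "tcp", "192.0.2.0/24", 443)])
    print(fw.process(Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 443, "S")))
```

Feeding the model a stray ACK, then a SYN, then the server's reply shows the ACL hit count changing only on the SYN.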