Cisco ASA Packet Flow (Part 1) - Intense School
Posted in Cisco on February 10, 2015
http://resources.intenseschool.com/cisco-asa-packet-flow-part-1/ 1/13
3/8/2018 Cisco ASA packet flow (Part 1) - Intense School
In one of the articles I wrote about VPN between overlapping subnets, I promised to write on the flow of packets through a Cisco ASA, especially as it relates to NAT and route-lookup. In this article, I will focus on general packet flow through the ASA. In the next article, I will drill down into the specifics of NAT and route-lookup.
In this article, I will first present the ASA packet processing algorithm as specified by
Cisco and then we will use the packet-tracer command to verify the output in a lab
scenario. The diagram used in that article is not really clear but there is a clearer
form on this site as shown below:
Let me explain this diagram: When a packet is received on the ingress interface, the ASA checks if it matches an entry in the connection table (i.e., an existing connection). If it does, protocol inspection is carried out on the packet. If it does not match an existing connection and the packet is either a TCP-SYN packet or a UDP packet, the packet is subjected to ACL checks.

Note: The reason it needs to be a TCP-SYN packet is that a SYN packet is the first packet in the TCP 3-way handshake. Any other TCP packet (that isn't part of an existing connection) is likely an attack.

If the packet is allowed by the ACLs and is also verified by the translation rules, the packet goes through protocol inspection. Then the IP header is translated (if NAT is used) and the packet goes through the IPS check (if there is an IPS module on the ASA). If the NAT rule specifies an egress interface, the ASA will virtually forward the packet to this egress interface and then perform a route lookup. If a route is found that specifies the egress interface, then the Layer-2 header of the packet is re-written and the packet is forwarded out the egress interface.

Note: If a route is found that doesn't specify the determined egress interface, it means there is a conflict between routing and NAT, and the packet is dropped.

If the NAT rule does not specify an egress interface, the ASA will determine the egress interface by performing a route lookup. If a route is found, the Layer-2 header of the packet is re-written and the packet is forwarded out the egress interface.
In summary, there are three major areas to think about when discussing packet flow
through an ASA: ACLs, NAT and route lookup. Let’s use a lab with different scenarios
to see this packet flow in action.
I'm using GNS3 for this and I have routers connected to all the interfaces of the ASA. We will be using the packet-tracer command for some scenarios, but we will generate real traffic for others.

The configuration I have on the ASA is as follows:
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 41.1.1.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network DMZ
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
access-list DMZ extended permit tcp host 172.16.1.20 host 192.168.1.20 eq ssh
access-list DMZ extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ extended permit ip 172.16.1.0 255.255.255.0 any
!
access-group DMZ in interface dmz
When both the 'inside' and 'dmz' hosts want to access the 'outside' network, they are dynamically translated (PAT) to the 'outside' interface address of the ASA. The 'inside' to 'dmz' communication (and vice versa) does not have any NAT translation rules. There is an ACL applied on the DMZ interface that allows SSH from 172.16.1.20 to 192.168.1.20, denies every other connection from the DMZ to the inside and then allows the DMZ to connect to any other address, e.g. the outside.
Scenario 1: Inside to DMZ

There really isn't much to see here since there is no NAT or ACL. The ASA has a route to the destination and since this isn't an existing connection, then a connection

This scenario is similar to the first one except that there is an ACL to be checked. The only (non-existing) connection that will be allowed from the DMZ to the inside is SSH from host 172.16.1.20 to 192.168.1.20.
It will be interesting to see how existing connections bypass the ACL check, so let's look at a scenario like that. To achieve this, I will first initiate a connection from the inside to the DMZ, e.g. telnet.

If I check the ASA's connection table, I will see this telnet session there.

With this information, I can check what will happen if the DMZ host 172.16.1.2 sends a packet to the inside host 192.168.1.2 with source port 23 and destination port 19061.
This communication is allowed because there is already an existing connection, so the ACL check is bypassed. This is the reason you don't have to explicitly permit the return traffic of "inside-to-outside" connections even though you have an ACL on your outside interface.

Scenario 4: DMZ to Outside

I just want to do one scenario with NAT in this article, although we will devote the next article to NAT and route lookup. In our configuration, we are doing source NAT (PAT) for DMZ to outside traffic, i.e. the source of the traffic is translated but the destination is not.
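To tie the algorithm and the four lab scenarios together, here is an added example (my own model, not code from the article or from Cisco) that walks a packet through the same decision order: connection-table lookup first, then the TCP-SYN rule, then the inbound ACL, then translation and route lookup. The routes, the NAT rules and the DMZ ACL are transcribed from the lab configuration above; the outside host 203.0.113.10 and the ephemeral ports are constructed values, and the model only covers source PAT, as the lab does.

```python
import ipaddress as ip

# Constructed model of the article's lab: routing table, object NAT (PAT to the
# outside interface address) and the ACL applied inbound on the dmz interface.
ROUTES = [("192.168.1.0/24", "inside"), ("172.16.1.0/24", "dmz"), ("0.0.0.0/0", "outside")]
NAT = {("inside", "outside"): "41.1.1.1", ("dmz", "outside"): "41.1.1.1"}  # nat (x,outside) dynamic interface
ACLS = {"dmz": [("permit", "tcp", "172.16.1.20/32", "192.168.1.20/32", 22),
                ("deny", "ip", "0.0.0.0/0", "192.168.1.0/24", None),
                ("permit", "ip", "172.16.1.0/24", "0.0.0.0/0", None)]}

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    hits = [r for r in ROUTES if ip.ip_address(dst) in ip.ip_network(r[0])]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen)[1]

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry decides; entries use real (untranslated) addresses, as post-8.3 requires."""
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and ip.ip_address(src) in ip.ip_network(s) \
                and ip.ip_address(dst) in ip.ip_network(d) and port in (None, dport):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def process(pkt, conns):
    """Walk one packet through the flow the article describes.
    pkt: dict(ingress, proto, src, sport, dst, dport, syn); conns: set of 5-tuples.
    Returns (verdict, egress interface, source address as seen on the egress interface)."""
    fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    egress = route_lookup(pkt["dst"])
    mapped = NAT.get((pkt["ingress"], egress), pkt["src"])  # PAT only applies when leaving via outside
    if fwd in conns or rev in conns:              # step 1: existing connection, ACL check bypassed
        return ("allow", egress, mapped)
    if pkt["proto"] == "tcp" and not pkt["syn"]:  # step 2: only a SYN may open a new TCP connection
        return ("drop:not-syn", None, None)
    acl = ACLS.get(pkt["ingress"])                # step 3: inbound ACL on the ingress interface, if any
    if acl and not acl_permits(acl, pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"]):
        return ("drop:acl", None, None)
    conns.add(fwd)                                # step 4: build the connection, translate, forward
    return ("allow", egress, mapped)

def pkt(ingress, src, sport, dst, dport, syn=True, proto="tcp"):
    """Small constructor for the constructed test packets."""
    return dict(ingress=ingress, proto=proto, src=src, sport=sport, dst=dst, dport=dport, syn=syn)
```

Running the inside-to-DMZ telnet SYN first and then the DMZ-to-inside reply (source port 23, destination port 19061, no SYN) reproduces scenario 3: the reply is allowed only because the forward connection already exists; against an empty connection table the same packet is dropped as a non-SYN.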
Before I end this article, I would like to point out something with regard to NAT and ACLs on post-8.3 ASA software versions. No matter which interface you are dealing with, always use the real IP address of the traffic in your ACL. In the pre-8.3 era, the IP address you used in your ACL depended on what address was seen on the interface (real or mapped). You can refer to this article for more information about this.
Conclusion

In this article, we have discussed the packet processing algorithm on the Cisco ASA and also used a lab to verify its workings based on various scenarios. The packet-tracer output does not always correspond to what really happens, especially as it relates to NAT and route lookup, and we will see more of this in the next article.
Author: Adeolu Owokade is a technology lover who has always been intrigued by Security. He has multiple years of experience in the design, implementation and support