3/8/2018 Cisco ASA packet flow (Part 1) - Intense School

Cisco ASA packet flow (Part 1)


Posted in Cisco on February 10, 2015
In one of the articles I wrote about VPN between overlapping subnets, I promised to write on the flow of packets through a Cisco ASA, especially as it relates to NAT and route-lookup. In this article, I will focus on general packet flow through the ASA. In the next article, I will drill down into the specifics of NAT and route-lookup.

In this article, I will first present the ASA packet processing algorithm as specified by
Cisco and then we will use the packet-tracer command to verify the output in a lab
scenario. The diagram used in that article is not really clear but there is a clearer
form on this site as shown below:

Let me explain this diagram: When a packet is received on the ingress interface, the ASA checks if it matches an entry in the connection table, i.e. an existing connection. If it does, protocol inspection is carried out on the packet. If it does not match an existing connection and the packet is either a TCP-SYN packet or a UDP packet, the packet is subjected to ACL checks.

Note: The reason it needs to be a TCP-SYN packet is because a SYN packet is the first packet in the TCP 3-way handshake. Any other TCP packet (that isn’t part of an existing connection) is likely an attack.

If the packet is allowed by ACLs and is also verified by translation rules, the packet goes through protocol inspection. Then, the IP header is translated (if NAT is used) and the packet goes through the IPS check (if there is an IPS module on the ASA). If the NAT rule specifies an egress interface, the ASA will virtually forward the packet to this egress interface and then perform a route lookup. If a route is found that specifies the egress interface, then the Layer-2 header of the packet is re-written and the packet is forwarded out the egress interface.

Note: If a route is found that doesn’t specify the determined egress interface, it means there is a conflict between routing and NAT and the packet is dropped.

If the NAT rule does not specify an egress interface, the ASA will determine the
egress interface by performing a route lookup. If a route is found, the Layer-2 header
of the packet is re-written and the packet is forwarded out the egress interface.

In summary, there are three major areas to think about when discussing packet flow
through an ASA: ACLs, NAT and route lookup. Let’s use a lab with different scenarios
to see this packet flow in action.

I’m using GNS3 for this and I have routers connected to all the interfaces of the ASA. We will be using the packet-tracer command for some scenarios, but we will generate real traffic for others.

The configuration I have on the ASA is as follows:
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 41.1.1.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network DMZ
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
access-list DMZ extended permit tcp host 172.16.1.20 host 192.168.1.20 eq ssh
access-list DMZ extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ extended permit ip 172.16.1.0 255.255.255.0 any
!
access-group DMZ in interface dmz

When both the ‘inside’ and ‘dmz’ hosts want to access the ‘outside’ network, they are dynamically translated (PAT) to the ‘outside’ interface address of the ASA. The ‘inside’ to ‘dmz’ communication (and vice versa) does not have any NAT translation rules. There is an ACL applied on the DMZ interface that allows SSH from 172.16.1.20 to 192.168.1.20, denies every other connection from the DMZ to the inside and then allows the DMZ to connect to any other address, e.g. the outside.
Scenario 1: Inside to DMZ

There really isn’t much to see here since there is no NAT or ACL. The ASA has a route to the destination and since this isn’t an existing connection, a connection entry will be created on the ASA.


Scenario 2: DMZ to Inside

This scenario is similar to the first one except that there is an ACL to be checked. The
only (non-existing) connection that will be allowed from the DMZ to the inside is
SSH from host 172.16.1.20 to 192.168.1.20.

Scenario 3: DMZ to Inside (Existing connection)

It will be interesting to see how existing connections bypass the ACL check, so let’s look at a scenario like that. To achieve this, I will first initiate a connection from the inside to the DMZ, e.g. telnet.
If I check the ASA’s connection table, I will see this telnet session there.

With this information, I can check what will happen if the DMZ host 172.16.1.2 sends a
packet to the inside host 192.168.1.2 with source port 23 and destination port 19061.

This communication is allowed because there is already an existing connection, so the ACL check is bypassed. This is the reason you don’t have to explicitly permit the return traffic of “inside-to-outside” connections even though you have an ACL on your outside interface.

Scenario 4: DMZ to Outside

I just want to do one scenario with NAT in this article although we will devote the next article to NAT and route lookup. In our configuration, we are doing source NAT (PAT) for DMZ to outside traffic, i.e. the source of the traffic is translated but the destination is not.
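The four scenarios above, as an added Python model of the packet flow explained earlier (this is my own illustration, not code from the article or from Cisco): connection-table check, the SYN/UDP rule, the ACL (or the implicit security-level rule when no ACL is applied), dynamic PAT and route lookup, fed with the article's lab configuration. The default route via 'outside' and the matching of a NAT rule against the route-lookup egress interface are assumptions of the model.

```python
import ipaddress

# Constructed from the article's lab config: security levels, connected routes
# (plus an assumed default route via 'outside'), dynamic PAT rules and the DMZ ACL.
SECURITY = {"outside": 0, "inside": 100, "dmz": 50}
ROUTES = [("41.1.1.0/30", "outside"), ("192.168.1.0/24", "inside"),
          ("172.16.1.0/24", "dmz"), ("0.0.0.0/0", "outside")]  # default route assumed
NAT = [("inside", "outside", "192.168.1.0/24"), ("dmz", "outside", "172.16.1.0/24")]
IF_ADDR = {"outside": "41.1.1.1"}
# (action, proto, src, dst, dport): first match wins, implicit deny at the end.
ACL = {"dmz": [("permit", "tcp", "172.16.1.20/32", "192.168.1.20/32", 22),
               ("deny", "ip", "0.0.0.0/0", "192.168.1.0/24", None),
               ("permit", "ip", "172.16.1.0/24", "0.0.0.0/0", None)]}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def route_lookup(dst):
    """Longest-prefix match; returns the egress interface or None."""
    hits = [(ipaddress.ip_network(n).prefixlen, ifc) for n, ifc in ROUTES if in_net(dst, n)]
    return max(hits)[1] if hits else None

def acl_permits(pkt, egress):
    if pkt["ingress"] not in ACL:  # no ACL applied: higher security level may reach lower
        return egress is not None and SECURITY[pkt["ingress"]] > SECURITY[egress]
    for action, proto, src, dst, dport in ACL[pkt["ingress"]]:
        if proto in ("ip", pkt["proto"]) and in_net(pkt["src"], src) \
                and in_net(pkt["dst"], dst) and dport in (None, pkt["dport"]):
            return action == "permit"
    return False

def process(pkt, conns):
    """Walk one packet through the flow; returns (verdict, egress, source after NAT)."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    egress = route_lookup(pkt["dst"])
    if key in conns or reverse in conns:  # existing connection: the ACL check is skipped
        return ("allow", egress, pkt["src"])
    if not (pkt["proto"] == "udp" or (pkt["proto"] == "tcp" and pkt.get("syn"))):
        return ("drop: no connection and not SYN/UDP", None, None)
    if not acl_permits(pkt, egress):
        return ("drop: ACL", None, None)
    src = pkt["src"]
    for real, mapped, net in NAT:  # dynamic PAT to the mapped interface's address
        if pkt["ingress"] == real and egress == mapped and in_net(src, net):
            src = IF_ADDR[mapped]
    if egress is None or egress == pkt["ingress"]:
        return ("drop: no route", None, None)
    conns.add(key)  # new connection entry, so the reply packets bypass the ACL
    return ("allow", egress, src)
```

Run the inside-to-DMZ SYN first and then the DMZ-to-inside reply with the same connection set to reproduce Scenario 3; the same reply against an empty set is dropped because it is neither a SYN nor a known connection.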
Before I end this article, I would like to point out something with regard to NAT and ACLs on post-8.3 ASA software versions. No matter the interface you are dealing with, always use the real IP address of the traffic in your ACL. In the pre-8.3 era, the IP address you used in your ACL depended on what address was seen on the interface (real or mapped). You can refer to this article for more information about this.

Conclusion

In this article, we have discussed the packet processing algorithm on the Cisco ASA
and also used a lab to verify its workings based on various scenarios. The packet-
tracer output does not always correspond to what really happens especially as it
relates to NAT and route lookup and we will see more of this in the next article.

I hope you have found this article insightful.

References and further reading

Packet Flow through Cisco ASA Firewall: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

Cisco ASA Order of Operation: http://www.tunnelsup.com/cisco-asa-order-of-operation
Author: Adeolu Owokade

Adeolu Owokade is a technology lover who has always been intrigued by Security. He has multiple years of experience in the design, implementation and support of network and security technologies. He's a CCIE (Security) with a new found love in writing.
