Velocity Reviews - Computer Hardware Reviews
Summary of what happens to a packet as it enters and then leaves thePIX\ASA firewall - please correct if you see something wrong - thx

t.eliason@eds.com
11-27-2007
I get questions from clients asking what are the steps involved when a
packet enters a fw and leaves it.
So I did some research and came up with this sequence. Please suggest
corrections if you see a mistake. It is always good to have this kind
of summary handy.

Summary of Basic PIX\ASA Inspection Sequence and Operations:
Cisco IOS 6.3

The PIX\ASA inspection sequence is performed as follows:
1. As a packet enters an interface, the PIX evaluates the security
level for the source and destination interfaces. A low-to-high is
allowed only if there is an access-list that allows the connection and
a high-to-low is allowed by default unless a specific access-list
denies it. If there are ACLs present, the packet is checked against
these here.

2. Then the packet is checked against the stateful connection table.
If the packet is part of an already established connection, then it is
passed forward in order to be routed out and eventually translated if
specified. If the packet is identified as part of a new session, it
is passed to the ASA that performs the inbound network translation
(destination NAT).

3. ASA performs the inbound network translation (destination NAT) if
applicable.

4. The ASA updates the connections table with the packet's connection
state and the timers are started for that session.

5. The packet is checked against the Inspections database to
determine if the connection requires application-level inspection.
(checks to see if it needs a Fixup)

6. The packet gets routed to the interface designated by the routing
table.

7. At the exit interface, the source translation is performed, if
specified by using global statements and nat groups.

8. The packet is sent to the next hop router in the routing table or
to the final destination if it is present in the local firewall's
subnets.

Thanks
Tom
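The eight steps above, worked through as a small toy model of the inspection pipeline (added here as an example; this is not Cisco code and not part of the original post). Interface names, security levels, the static translation, the ACL, the global address and the fixup table are all constructed sample configuration; the ACL is matched against the pre-NAT (global) destination because step 1 runs before step 3, the PAT keeps the original source port, and return traffic of an established session is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed toy model of the post's 8-step sequence (hypothetical, not Cisco code).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}           # interface security levels
ROUTES = [(ip_network("10.0.0.0/8"), "inside"),              # step 6: routing table
          (ip_network("172.16.1.0/24"), "dmz"),
          (ip_network("0.0.0.0/0"), "outside")]
STATIC = {("outside", "203.0.113.10"): "172.16.1.10"}       # step 3: global -> real (destination NAT)
ACLS = {"outside": [("permit", "tcp", "203.0.113.10", 80)]}  # step 1: inbound ACL, matches global address
GLOBAL = {"outside": "203.0.113.1"}                          # step 7: global (PAT) address per exit interface
INSPECT = {80: "http", 21: "ftp"}                            # step 5: services that need a fixup
conns = {}                                                   # steps 2/4: stateful connection table

def route(dst):
    """Longest-prefix lookup is skipped; the list is ordered most-specific first."""
    return next(iface for net, iface in ROUTES if ip_address(dst) in net)

def acl_permits(iface, proto, dst, dport):
    acl = ACLS.get(iface)
    if acl is None:                       # no ACL on this interface: security levels decide
        return None
    for action, p, d, port in acl:
        if (p, d, port) == (proto, dst, dport):
            return action == "permit"
    return False                          # implicit deny at the end of a configured ACL

def process(in_iface, proto, src, sport, dst, dport):
    """Return (verdict, detail) for one packet entering in_iface."""
    # step 1: compare security levels of ingress and egress, then apply the interface ACL.
    # The egress interface comes from the routing table (step 6); it is needed here for the comparison.
    real_dst = STATIC.get((in_iface, dst), dst)
    out_iface = route(real_dst)
    verdict = acl_permits(in_iface, proto, dst, dport)
    if verdict is None:
        verdict = LEVELS[in_iface] > LEVELS[out_iface]   # high-to-low allowed by default
    if not verdict:
        return "drop", "acl/security-level"
    # step 2: packet belongs to an existing connection?
    key = (in_iface, proto, src, sport, dst, dport)
    if key in conns:
        return "forward", f"existing conn via {conns[key]['out']}"
    # step 3: destination NAT applied; step 4: new conn entry with its idle timer
    conns[key] = {"out": out_iface, "dst": real_dst, "idle": 0}
    # step 5: application-level inspection (fixup) if the service requires it
    fixup = INSPECT.get(dport)
    # step 7: source translation at the exit interface (only for high-to-low sessions)
    new_src = GLOBAL[out_iface] if LEVELS[in_iface] > LEVELS[out_iface] else src
    # step 8: hand the packet to the next hop / destination on out_iface
    return "forward", f"{new_src}->{real_dst}:{dport} out {out_iface} fixup={fixup}"
```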