Summary of what happens to a packet as it enters and then leaves the PIX\ASA firewall - please correct

Discussion in 'Cisco' started by t.eliason@eds.com, Nov 27, 2007.

  1. Guest

    I get questions from clients asking what are the steps involved when a
    packet enters a fw and leaves it.
    So I did some research and came up with this sequence. Please suggest
    corrections if you see a mistake. It is always good to have this kind
    of summary handy.

    Summary of Basic PIX\ASA Inspection Sequence and Operations:
    Cisco IOS 6.3

    The PIX\ASA inspection sequence is performed as follows:
    1. As a packet enters an interface, the PIX evaluates the security
    level for the source and destination interfaces. A low-to-high is
    allowed only if there is an access-list that allows the connection and
    a high-to-low is allowed by default unless a specific access-list
    denies it. If there are ACLs present, the packet is checked against
    these here.

    2. Then the packet is checked against the stateful connection table.
    If the packet is part of an already established connection, then it is
    passed forward in order to be routed out and eventually translated if
    specified. If the packet is identified as part of a new session, it
    is passed to the ASA that performs the inbound network translation
    (destination NAT).

    3. ASA performs the inbound network translation (destination NAT) if
    applicable.

    4. The ASA updates the connections table with the packet's connection
    state and the timers are started for that session.

    5. The packet is checked against the Inspections database to
    determine if the connection requires application-level inspection.
    (checks to see if it needs a Fixup)

    6. The packet gets routed to the interface designated by the routing
    table.

    7. At the exit interface, the source translation is performed, if
    specified, using global statements and nat groups.

    8. The packet is sent to the next hop router in the routing table or
    to the final destination if it is present in the local firewall's
    subnets.

    Thanks
    Tom