Packet flow through the ASA explained

Let's go through it step by step:

  1. Once a packet reaches the ingress interface, the input counter of that interface is incremented by one. To verify the counters, use the command: show interface.
  2. If the connection matches an entry in the internal connection table, the flow moves directly to step 5. If it does not match and the packet is either a TCP SYN or UDP, the connection table is updated and the connection counter is incremented; otherwise the packet is dropped. To verify the connection table, use the command: show conn.
  3. The packet is processed sequentially through the ACEs contained in the interface ACL. If the packet is permitted, it is forwarded to the next stage; otherwise it is dropped. Either way, the hit count of the matching ACE is incremented. To verify the ACL, use the command: show access-list.
  4. In this stage the packet is checked against the translation rules. If it matches, the connection table is updated with this entry and the packet moves to the next stage; otherwise the packet is dropped. To verify the translation rules, use the command show nat; to see the translations that have been built, use the command show xlate.
  5. The packet is checked against the inspection rules. If it passes inspection, it moves forward; otherwise it is dropped. To verify the inspected protocols, use the command show service-policy inspect.
  6. At this point the packet addresses are translated according to the established NAT or PAT rules. The packet is forwarded to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS-related security checks. To check the rules, use the command show run nat.
  7. Based on the translation rules, or through a global route check, the packet moves to the egress interface. To check the route lookup, use the command show route.
  8. A route lookup is performed. Remember that the egress interface is determined by the translation rule, which takes priority.
  9. With the Layer 3 next hop defined, L2 resolution is performed and the frame is constructed. To verify the resolution, use the command show arp.
  10. The packet is transmitted on the wire to its destination.
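As an added illustration that is not part of the original post and is not Cisco code, the following Python model walks a packet through the stages above in exactly the order the post gives them, including its statement that a packet with no matching translation rule is dropped. The `Asa` and `Packet` classes, the CIDR-based ACEs and the addresses are hypothetical and constructed for the example; the point it makes visible is that a packet matching an existing connection jumps from step 2 to step 5, so a later ACL change never touches the flow, and that the connection entry is created before the ACL is consulted.

```python
import ipaddress
from dataclasses import dataclass, field
def _in(addr, cidr):  # is addr inside the cidr prefix?
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag; ignored for UDP

@dataclass
class Asa:  # hypothetical model of the post's stages, not Cisco code
    acl: list      # ordered ACEs: (action, src_cidr, dst_cidr)
    nat: dict      # real source -> translated source (static NAT)
    routes: dict   # destination cidr -> egress interface
    inspect: callable = lambda p: True              # step 5 hook; True = pass
    conns: set = field(default_factory=set)         # the connection table
    counters: dict = field(default_factory=lambda: {"input": 0, "conn": 0})
    acl_hits: dict = field(default_factory=dict)    # ACE index -> hit count

    def forward(self, p):  # -> (verdict, egress or drop stage, translated src or None)
        self.counters["input"] += 1                          # step 1
        key = (p.src, p.dst, p.proto)
        if key not in self.conns:                            # step 2
            if p.proto == "udp" or (p.proto == "tcp" and p.syn):
                self.conns.add(key)
                self.counters["conn"] += 1
            else:
                return ("dropped", "conn-table", None)       # non-SYN, no existing conn
            for i, (action, s, d) in enumerate(self.acl):    # step 3: first match wins
                if _in(p.src, s) and _in(p.dst, d):
                    self.acl_hits[i] = self.acl_hits.get(i, 0) + 1
                    if action == "deny":
                        return ("dropped", "acl", None)
                    break
            else:
                return ("dropped", "acl-implicit-deny", None)
            if p.src not in self.nat:                        # step 4, as the post states it
                return ("dropped", "nat-rule", None)
        if not self.inspect(p):                              # step 5; existing conns start here
            return ("dropped", "inspection", None)
        xsrc = self.nat[p.src]                               # step 6: apply the translation
        hits = [n for n in self.routes if _in(p.dst, n)]     # steps 7-8: longest-prefix route
        if not hits:
            return ("dropped", "no-route", None)
        best = max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)
        return ("forwarded", self.routes[best], xsrc)        # steps 9-10 (ARP, transmit) omitted
```

Running the same five-tuple twice shows `acl_hits` unchanged on the second packet, which is the behaviour step 2 describes and the reason `show conn` rather than `show access-list` is the place to look when an already-open flow is not affected by a new ACE.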


See you on the next post. Stay good.