Tuesday, August 24, 2010

Cisco ASA order of operations

1. FLOW-LOOKUP - Checks for an existing connection. If a connection exists, the packet is matched to that flow and allowed without re-evaluating the ACL and NAT steps below; those run only for the first packet of a flow.

2. ROUTE-LOOKUP - The inbound route lookup, which includes the reverse path forwarding (RPF) check, if enabled.

3. Inbound ACCESS-LIST - Checks the ACL applied inbound on the ingress interface.

4. CONN-SETTINGS - Connection settings and application layer checks applied through class maps (Modular Policy Framework).

5. IP-OPTIONS - IP options check (RFC 791).

6. NAT - Address translation. From this point on the packet carries the mapped (global) address.

7. Outbound ACCESS-LIST - Checks the ACL applied outbound on the egress interface, if one exists. Because this runs after NAT, it sees the translated addresses.

8. FLOW-CREATION - Creates the connection entry; subsequent packets of this flow are matched at step 1.

9. ROUTE-LOOKUP - Destination (egress) route lookup.
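The ordering of NAT before the outbound access list is the one that bites in practice, so here is an added example (not from the original post) of a pre-8.3 ASA configuration that shows an outbound ACL on the outside interface written the wrong way and the right way. Interface names, addresses, ACL names and the packet-tracer target are assumptions.

```cisco
! Added example, not from the original post. ASA 8.2-era NAT syntax;
! interface names, addresses and ACL names are assumptions.
! 10.1.1.10 is an inside host statically translated to 203.0.113.10
! on the outside interface.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Inbound ACL on the ingress (inside) interface: evaluated before NAT,
! so it matches the real address.
access-list INSIDE_IN extended permit tcp host 10.1.1.10 any eq 443
access-group INSIDE_IN in interface inside

! WRONG outbound ACL for the egress (outside) interface: it is evaluated
! after NAT, when the source is already 203.0.113.10, so this line never
! matches and the packet hits the implicit deny at the end of the ACL.
access-list OUTSIDE_OUT_WRONG extended permit tcp host 10.1.1.10 any eq 443

! CORRECT outbound ACL: written against the mapped (global) address.
access-list OUTSIDE_OUT extended permit tcp host 203.0.113.10 any eq 443
access-list OUTSIDE_OUT extended deny ip any any log
access-group OUTSIDE_OUT out interface outside

! Walk the path phase by phase (FLOW-LOOKUP, ROUTE-LOOKUP, ACCESS-LIST,
! ... NAT, ACCESS-LIST, FLOW-CREATION). 198.51.100.20 is an assumed
! destination on the outside.
packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.20 443 detailed
```

To see the failure, bind OUTSIDE_OUT_WRONG with access-group in place of OUTSIDE_OUT and rerun the packet-tracer: the ACCESS-LIST phase that follows the NAT phase is where the packet is dropped. Check the software version before copying this: from ASA 8.3 onward the NAT model changed and access rules are written with real (untranslated) addresses regardless of direction.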

2 comments:

  1. In the case of outbound ACLs on an egress interface, the ACL is applied after the NAT. So if you have traffic originating from the inside destined to the outside with a global NAT and an outbound ACL on the outside interface, your ACL needs to have a source of the global NAT, not the real address. -Dustin
  2. Good call. Updated the list