Cisco ASA Firewall: Packet Flow/Mode of Operation (2024)

Scenario: a packet initiated from the inside network toward the outside (from the ingress interface to the egress interface).


1) A user sitting inside the network tries to reach a website on the Internet (outside).

2) The packet arrives at the inside (ingress) interface of the ASA. Once it is in the interface's internal buffer, the input counter of that interface is incremented by one.

3) The ASA looks the packet up in its internal connection table to determine whether it belongs to an existing connection. If it does, the ACL check (step 4) is bypassed and processing continues at step 5.

If the packet is TCP and no connection exists, the ASA examines the TCP flags. Only a packet carrying the SYN flag is allowed to open a new connection; once the flow is accepted, a connection entry is added and the connection counter is incremented. A TCP packet without SYN that matches no existing connection is discarded and a log entry is generated (syslog %ASA-6-106015, "Deny TCP (no connection)").

Remember the three-way handshake: SYN, SYN-ACK, ACK. The ASA is a stateful firewall; if the TCP flags do not arrive in the order the handshake intends, it simply drops the packet. Many scans and attacks rely on exactly this kind of flag manipulation (ACK, FIN, NULL or Xmas scans, for example), so these drops are worth monitoring. The same behaviour also means that asymmetric routing, where the ASA sees only one direction of a flow, breaks TCP through the firewall unless TCP state bypass is configured for that traffic.

If the packet is UDP there is no handshake, so the first packet of a flow creates a connection entry and increments the connection counter as well, subject to the ACL and NAT checks below.

4) The ASA checks the packet against the ACL applied to the ingress interface. Entries are evaluated top down and the first match wins. If the packet matches a permit entry, that entry's hit counter is incremented and the packet moves to the next step; otherwise the packet is dropped, either by an explicit deny or by the implicit deny at the end of every ACL. If no ACL is bound to the interface, the security-level defaults apply: traffic from a higher security level to a lower one (inside to outside here) is permitted, the reverse is denied.

5) The packet is then matched against the NAT rules. If it passes this check, a connection entry is created for the flow and the packet moves forward; otherwise it is dropped and a log entry is created. This step only identifies the translation to apply; the header is actually rewritten in step 7. On ASA 8.3 and later, both the ACL and the NAT rules reference the real (untranslated) addresses of the inside host.

6) The packet is checked against the inspection policy. Inspection verifies that the flow complies with the protocol it claims to be (for example, that traffic on port 80 is well-formed HTTP, or that DNS messages stay within the configured length) and opens secondary channels for protocols such as FTP. On the ASA these checks are configured through the Modular Policy Framework (MPF): class-map, policy-map and service-policy commands on the CLI, or Service Policy Rules in ASDM.

If the packet passes inspection it moves to the next step; otherwise it is dropped and the event is logged. If the ASA has a CSC (Content Security and Control) module installed, the packet is additionally forwarded to that module for analysis and then returns to step 7.

7) The actual Network Address Translation happens at this step: the IP header is rewritten according to the matching NAT/PAT rule. If an IPS module is present, the packet is forwarded to it for further inspection.

8) The packet is forwarded to the outside (egress) interface identified by the translation rule. If the NAT rule does not specify an egress interface, the destination interface is chosen by a global route lookup.

9) On the egress interface an interface route lookup is performed to find the next hop.

10) Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed (ARP for the next hop) and the MAC header is rewritten.

11) Finally the ASA transmits the packet to the next hop.

Note: when destination NAT applies there is an additional step: the destination address is untranslated before the route lookup so the packet is routed toward the real host, and on ASA 8.3 and later, where ACLs reference real addresses, this untranslation also happens before the ACL check. Otherwise the order of operations stays the same.
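The following configuration is an added example, not part of the original article, that puts the steps above on a hypothetical two-interface ASA using 8.3-or-later syntax. The interface names, object and ACL names and the addresses (taken from the RFC 5737 and RFC 1918 documentation ranges) are assumptions chosen for illustration. It then uses packet-tracer to walk a synthetic packet through the same phases and lists the show commands that expose the state each step creates.

```cisco
! Added example, not from the original article. Hypothetical two-interface ASA
! in routed mode, 8.3+ syntax; interface/object/ACL names and the RFC 5737 /
! RFC 1918 addresses are assumptions chosen for illustration.
!
! Step 2: ingress on inside (security-level 100), egress via outside (0).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Steps 8-9: default route used by the global and egress route lookups.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Steps 5 and 7: dynamic PAT of the inside subnet behind the outside
! interface address. The rule is matched in step 5 and applied in step 7.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Step 4: ingress ACL on inside, written with real (untranslated) addresses.
! Top-down, first match wins. The implicit deny would drop everything else
! silently; the explicit "deny ip any any log" exists only to log those drops.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Step 6: MPF inspection. inspection_default is the built-in class matching
! the standard ports; protocol violations on TCP/80 or UDP/53 are caught
! here, after the ACL has already permitted the port.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
service-policy global_policy global
!
! Walk a synthetic packet through the same steps without sending real traffic.
! The output shows one block per phase (ROUTE-LOOKUP, ACCESS-LIST, NAT,
! INSPECT, FLOW-CREATION) and finishes with "Result: ALLOW" or "DROP" plus
! a Drop-reason, so the failing step is explicit.
!
! a) New HTTPS connection: passes the ACL and NAT phases and creates a flow.
packet-tracer input inside tcp 10.1.1.50 40000 198.51.100.10 443 detailed
!
! b) Telnet to the Internet: stops in the ACCESS-LIST phase with
!    Drop-reason: (acl-drop) Flow is denied by configured rule.
packet-tracer input inside tcp 10.1.1.50 40001 198.51.100.10 23
!
! Inspect the state the steps above create or update.
! Step 3: connection table entries for the host.
show conn address 10.1.1.50
! Step 7: active translations (10.1.1.50 -> 203.0.113.2 with a new port).
show xlate
! Step 4: per-ACE hit counters.
show access-list INSIDE_IN
! Accelerated security path drop counters, including tcp-not-syn for
! TCP packets that matched no connection and did not carry SYN.
show asp drop
! The step-3 "Deny TCP (no connection)" syslogs, if logging is buffered.
show logging | include 106015
```

packet-tracer always injects the packet as the first one of a new flow, so it exercises the slow path (steps 3 to 5) every time; it cannot show the fast-path bypass of an established connection or the drop of a non-SYN packet. For that, watch show conn before and after real traffic, or attach a capture with the trace keyword (capture CAP interface inside trace match tcp host 10.1.1.50 any eq 443) and read the per-packet phases with show capture CAP trace.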


FAQs

What is the packet flow of a Cisco ASA firewall?

The packet first arrives at the ingress interface of the ASA. Once it reaches the interface's internal buffer, the input counter of the interface is incremented by one. The ASA then consults its internal connection table to check whether the packet belongs to an existing connection.

What are the ASA firewall modes of operation?

The two modes are routed mode and transparent mode. In routed mode the device is a Layer 3 device and offers many of the same capabilities as a Cisco router. In transparent mode the ASA is a "bump in the wire" and acts more like a Layer 2 switch.

How to check traffic flow in an ASA firewall?

The ASA exports flow records in its own NetFlow v9 variant, NetFlow Secure Event Logging (NSEL), which reports flow creation, teardown and denial events with byte counts rather than sampled packets. A collector such as NetFlow Analyzer uses these records to analyse the traffic patterns passing through the firewall; configuring flow export on the ASA provides a set of pre-bundled reports that help detect suspicious traffic and decide where to apply ACLs or service policies.
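As an added example that is not part of the original FAQ, this is the ASA-side NSEL export configuration a collector such as NetFlow Analyzer needs. The collector address and port, the interface it is reached through, and the ACL and class names are assumptions.

```cisco
! Added example, not from the original page. A collector at 10.1.1.20:2055
! reachable through the inside interface is an assumption.
flow-export destination inside 10.1.1.20 2055
! Resend the v9 templates every minute so a restarted collector can decode
! records quickly (default is 30 minutes).
flow-export template timeout-rate 1
! Hold the flow-create event for 15 s: short flows then produce only the
! teardown record, which is the one carrying the byte counts.
flow-export delay flow-create 15
!
! Select which traffic generates NSEL events through MPF; here every IP flow.
access-list NSEL_ALL extended permit ip any any
class-map NSEL_CLASS
 match access-list NSEL_ALL
!
policy-map global_policy
 class NSEL_CLASS
  flow-export event-type all destination 10.1.1.20
service-policy global_policy global
!
! NSEL already reports flow created, torn down and denied events, so the
! syslogs carrying the same information (302013-302015, 106015, 106023,
! 106100 and others) can be suppressed to cut logging load.
logging flow-export-syslogs disable
!
! Verify that records are actually leaving the box.
show flow-export counters
show running-config flow-export
```

Because NSEL is event based, a collector sees a flow only when it is created, denied or torn down; a long-lived connection therefore appears once at setup and once at teardown rather than as a stream of periodic samples, which matters when tuning detection on these reports.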

How to check packet flow in a Cisco router?

Path Analysis is an operations and diagnostic application that traces the connectivity between two specified points on your network, including the physical and logical paths taken by packets flowing between those points. From the CiscoWorks2000 desktop, select Campus Manager > Path Analysis. (CiscoWorks2000 has long been discontinued; the description is kept for reference.)

What is the packet-tracer command in the ASA?

The packet-tracer command lets a firewall administrator inject a synthetic packet into the security appliance and track its flow from ingress to egress. The output lists each processing phase (route lookup, access list, NAT, inspection, flow creation) with its result and ends with ALLOW or DROP plus the drop reason, so it shows exactly which of the steps above rejected a packet.

What are the two modes in which a Cisco ASA can be configured?

The ASA supports two firewall modes: routed firewall mode and transparent firewall mode. Independently of the firewall mode, the ASA can also run in single-context or multiple-context mode.

How many modes are there in a firewall?

In terms of policy there are two approaches: default allow and default deny. A default-allow rule set permits all connections through the firewall unless a rule explicitly blocks them; a default-deny rule set blocks everything that is not explicitly permitted, which is what the implicit deny at the end of every ASA ACL implements.

What is the difference between routed mode and transparent mode?

In routed mode the firewall is a Layer 3 device in the network: it supports multiple interfaces, each on a different subnet, and can perform network address translation (NAT) between the connected networks. In transparent mode the firewall is a Layer 2 device and not a routed hop: its interfaces are bridged, hosts on both sides share one subnet, and the ASA itself needs only a management address.
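The following configuration is an added example (not the page's own) showing what the transparent mode described above looks like in practice on a hypothetical two-interface, single-context ASA running 8.4 or later; interface names, bridge-group number and addresses are assumptions.

```cisco
! Added example, not from the original page. Converting a single-context ASA
! to transparent mode; interface and address details are assumptions.
! Caution: "firewall transparent" clears the running configuration, so save
! a copy before changing mode. "show firewall" reports the current mode.
firewall transparent
!
! Both interfaces join one bridge group; frames are bridged, not routed, and
! the ASA sits as a "bump in the wire" between the existing router and hosts.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The only IP address on the data path is the BVI, used for management and
! for the ASA's own traffic (syslog, AAA); it must sit in the bridged subnet.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Security levels, ACLs, NAT and MPF inspection still apply exactly as in
! routed mode, so the packet-flow steps are unchanged; only the Layer 3
! route lookup is replaced by a MAC-table lookup within the bridge group.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Non-IP frames are dropped unless an EtherType ACL permits them (ARP is
! the exception and passes by default). Spanning-tree BPDUs are the usual
! requirement when switches sit on both sides of the ASA.
access-list ETH_PASS ethertype permit bpdu
access-group ETH_PASS in interface inside
access-group ETH_PASS in interface outside
!
! Verify the mode, the bridge group membership and the learned MAC table.
show firewall
show bridge-group 1
show mac-address-table
```

The permit-any ACL on inside reproduces the routed-mode default for high-to-low traffic; tighten it the same way as in routed mode once the bridge is known to work, since an overly narrow rule in transparent mode also blocks traffic the hosts previously exchanged without any firewall in the path.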

How to check Cisco ASA firewall throughput?

Use the show interface command. It displays detailed information about each interface, including the current input and output rates in bytes and packets per second (1-minute and 5-minute averages). show traffic reports the same rates per interface in a more compact form.

How does traffic flow through a firewall?

A firewall looks at each packet of data to determine where it came from and where it is going, and decides whether the packet should be accepted and allowed to continue on its way or denied and dropped.

What is Check Point packet flow?

The packet flow of a Check Point firewall is: SAM database --> anti-spoofing --> rule base (policy) --> destination NAT --> route lookup --> source NAT --> VPN --> Layer 7 inspection --> route. Compare this with the ASA order above, where the NAT rule is evaluated before inspection but the translation itself is applied after it.

What are the steps of packet flow?

How does a packet flow within the same network?
  1. In this topology, we have four devices: PC1, PC2, PC3, and PC4. ...
  2. The ARP request reaches all devices on the subnet, but only PC4 responds with an ARP reply containing its MAC address. ...
  3. Now that PC1 knows the MAC address of PC4, it can send the data packet to it.

What is a packet-filtering firewall and how does it operate?

Firewalls are appliances that protect networks against external intrusion by screening incoming data and admitting or excluding traffic. Packet-filtering firewalls achieve this by applying security rules to individual packets; packets that pass these tests are allowed into the network.

What is the packet flow concept?

There is a simple rule for packet flow in a network: if the destination host is in the same network as the source host, the packet is delivered directly to the destination using its MAC address. Within a network, delivery is based on MAC addresses.

How does a Cisco ASA firewall work?

ASA stands for Adaptive Security Appliance. In brief, the Cisco ASA is a security device that combines firewall and virtual private network (VPN) capabilities with, through add-on modules, intrusion prevention and content security (antivirus) functions. It provides proactive threat defense intended to stop attacks before they spread through the network.

What is the flow of a network packet?

In packet-switched networks, a traffic flow, packet flow or network flow is a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain.

What is IP packet flow?

The switch forwards the packet to port 4, where PC4 receives it. PC4 checks the destination IP address of the packet and sees that it matches its own. It then processes the data according to the protocol and application. This is how packet flow works within the same network.

Article information

Author: Virgilio Hermann JD
