Hi Asi,
Here’s a good document from Cisco that explains the “order of operation” for the ASA:
The packet tracer tool on the ASA is also great to answer this question. For example:
ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80
This will show us the packet flow for a host that is using IP address 192.168.1.1 and that wants to connect to TCP port 80 on 1.2.3.4. Here’s the result:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc OUTSIDE
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR_REDIRECT
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1017213, packet dispatched to next module
You can see that the access-list is checked BEFORE NAT is applied. If your packet doesn’t match the access-list, then it will be dropped before NAT translation occurs.
Hope this helps.
Rene
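When you run packet-tracer across many flows (or paste its output into a ticket), it helps to pull the phases out mechanically and answer "at which phase, and by which rule, was this packet dropped?". The parser below is an added example and is not part of Rene's reply; it works on the phase layout shown above (Phase / Type / Subtype / Result / Config / Additional Information) plus the trailing "Result:" summary block with Action and Drop-reason that the ASA prints after the last phase. The sample output inside it is constructed to look like a trace where an interface ACL on INSIDE denies the packet at phase 3, before any NAT phase is reached; the ACL name INSIDE_IN and the flow are made up for the illustration.

```python
"""Parse Cisco ASA packet-tracer output into its ordered phases and report
where (if anywhere) the packet is dropped. Added example, not from the post."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the ASA's output format (not captured from a
# real device): an interface ACL on INSIDE denies the packet at phase 3.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group INSIDE_IN in interface INSIDE
access-list INSIDE_IN extended deny tcp any any eq www
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

def parse_packet_tracer(text):
    """Return (phases, summary). summary holds the trailing 'Result:' block
    (input-interface, Action, Drop-reason, ...) or {} when the output has no
    summary, e.g. a trace pasted without its last lines."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:                                   # "Phase: N" opens a new phase
            current = Phase(int(m.group(1)))
            phases.append(current)
            section, in_summary = None, False
            continue
        if in_summary:                          # "key: value" lines after the bare "Result:"
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        key, colon, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if colon and key == "Result" and not value:
            in_summary, current = True, None    # bare "Result:" starts the summary block
        elif colon and key == "Type" and section is None:
            current.type = value
        elif colon and key == "Subtype" and section is None:
            current.subtype = value
        elif colon and key == "Result" and section is None:
            current.result = value
        elif colon and key == "Config" and not value:
            section = current.config
        elif colon and key == "Additional Information" and not value:
            section = current.info
        elif section is not None:               # body line of Config / Additional Information
            section.append(line)
    return phases, summary

def first_drop(phases):
    """The first phase whose Result is DROP, or None when every phase allows."""
    return next((p for p in phases if p.result == "DROP"), None)

def verdict(text):
    """One line: the dropping phase and rule plus the ASA's Drop-reason, or the
    allow path through the phases in the order the ASA evaluated them."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "ALLOW: " + " -> ".join(p.type for p in phases)
    reason = summary.get("Drop-reason", "no Drop-reason in output")
    rule = drop.config[-1] if drop.config else "(no config shown)"
    return f"DROP at phase {drop.number} {drop.type}: {rule}; {reason}"

if __name__ == "__main__":
    print(verdict(SAMPLE_DROP))
```

Paste the real output of `packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80` into `verdict()` and you get either the ordered list of phase types (which is exactly the order-of-operation question above) or the phase number, the matching access-list line and the Drop-reason for a denied flow. Output that stops after the last phase, like the trace in the reply, parses the same way; it just has an empty summary.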