Cisco ASA Access-List

Hi Asi,

Here’s a good document from Cisco that explains the “order of operation” for the ASA:

Cisco ASA Packet Flow

The packet tracer tool on the ASA is also great to answer this question. For example:

ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80

This will show us the packet flow for a host that uses IP address 192.168.1.1 and wants to connect to TCP port 80 on 1.2.3.4. Here’s the result:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc  OUTSIDE

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network INSIDE
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map SFR
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:       
Additional Information:
New flow created with id 1017213, packet dispatched to next module

You can see that the access-list is checked BEFORE NAT is applied. If your packet doesn’t match the access-list then it will be dropped before NAT translation occurs.

Hope this helps.

Rene
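As an added example (not part of Rene's reply), a small Python parser for packet-tracer output in the shape quoted above: it splits the trace into phases, reports the first phase whose Result is DROP, and checks that the ACCESS-LIST phase is listed before the NAT phase. ALLOWED_TRACE is an abridged copy of the output above; DENIED_TRACE is a constructed trace that stops at the access-list phase, as assumed here for a denied packet.

```python
import re

# Constructed sample, abridged from the packet-tracer output quoted above (ACL phase first, NAT later).
ALLOWED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 3
Type: NAT
Result: ALLOW
Additional Information:
Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001
"""

# Constructed sample (assumption): a packet denied by the ACL, so the trace ends at the access-list phase.
DENIED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
"""


def parse_phases(trace):
    """Split the output on blank lines; return one dict of field -> value per 'Phase:' block."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in ("Phase", "Type", "Subtype", "Result"):
                fields[key] = value.strip()
        if "Phase" in fields:
            phases.append(fields)
    return phases


def verdict(trace):
    """Return ('ALLOW', None), or ('DROP', <phase type>) for the first phase that drops the packet."""
    for p in parse_phases(trace):
        if p.get("Result") == "DROP":
            return "DROP", p["Type"]
    return "ALLOW", None


def acl_before_nat(trace):
    """True when an ACCESS-LIST phase appears before the first NAT phase (the order the reply explains)."""
    types = [p["Type"] for p in parse_phases(trace)]
    return "ACCESS-LIST" in types and "NAT" in types and types.index("ACCESS-LIST") < types.index("NAT")
```

Feed it the full output of a packet-tracer run to see which phase (and therefore which part of the configuration) drops a flow.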