Packet flow through ASA

ashwinkrishnamr · September 7, 2017, 8:03am

Hi Rene,

Greetings !!

It would be really helpful if you can explain the packet flow through ASA (also when VPN is taken into account) / Order of Operation - version 8.3 and later

ReneMolenaar · September 8, 2017, 3:45pm

Hi @krishnaashwin02,

I have something even better, I’ll let the ASA explain it If you use packet-tracer, it will tell you exactly in what order things will occur. Here’s an example from a site-to-site VPN.

192.168.1.1 is a device on LAN1 that tries to connect to 192.168.2.2 TCP 80 on LAN2:

ASA#packet-tracer input LAN1 tcp 192.168.1.1 12345 192.168.2.2 80     

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4 using egress ifc  OUTSIDE

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.2.2/80 to 192.168.2.2/80

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
Static translate 192.168.1.1/12345 to 192.168.1.1/12345

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map SFR
 match access-list SFR
policy-map global_policy
 class SFR
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:       
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 61592555, packet dispatched to next module

Result:
input-interface: LAN1
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

ashwinkrishnamr · September 9, 2017, 2:19pm

Thanks a lot Rene