Hi Rene,
Greetings !!
It would be really helpful if you can explain the packet flow through ASA (also when VPN is taken into account) / Order of Operation - version 8.3 and later
Hi @krishnaashwin02,
I have something even better, I’ll let the ASA explain it. If you use packet-tracer, it will tell you exactly in what order things will occur. Here’s an example from a site-to-site VPN.
192.168.1.1 is a device on LAN1 that tries to connect to 192.168.2.2 TCP 80 on LAN2:
ASA#packet-tracer input LAN1 tcp 192.168.1.1 12345 192.168.2.2 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4 using egress ifc OUTSIDE
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.2.2/80 to 192.168.2.2/80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
Static translate 192.168.1.1/12345 to 192.168.1.1/12345
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 61592555, packet dispatched to next module
Result:
input-interface: LAN1
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
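The phase list packet-tracer prints is also something you can check automatically, which helps when you run it for many flows or before and after a change. The script below is an added example (my own Python, not from the post and not a Cisco tool): it parses packet-tracer output into its ordered phases and audits a site-to-site VPN flow for the usual questions: was the packet allowed, at which phase was it dropped, did it reach the VPN encrypt phase, and did the NAT phase (which runs before encryption, as the order above shows) leave the source untranslated. The first sample is an abridged copy of the output in the reply; the second is a constructed drop case, with the interface ACL name LAN1_in being an assumption.

```python
# Added example (not from the post or from Cisco): parse ASA packet-tracer output into its
# ordered phases, then audit a site-to-site VPN flow: dropped (and where), reached VPN encrypt,
# and whether the source was still untranslated when it got there (NAT runs first on 8.3+).
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

def parse_packet_tracer(text):
    """Return (phases, summary): phases in printed order, summary = the trailing 'Result:' block."""
    phases, summary, current, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if line == "Result:":                       # a bare "Result:" opens the final summary
            in_summary, current = True, None
        elif in_summary:
            summary[key] = value
        elif key == "Phase":
            current = Phase(number=int(value))
            phases.append(current)
            section = None
        elif current is None:
            continue                                # banner text before the first phase
        elif key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, summary

def audit(text, expect_vpn=True):
    """Findings for one run; an empty list means allowed and shaped the way a VPN flow should be."""
    phases, summary = parse_packet_tracer(text)
    findings = []
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    if drop:
        why = summary.get("Drop-reason") or "; ".join(drop.config)
        findings.append(f"dropped at phase {drop.number} {drop.type}/{drop.subtype}: {why}")
    if summary.get("Action") != "allow":
        findings.append(f"final action is {summary.get('Action', 'missing')!r}")
    if expect_vpn and not drop and not any(p.type == "VPN" and p.subtype == "encrypt" for p in phases):
        findings.append("no VPN encrypt phase: the flow would leave the egress interface in cleartext")
    for p in phases:
        for line in p.info:
            if line.startswith("Static translate "):     # "Static translate A/port to B/port"
                before, _, after = line[len("Static translate "):].partition(" to ")
                if before != after:
                    findings.append(f"source translated {before} -> {after} before the VPN encrypt "
                                    "phase; the crypto ACL must match the translated address")
    return findings

# Abridged copy of the output in the reply above (only phases 4 and 8 kept).
SAMPLE_ALLOW = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN1,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 route-lookup
Additional Information:
Static translate 192.168.1.1/12345 to 192.168.1.1/12345
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: LAN1
output-interface: OUTSIDE
Action: allow
"""
# Constructed variant: the same packet denied by an interface ACL (the ACL name LAN1_in is assumed).
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group LAN1_in in interface LAN1
access-list LAN1_in extended deny tcp any any eq 80
Additional Information:
Result:
input-interface: LAN1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Paste the full output of a packet-tracer run into audit() and an empty list means the flow is allowed, encrypted, and not source-translated on the way to the tunnel; anything else is a finding naming the phase, which is usually the quickest way to see whether a VPN problem is an ACL, a NAT rule, or the crypto map.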
Thanks a lot, Rene