Cisco ASA firewall

Scenario: here is a packet initiated from the Inside to the Outside.

1) A user sitting inside the network is trying to access a website located on the Internet (outside).

2) The packet hits the inside (ingress) interface of the ASA.

3) Once the packet reaches the ASA, it verifies whether this is an existing connection by checking its internal connection table. If it is an existing connection, the ACL check (step 4) is bypassed and processing moves to step 5.

If it is a TCP packet, the ASA checks the TCP flags. If the packet contains a SYN flag, a new connection entry is created in the connection table (the connection counter gets incremented). A packet with anything other than a SYN flag is discarded and a log entry is created. If the TCP connection flags are not in the order the protocol intends, the ASA simply drops the packet; most scanning/attacks are done through this kind of flag manipulation. If the packet is UDP, the connection counter is incremented by one as well.

4) The ASA checks the packet against the interface Access Control Lists (ACLs). If the packet matches an allowed ACL entry, it moves forward to the next step. (The ACL hit counter is incremented when there is a valid ACL match.)

5) The packet is then verified against the translation rules. If the packet passes this check, a connection entry is created for this flow and the packet moves forward. Otherwise the packet is dropped and a log entry is created.

6) The packet is checked against the inspection policy. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. In the ASA we create these inspection checks through MPF (Modular Policy Framework), or through the CLI using policy maps and class maps. If it passes the inspection check, it moves forward to the next step; otherwise the packet is dropped and the information is logged. Additional checks are done if the ASA has a CSC module installed: the packet is forwarded to that module for further analysis and then returns to step 7.

7) The actual Network Address Translation happens at this step. The IP header information is translated as per the NAT/PAT rule. If an IPS module is present, the packet is forwarded to the IPS module for further checks.

8) The packet is forwarded to the Outside (egress) interface based on the translation rules. If no egress interface is specified in the translation rule, the destination interface is decided based on a global route lookup.

9) On the egress interface, the interface route lookup is performed.

10) Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed.
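The order of these steps is what decides whether a packet is dropped, where it is dropped, and which counters move. The model below is an added example written for this page, not Cisco code and not a description of the ASA's internals: it replays steps 3 through 8 in the order the post gives them (connection-table lookup, TCP flag check, interface ACL with hit counters, translation-rule check and connection creation, protocol inspection, NAT, egress selection) so that the effects of that order can be observed. The class names, the sample ACL, NAT rule, routes, HTTP inspector and packets are all constructed for the example; steps 9 and 10 (interface route lookup and Layer 2 resolution) are not modelled.

```python
"""Replay of the Cisco ASA inside-to-outside packet flow from the post.

Added example, not Cisco code. Step numbers in comments refer to the post.
Everything below (classes, ACL, NAT rule, routes, inspector) is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. frozenset({"SYN"})
    payload: bytes = b""


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str
    dport: Optional[int] = None     # None = any destination port
    hits: int = 0                   # the ACL hit counter mentioned in step 4

    def matches(self, p):
        return self.proto == p.proto and self.dport in (None, p.dport)


@dataclass
class Result:
    verdict: str                    # "forward" or "drop"
    step: int                       # step of the post at which the decision fell
    reason: str = ""
    src_after_nat: str = ""
    egress: str = ""


def http_inspect(payload):
    """Constructed step-6 protocol check: an HTTP request must begin with a method."""
    return payload == b"" or payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")


class Asa:
    def __init__(self, acl, nat_rules, routes):
        self.acl = acl                 # interface ACL, first match wins (step 4)
        self.nat_rules = nat_rules     # [(inside_prefix, mapped_ip, egress_iface or None)]
        self.routes = routes           # [(prefix, iface)] global routing table (step 8)
        self.inspectors = {80: http_inspect}  # inspection policy keyed by port (step 6)
        self.conn_table = set()        # established flows keyed by 5-tuple (step 3)
        self.conn_count = 0            # the connection counter
        self.log = []                  # constructed drop log

    def _drop(self, step, reason):
        self.log.append((step, reason))
        return Result("drop", step, reason)

    def _nat_rule(self, p):
        src = ipaddress.ip_address(p.src)
        for prefix, mapped, iface in self.nat_rules:
            if src in ipaddress.ip_network(prefix):
                return mapped, iface
        return None

    def _route(self, dst):
        # Longest-prefix match over the global routing table.
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def process(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        existing = key in self.conn_table          # step 3: connection-table lookup
        if not existing:
            # Step 3: a new TCP flow must begin with a SYN; other flag sets are dropped and logged.
            if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
                return self._drop(3, "tcp-flags")
            # Step 4: interface ACL, skipped entirely for an existing connection.
            for entry in self.acl:
                if entry.matches(p):
                    entry.hits += 1
                    if entry.action == "deny":
                        return self._drop(4, "acl-deny")
                    break
            else:
                return self._drop(4, "acl-implicit-deny")
        # Step 5: a translation rule must match before the connection entry is created.
        rule = self._nat_rule(p)
        if rule is None:
            return self._drop(5, "no-nat-rule")
        if not existing:
            self.conn_table.add(key)
            self.conn_count += 1
        # Step 6: protocol inspection on every packet of the flow, not only the first.
        inspector = self.inspectors.get(p.dport)
        if inspector and not inspector(p.payload):
            return self._drop(6, "inspection")
        # Step 7: translate the source per the NAT rule; step 8: egress from the rule or a route lookup.
        mapped, iface = rule
        egress = iface or self._route(p.dst)
        if egress is None:
            return self._drop(8, "no-route")
        return Result("forward", 8, "", mapped, egress)


def demo():
    """Constructed scenario: inside host 10.1.1.10 browses 203.0.113.5:80 through the ASA."""
    asa = Asa(
        acl=[AclEntry("permit", "tcp", 80), AclEntry("permit", "udp", 53)],
        nat_rules=[("10.1.1.0/24", "198.51.100.1", None)],
        routes=[("0.0.0.0/0", "outside"), ("10.1.1.0/24", "inside")],
    )
    syn = Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}))
    data = Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 80, frozenset({"ACK", "PSH"}), b"GET / HTTP/1.1")
    bad = Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 80, frozenset({"ACK", "PSH"}), b"NOTHTTP")
    stray_ack = Packet("tcp", "10.1.1.10", 40001, "203.0.113.5", 80, frozenset({"ACK"}))
    ssh = Packet("tcp", "10.1.1.10", 40002, "203.0.113.5", 22, frozenset({"SYN"}))
    return {
        "syn": asa.process(syn),            # new flow: SYN, ACL hit, NAT, forwarded out "outside"
        "data": asa.process(data),          # existing flow: ACL bypassed, inspection passes
        "bad": asa.process(bad),            # existing flow but fails HTTP inspection (step 6)
        "stray_ack": asa.process(stray_ack),  # new flow without SYN: dropped at step 3
        "ssh": asa.process(ssh),            # no ACL match: implicit deny at step 4
        "acl_hits": asa.acl[0].hits,        # only the SYN incremented the counter
        "conns": asa.conn_count,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes visible is that an established flow never returns to the ACL (the permit entry's hit counter stays at one for the whole session) but is still subject to inspection on every packet, and that a first packet without SYN never even reaches the ACL. On a real ASA the same walk-through is available from the CLI with `packet-tracer input inside tcp <src> <sport> <dst> <dport>`, which reports the phase at which a synthetic packet would be dropped, while `show conn` and `show access-list` show the connection table and ACL hit counts this example imitates.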