

ASA Firewall packet matching order

2025-01-19 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Summary:

The key to the order in which the ASA processes two-way traffic is whether a session (connection entry) already exists for the packet. Different vendors use different processing orders; the appendix gives the orders used by Juniper and Huawei firewalls.

When it processes packets travelling between the inside and outside networks, the ASA performs a series of operations: a route lookup, enforcement of per-host session limits, matching the packet against the configured access control lists (ACLs), and so on.

The order in which the ASA performs these operations depends on the interface that receives the traffic, that is, on the direction of the traffic. The following is the sequence the ASA goes through when it receives, on the inside interface, a packet whose destination is a host reachable through the outside interface.

The packet is received on the interface: inside.

Flow lookup: does this packet belong to an existing connection entry (an established flow)? If it does, the checks that apply to new connections below are skipped.

Route lookup: match the packet's destination IP address against the ASA routing table using longest-prefix matching to find the matching route and its egress interface.

Access control list: match the packet against the ACL applied to the ingress interface.

IP options (Modular Policy Framework [MPF]): match the packet against the configured MPF policies (quality of service, embryonic (half-open) connection limits, and so on).

VPN crypto match: is this packet destined for another host through a VPN tunnel?

NAT: translate the address fields of the packet according to the configured NAT rules.

NAT host limits: does the packet exceed a configured per-host limit (for example, the maximum number of embryonic connections) and therefore get dropped?

IP options (MPF): the packet is checked again against the configured MPF policies (QoS, embryonic connections, and so on).

Create flow: if the packet belongs to a new connection, create a connection entry for it on the device.

The packet is sent out of the interface: outside.

The following is the order of operations when the ASA receives a packet on the outside interface whose destination is a host on a network connected to the inside interface.

The packet is received on the interface: outside.

Flow lookup.

Route lookup.

Access control list.

IP options (MPF).

VPN crypto match.

NAT (reverse path lookup [RPF]): is the egress interface of the best route matching the packet's source IP address the same interface on which the ASA received the packet? If not, the packet is treated as spoofed and dropped.

NAT host limits (per-host session limits).

NAT lookup: find the translation that applies to the packet.

The packet is sent out of the interface: inside.

Note that on ASA 8.3 and later, interface ACLs are evaluated against real (untranslated) addresses in both directions, so an inbound ACL entry for a host behind static NAT must reference the host's real address rather than the mapped one.

Packet processing flowchart in Cisco official documentation
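The two orders above can be exercised in a small simulator. The following is an added example written for this article, not Cisco code and not the flowchart itself: the interfaces, routes, ACL entries, PAT address and per-host limit are all constructed for illustration, and the MPF and VPN stages are left out. It follows the order for new connections (flow lookup, route lookup, ACL, NAT, host limits, create flow, plus the reverse-path check on the outside interface) and shows the point the summary makes: the reply of an established session is matched by the flow lookup and never reaches the ACL, while an unsolicited packet with the same addresses is dropped by it.

```python
"""Toy model of the ASA packet-processing order above (added example, not Cisco code)."""
import ipaddress
from collections import Counter

# Constructed sample configuration (assumptions, not from the article).
ROUTES = [("0.0.0.0/0", "outside"), ("10.0.0.0/8", "inside"),
          ("203.0.113.128/25", "dmz")]
ACL = {  # keyed by ingress interface; first match wins; implicit deny at the end
    "inside": [("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443)],
    "outside": [("permit", "0.0.0.0/0", "203.0.113.130/32", "tcp", 80)],
    "dmz": [],
}
PAT_IP = "203.0.113.1"      # dynamic PAT for inside hosts leaving via outside
MAX_CONNS_PER_HOST = 2      # per-source connection cap standing in for host limits


def route_lookup(ip):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def acl_permits(iface, proto, src, dst, dport):
    """First-match evaluation of the ingress interface ACL."""
    for action, s_net, d_net, p, port in ACL.get(iface, []):
        if (p == proto and port == dport
                and ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d_net)):
            return action == "permit"
    return False


class Asa:
    """Packets are tuples: (ingress_iface, proto, src, sport, dst, dport)."""

    def __init__(self):
        self.flows = {}          # packet as seen on the wire -> packet as sent out
        self.conns = Counter()   # real source IP -> open connections
        self.next_port = 1024    # next PAT port to hand out

    def process(self, pkt):
        """Returns (verdict, outgoing packet or None)."""
        iface, proto, src, sport, dst, dport = pkt
        # 1. Flow lookup: an established session is forwarded straight away,
        #    with its stored translation, and never consults the ACL again.
        if pkt in self.flows:
            out = self.flows[pkt]
            return "forward:" + out[0], out
        # 2. Route lookup for the destination.
        egress = route_lookup(dst)
        if egress is None:
            return "drop:no-route", None
        # 3. Ingress-interface ACL (new connections only).
        if not acl_permits(iface, proto, src, dst, dport):
            return "drop:acl", None
        # 4. Reverse-path check on outside: the best route back to the source
        #    must leave through the interface the packet arrived on.
        if iface == "outside" and route_lookup(src) != iface:
            return "drop:rpf", None
        # 5. NAT rule match: inside hosts leaving via outside get dynamic PAT.
        use_pat = iface == "inside" and egress == "outside"
        # 6. Host limits.
        if self.conns[src] >= MAX_CONNS_PER_HOST:
            return "drop:host-limit", None
        # 7. Create the flow in both directions so the reply hits step 1.
        n_src, n_sport = src, sport
        if use_pat:
            n_src, n_sport = PAT_IP, self.next_port
            self.next_port += 1
        out = (egress, proto, n_src, n_sport, dst, dport)
        self.flows[pkt] = out
        self.flows[(egress, proto, dst, dport, n_src, n_sport)] = (
            iface, proto, dst, dport, src, sport)
        self.conns[src] += 1
        return "forward:" + egress, out


def demo():
    """Runs scenarios for both directions; returns {scenario: verdict}."""
    asa, r = Asa(), {}
    r["outbound_https"], fwd = asa.process(("inside", "tcp", "10.0.0.5", 40000, "198.51.100.5", 443))
    # Reply to the PAT address/port: matched by the flow lookup even though the
    # outside ACL would deny it if it were consulted.
    r["reply"], back = asa.process(("outside", "tcp", "198.51.100.5", 443, fwd[2], fwd[3]))
    r["reply_real_dst"] = back[4]
    r["outbound_http"], _ = asa.process(("inside", "tcp", "10.0.0.5", 40001, "198.51.100.5", 80))
    r["inbound_unsolicited"], _ = asa.process(("outside", "tcp", "198.51.100.5", 5000, PAT_IP, 1025))
    r["inbound_dmz_web"], _ = asa.process(("outside", "tcp", "198.51.100.5", 5001, "203.0.113.130", 80))
    r["inbound_spoofed"], _ = asa.process(("outside", "tcp", "10.5.5.5", 5002, "203.0.113.130", 80))
    asa.process(("inside", "tcp", "10.0.0.5", 40002, "198.51.100.5", 443))  # second connection
    r["outbound_third"], _ = asa.process(("inside", "tcp", "10.0.0.5", 40003, "198.51.100.5", 443))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Running the block prints one verdict per scenario. The spoofed packet from 10.5.5.5 arriving on outside passes the outside ACL (which permits any source to the DMZ web server) and is only caught by the reverse-path check, which is why that check sits after the ACL in the outside-to-inside order rather than being redundant with it.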

Appendix:

Juniper packet processing order: the difference from Cisco is that destination NAT is evaluated first, then the route lookup, and then the security policy, so security policies on Juniper are matched against the post-destination-NAT (real) address.

Huawei packet processing order: consistent with Cisco's overall process.
