Wednesday, July 3, 2013

Cisco ASA : Traffic Flow

It has always been a mystery to me why we call the ASA a full-time enterprise firewall. Well, maybe on paper :)

This has always been on my mind: what is the traffic flow inside the ASA? The question has been haunting me for some time.

Here is my answer:


With VPN and Static NAT
@@@@@@@@@@


1. Check for an existing connection (Cisco calls this the ASA, the Adaptive Security Algorithm; LOL, we know who invented it.)
2. Destination NAT (shown as UN-NAT in packet-tracer)
3. ACL
4. uAuth (cut-through proxy, the AAA phase)
5. Source NAT
6. Encrypt (VPN)
7. RPF check (NAT rpf-check)
8. VPN flow (ipsec-tunnel-flow)
9. NAT (host limits: I need to shed some light here; it seems to be the connection and embryonic limits)
10. Flow creation

And then the traffic leaves the ASA. The packet-tracer output below also shows IP-OPTIONS inspection phases and a host-limits check after each NAT rule hit, which the list above leaves out.

I made 4.2.2.2 the HTTPS server; I just took that IP because I am familiar with it ;)

Evidence
@@@@

FW(config)# packet-tracer input inside tcp 172.16.1.xxx 1025 4.2.2.2 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (outside,inside) 4.2.2.2 72.163.4.161 netmask 255.255.255.255
  match ip outside host 72.163.4.161 inside any
    static translation to 4.2.2.2
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface outside
Untranslate 4.2.2.2/0 to 72.163.4.161/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_inside in interface inside
access-list acl_inside extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: AAA
Subtype: aaa-auth
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 172.16.1.xxx 255.255.255.0
  match ip inside 172.16.1.xxx 255.255.255.0 outside any
    dynamic translation to pool 1 (60.15.22.xxx [Interface PAT])
    translate_hits = 77423, untranslate_hits = 376
Additional Information:
Dynamic translate 172.16.1.101/1024 to 60.15.22.xxx/11278 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 172.16.1.xxx 255.255.255.0
  match ip inside 172.16.1.xxx 255.255.255.0 outside any
    dynamic translation to pool 1 (60.15.22.xxx [Interface PAT])
    translate_hits = 77423, untranslate_hits = 376
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (outside,inside) 4.2.2.2 72.163.4.161 netmask 255.255.255.255
  match ip outside host 72.163.4.161 inside any
    static translation to 4.2.2.2
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (outside,inside) 4.2.2.2 72.163.4.161 netmask 255.255.255.255
  match ip outside host 72.163.4.161 inside any
    static translation to 4.2.2.2
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 80156, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


VPN Without Static NAT (the IPs differ from the run above)
======================

FW(config)# packet-tracer input inside tcp 172.16.1.xxx 1025 4.2.2.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_inside in interface inside
access-list acl_inside extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: AAA
Subtype: aaa-auth
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 172.16.1.0 255.255.255.0
  match ip inside 172.16.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (68.15.22.xxx [Interface PAT])
    translate_hits = 77311, untranslate_hits = 373
Additional Information:
Dynamic translate 172.16.1.xxx/1024 to 68.15.22.xxx/65412 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 172.16.1.0 255.255.255.0
  match ip inside 172.16.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (68.15.22.xxx [Interface PAT])
    translate_hits = 77311, untranslate_hits = 373
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 80024, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


I had this in my notes; I have now added a comment between 1 & 2 :)


Packet Flow Sequence
====================
PIX/ASA - Inside (higher security level) to Outside (lower security level)
---------------------------------------------------------------
E.g. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for an existing connection; if none is found, the packet continues through the checks below and a connection is created at FLOW-CREATION.
2. ROUTE-LOOKUP - [input] - Initial checking (reverse path check, etc.)

Comment: I believe DST NAT should happen here so it will match the ACL; this is proven in the example above.
3. ACCESS-LIST - [log] - ACL lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
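Both packet-tracer runs above and the flow-sequence notes are lists of phases whose order is the whole point, so here is an added example (example code written for this page, not the post author's and not a Cisco tool) that parses packet-tracer output into its phases and answers the three questions the post raises: in what order did the phases run, which phase (if any) dropped the packet, and did one phase type run before another (here, UN-NAT before ACCESS-LIST, the destination-NAT-before-ACL ordering the comment above argues for). The two traces embedded in the code are constructed: ALLOW_TRACE is an abbreviated copy of the static-NAT run, and DROP_TRACE is an assumed variant in which the inside ACL denies the same flow; "(acl-drop) Flow is denied by configured rule" is the drop reason the ASA prints for an ACL deny.

```python
"""Parse Cisco ASA packet-tracer output and check the order of its phases.
Added example for this post, not Cisco code; ALLOW_TRACE abbreviates the
static-NAT run shown earlier and DROP_TRACE is a constructed ACL-deny variant."""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per "Phase:" block, in order,
    and the trailing "Result:" block (input-interface, Action, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = dict(number=int(value), type="", subtype="", result="", config=[], info=[])
            phases.append(current)
            section = None
        elif key == "Result" and value == "":
            current, section = None, "summary"  # a bare "Result:" ends the phases
        elif section == "summary":
            summary[key] = value
        elif current is None:
            continue                             # e.g. the echoed command line
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section in ("config", "info"):
            current[section].append(line)        # rule text / translation detail
    return phases, summary

def phase_sequence(phases):
    """The (Type, Subtype) order, i.e. the flow the post derives by hand."""
    return [(p["type"], p["subtype"]) for p in phases]

def first_drop(phases):
    """First phase whose Result is not ALLOW, or None if every phase passed."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)

def precedes(phases, earlier, later):
    """True when the first phase of type `earlier` runs before the first
    phase of type `later`, e.g. UN-NAT (destination NAT) before ACCESS-LIST."""
    types = [p["type"] for p in phases]
    return earlier in types and later in types and types.index(earlier) < types.index(later)

ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (outside,inside) 4.2.2.2 72.163.4.161 netmask 255.255.255.255
Additional Information:
Untranslate 4.2.2.2/0 to 72.163.4.161/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list acl_inside extended permit ip any any
Additional Information:

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 80156, packet dispatched to next module

Result:
Action: allow
"""

DROP_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (outside,inside) 4.2.2.2 72.163.4.161 netmask 255.255.255.255
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group acl_inside in interface inside
access-list acl_inside extended deny tcp 172.16.1.0 255.255.255.0 any eq 443
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

To use it on a real run, paste the packet-tracer output into a file and call `parse_packet_tracer(open(path).read())`; when `first_drop` returns a phase, its `config` list holds the rule that produced the drop, which is usually the only part of a twelve-phase trace you need. The NAT host-limits phase that item 9 wonders about is where the per-host connection and embryonic-connection limits (the max_conns and emb_limit values on a nat or static statement) are enforced; the traces in this post configure none, so it passes.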