Series of Steps to Forward a packet in a Cisco ASA Firewall

Posted by Teacher of Cisco .
  • Agregar a Technorati
  • Agregar a Del.icio.us
  • Agregar a DiggIt!
  • Agregar a Yahoo!
  • Agregar a Google
  • Agregar a Meneame
  • Agregar a Furl
  • Agregar a Reddit
  • Agregar a Magnolia
  • Agregar a Blinklist
  • Agregar a Blogmarks

Series of Steps to Forward a packet in a Cisco ASA Firewall

Series of Steps to Forward a packet in a Cisco ASA Firewall

Posted: 25 Jul 2011 11:21 PM PDT


A normal Layer3 Routing device, when receiving a packet on one of its ingress interfaces, first checks the destination IP address of the packet and then consults its routing table in order to forward the packet to the proper outgoing interface. This is the most basic operation of a router.

A stateful firewall (like the Cisco ASA), on the other hand, has a much more complicated work to do on an incoming packet. There are several steps and decision points that the packet has to go though before being allowed and forwarded by the firewall. This is called "conditional forwarding" because the packet must satisfy several rules and conditions before passing through the firewall.

The diagram below shows a simplified traffic flow of a packet through a Cisco ASA device:

As shown on the figure above, the packet coming from the Input Interface is being checked first if it is a part of an existing connection. If yes, it skips many of the intermediate steps and is only checked if it satisfies the Layer7 inspection rules.

Now, if the packet is a new connection, the firewall needs to store in its state table all the pertinent information of this new connection. Some of the information that is stored in the state table include the source and destination IP addresses, the source and destination port numbers, TCP sequence numbers etc. Since the packet is a new connection, it will have to go through several steps and checks before being forwarded to the output interface.

First the firewall checks if there is a Layer3 route for the destination address of the packet in the routing table. After that, it checks if the Access Control List (ACL) on the input interface allows the specific connection to pass. If this is ok, then it checks to see if there is a NAT rule configured for this specific connection. After that, the device verifies that any Layer7 inspection rules allow the specific connection. After all the previous steps have been satisfied successfully, only then the packet is allowed to exit the output interface.

The 5 biggest IT security mistakes

Posted: 25 Jul 2011 08:12 AM PDT


Like cleaning the windows, IT security can be a thankless task because they only notice when you don't do it. But to get the job done in the era of virtualization, smartphones and cloud computing, you've got to avoid technical and political mistakes. In particular, here are five security mistakes to avoid.

0 comments:

Subscribe to: Post Comments (Atom)
Post a Comment