Summary of what happens to a packet as it enters and then leaves the PIX\ASA firewall - please correct if you see something wrong - thx

I get questions from clients asking what are the steps involved when a packet enters a fw and leaves it. So I did some research and came up with this sequence. Please suggest corrections if you see a mistake. It is always good to have this kind of summary handy.

Summary of Basic PIX\ASA Inspection Sequence and Operations:

The PIX\ASA inspection sequence is performed as follows:

  1. As a packet enters an interface, the PIX evaluates the security level for the source and destination interfaces. A low-to-high is allowed only if there is an access-list that allows the connection, and a high-to-low is allowed by default unless a specific access-list denies it. If there are ACLs present, the packet is checked against these here.

  2. Then the packet is checked against the stateful connection table. If the packet is part of an already established connection, then it is passed forward in order to be routed out and eventually translated if specified. If the packet is identified as part of a new session, it is passed to the ASA that performs the inbound network translation (destination NAT).

  3. ASA performs the inbound network translation (destination NAT) if applicable.

  4. The ASA updates the connections table with the packet's connection state and the timers are started for that session.

  5. The packet is checked against the Inspections database to determine if the connection requires application-level inspection (checks to see if it needs a Fixup).

  6. The packet gets routed to the interface designated by the routing table.

  7. At the exit interface, the source translation is performed, if specified, by using global statements and nat groups.

  8. The packet is sent to the next hop router in the routing table, or to the final destination if it is present in the local firewall's subnets.

t.eliason
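A runnable model of the sequence in the post above, added here as a teaching example (it is not Cisco code and not part of the original post). Every interface, security level, address, ACL entry, NAT mapping, route and inspection entry in it is a constructed sample value. The model keeps the same components but orders two of them differently from the list: the connection-table lookup comes first, so that return packets of an established session are matched on remembered state instead of being re-evaluated against the ACL, and the static (destination) NAT and route lookups are resolved before the security-level comparison, because that comparison needs to know the destination interface.

```python
"""Toy model of the inspection sequence a PIX/ASA-style stateful firewall applies
to a packet. Constructed teaching example: the interfaces, addresses, ACL entries,
NAT rules and routes below are made-up sample values, not a real configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class FlowState:
    """What the connection table remembers for one direction of a session."""
    out_iface: str
    xlate_src: str              # source address after translation at the exit interface
    xlate_dst: str              # destination address after (un)translation
    inspection: Optional[str]   # application inspection engine ("fixup"), if any
    idle_timeout: int = 3600    # seconds; the timer starts when the entry is created


class FirewallModel:
    def __init__(self) -> None:
        # interface -> (security level, directly connected prefix); sample values
        self.interfaces: Dict[str, Tuple[int, str]] = {
            "outside": (0, "203.0.113."), "dmz": (50, "192.168.10."), "inside": (100, "10.1.1.")}
        # ACL applied inbound per interface: (proto, dst as seen on the wire, dport, action)
        self.acls: Dict[str, List[Tuple[str, str, int, str]]] = {
            "outside": [("tcp", "203.0.113.80", 80, "permit")]}
        # static (destination) NAT: global address -> real address of the DMZ web server
        self.static_nat: Dict[str, str] = {"203.0.113.80": "192.168.10.80"}
        # nat/global pool: inside host -> global address used when leaving "outside"
        self.global_pool: Dict[str, str] = {"10.1.1.5": "203.0.113.5"}
        # routing table: (prefix, out interface, next hop or None when directly connected)
        self.routes: List[Tuple[str, str, Optional[str]]] = [
            ("10.1.1.", "inside", None), ("192.168.10.", "dmz", None),
            ("203.0.113.", "outside", None), ("", "outside", "203.0.113.254")]
        # inspections database: (proto, dport) -> inspection engine
        self.inspections: Dict[Tuple[str, int], str] = {
            ("tcp", 21): "ftp", ("tcp", 80): "http", ("udp", 53): "dns"}
        self.conns: Dict[Tuple, FlowState] = {}   # the stateful connection table

    def _route(self, dst: str) -> Tuple[str, Optional[str]]:
        # longest matching prefix wins; "" is the default route and always matches
        _, iface, gw = max((r for r in self.routes if dst.startswith(r[0])),
                           key=lambda r: len(r[0]))
        return iface, gw

    def _acl(self, pkt: Packet) -> Optional[str]:
        for proto, dst, dport, action in self.acls.get(pkt.in_iface, []):
            if (proto, dst, dport) == (pkt.proto, pkt.dst, pkt.dport):
                return action
        return None   # no matching entry

    def process(self, pkt: Packet) -> dict:
        key = (pkt.in_iface, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # 1. Connection table: a packet of an established session is forwarded on the
        #    remembered state and is not re-evaluated against the interface ACL.
        flow = self.conns.get(key)
        if flow is not None:
            _, gw = self._route(flow.xlate_dst)
            return {"action": "permit", "state": "established", "egress": flow.out_iface,
                    "src": flow.xlate_src, "dst": flow.xlate_dst,
                    "inspection": flow.inspection, "next_hop": gw or flow.xlate_dst}
        # 2. Destination NAT (static): recover the real address behind the global one.
        real_dst = self.static_nat.get(pkt.dst, pkt.dst)
        # 3. Route lookup: the destination interface is needed for the level check.
        egress, gw = self._route(real_dst)
        if egress == pkt.in_iface:
            return {"action": "drop", "reason": "routed back out the ingress interface"}
        # 4. Security levels, then the inbound ACL on the ingress interface.
        in_level, out_level = self.interfaces[pkt.in_iface][0], self.interfaces[egress][0]
        acl = self._acl(pkt)
        allowed = acl == "permit" if in_level < out_level else acl != "deny"
        if not allowed:
            return {"action": "drop", "reason": "no ACL permit" if acl is None else "ACL deny"}
        # 5. Inspections database: does this service need application-level inspection?
        inspection = self.inspections.get((pkt.proto, pkt.dport))
        # 6. Source translation at the exit interface (nat/global); one-to-one in this model.
        new_src = self.global_pool.get(pkt.src, pkt.src) if egress == "outside" else pkt.src
        # 7. Create connection entries for both directions; the idle timers start now.
        self.conns[key] = FlowState(egress, new_src, real_dst, inspection)
        ret_key = (egress, pkt.proto, real_dst, pkt.dport, new_src, pkt.sport)
        self.conns[ret_key] = FlowState(pkt.in_iface, pkt.dst, pkt.src, inspection)
        # 8. Forward to the next hop, or directly when the destination is on the egress subnet.
        return {"action": "permit", "state": "new", "egress": egress, "src": new_src,
                "dst": real_dst, "inspection": inspection, "next_hop": gw or real_dst}


if __name__ == "__main__":
    fw = FirewallModel()
    print(fw.process(Packet("inside", "tcp", "10.1.1.5", 40000, "198.51.100.5", 80)))
    print(fw.process(Packet("outside", "tcp", "198.51.100.5", 80, "203.0.113.5", 40000)))
    print(fw.process(Packet("outside", "tcp", "198.51.100.7", 51000, "203.0.113.80", 22)))
```

Running the demo shows the three decisions the post distinguishes: an inside host opening a connection to the outside is permitted by default and leaves with its source translated from the global pool, the reply to it matches the connection table and is un-translated and routed back inside without touching the ACL, and an unsolicited low-to-high packet for a port with no ACL permit is dropped before any connection entry or timer is created.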