ASA/PIX Order of Operations and packet flow

Much thanks to Joshua Walton for forwarding this info over to me - handy reference:


====================
Packet Flow Sequence
====================

PIX/ASA - Inside (Higher Security Level) to Outside (Lower Security Level)

Format: Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections; if none is found, create a new connection.
2. ROUTE-LOOKUP - [input] - Initial checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up to this point, a connection is created.
10. ROUTE-LOOKUP - [output and adjacency] -


PIX/ASA - VPN - Inside (Higher Security Level) to Outside (Lower Security Level)

Format: Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections; if none is found, create a new connection.
2. ROUTE-LOOKUP - [input] - Initial checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. VPN - [encrypt] -
9. VPN - [ipsec-tunnel-flow] -
10. IP-OPTIONS - [] -
11. FLOW-CREATION - [] - If everything passes up to this point, a connection is created.
12. FLOW-LOOKUP - [] - On the new header
13. ACCESS-LIST - [] - On the new header
14. FLOW-CREATION - [] -
15. ROUTE-LOOKUP - [output and adjacency] -



ASA/PIX - Outside (Lower Security Level) to Inside (Higher Security Level)

Format: Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections; if none is found, create a new connection.
2. UN-NAT - [static] -
3. ROUTE-LOOKUP - [input] - Initial checking (Reverse Path Check, etc.)
4. ACCESS-LIST - [log] - ACL lookup
5. CONN-SETTINGS - [] - class-map, policy-map, service-policy
6. IP-OPTIONS - [] -
7. NAT - [rpf-check] -
8. NAT - [host-limits] -
9. IP-OPTIONS - [] -
10. FLOW-CREATION - [] - If everything passes up to this point, a connection is created.
11. ROUTE-LOOKUP - [output and adjacency] -
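The Type/Subtype names in these sequences are the phase names printed by the ASA packet-tracer command, one block per phase, which is the quickest way to see which step dropped a packet. The following Python is an added example, not code from the original post: it parses a constructed sample of packet-tracer output (the trace, interface and ACL names are made up, not taken from a real device), reports the first DROP phase, and checks the observed phases against the inside-to-outside order listed above.

```python
import re

# Expected (Type, Subtype) order for inside-to-outside traffic, taken from the list above.
INSIDE_TO_OUTSIDE = [
    ("FLOW-LOOKUP", ""), ("ROUTE-LOOKUP", "input"), ("ACCESS-LIST", "log"),
    ("CONN-SETTINGS", ""), ("IP-OPTIONS", ""), ("NAT", ""), ("NAT", "host-limits"),
    ("IP-OPTIONS", ""), ("FLOW-CREATION", ""), ("ROUTE-LOOKUP", "output and adjacency"),
]

# Constructed packet-tracer output (not a real capture): dropped at the ACCESS-LIST phase.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   203.0.113.0     255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny ip any any
Additional Information:
"""

def parse_phases(trace):
    """One dict of Phase/Type/Subtype/Result per phase block of the trace."""
    return [dict(re.findall(r"^(Phase|Type|Subtype|Result):[ \t]*(.*)$", b, re.M))
            for b in re.split(r"\n(?=Phase: )", trace.strip())]

def first_drop(phases):
    """The first phase whose Result is DROP, i.e. the step that discarded the packet."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)

def follows_order(phases, expected):
    """True if the observed (Type, Subtype) pairs are a prefix of the documented sequence."""
    observed = [(p.get("Type", ""), p.get("Subtype", "")) for p in phases]
    return observed == expected[:len(observed)]
```

A phase missing from the expected position (for example no NAT phase before FLOW-CREATION) is as useful a clue as a DROP, because it means the packet never reached the step you are troubleshooting.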

=========================================================
Cisco Order of NAT Commands Used to Match Local Addresses
=========================================================
The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list) [Inbound or Outbound] - In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static) [Inbound or Outbound] - In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list) [Inbound or Outbound] - In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat) [Outbound Only] - Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.
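The four-category matching order above is easy to get wrong when statements overlap, so here is an added Python model of it (my own illustration, not Cisco code and not from the original post). It walks categories 1 to 3 in configuration order and stops at the first match, then falls back to longest-prefix best match for regular dynamic NAT, which is outbound only; the NatRule class, the category names and the sample configuration are all constructed for the example, and the per-NAT-ID global selection is not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Category names map to the four groups in the list above, in the order they are checked:
# "exemption" = nat 0 access-list, "static" = static, "policy-dynamic" = nat access-list,
# "regular-dynamic" = nat. Configuration order is the order of the rules list.
ORDERED_CATEGORIES = ("exemption", "static", "policy-dynamic")   # first match wins

@dataclass
class NatRule:
    category: str            # one of the four category names above
    real: IPv4Network        # real (local) addresses the command covers
    direction: str = "both"  # both | inbound | outbound (as configured)

def applies(rule, direction):
    """Regular dynamic NAT is outbound only; the other categories honour their direction."""
    if rule.category == "regular-dynamic":
        return direction == "outbound"
    return rule.direction in ("both", direction)

def match_nat(rules, real_ip, direction):
    """Return the NAT command that would translate real_ip, following the documented order."""
    addr = ip_address(real_ip)
    # Categories 1-3: walk the configuration in order, stop at the first match.
    for cat in ORDERED_CATEGORIES:
        for r in rules:
            if r.category == cat and applies(r, direction) and addr in r.real:
                return r
    # Category 4: order does not matter; the most specific (longest prefix) match wins.
    candidates = [r for r in rules
                  if r.category == "regular-dynamic" and applies(r, direction) and addr in r.real]
    return max(candidates, key=lambda r: r.real.prefixlen, default=None)

# Constructed configuration (hypothetical, not from the post) reproducing the text's
# 0.0.0.0 versus 10.1.1.1 example, plus one static and one exemption that overlap.
RULES = [
    NatRule("regular-dynamic", ip_network("0.0.0.0/0")),     # nat (inside) 1 0.0.0.0 0.0.0.0
    NatRule("regular-dynamic", ip_network("10.1.1.1/32")),   # nat (inside) 2 10.1.1.1 255.255.255.255
    NatRule("static", ip_network("10.1.2.0/24")),            # static (inside,outside) for a /24
    NatRule("exemption", ip_network("10.1.2.10/32")),        # nat (inside) 0 access-list for one host
]
```

Note that 10.1.2.10 is translated by the exemption even though the static for 10.1.2.0/24 is configured first, because category order beats configuration order.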

==================
Rules to implement
==================


===============================
Checked the routes [show route]
===============================


===================================================
Checked the interface security levels [show nameif]
===================================================

# Note the flow of traffic
-----------------------------------------------------------------------------------------
Traffic is going from lower/higher to lower/higher security level
-----------------------------------------------------------------------------------------

=======================================================
Checked the latest access-group [show run access-group]
=======================================================


# Check the current ACLs and determine what rules need to be added; add an explanation below and in the box(es) place the rules to be added
------------------------------------------------------------------------------------

------------------------------------------------------------------------------------

======================================================================================
Check for any existing rules that might already be in place [show access-list acl_xxx]
======================================================================================


=================================================
Checked the NATs [show run static] [show run nat]
=================================================


# Check the current NATs and determine what needs to be added; add an explanation below and in the box(es) place the NATs to be added
--------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------

===========================================================================================
Back up and save config [write mem] [write net :FWxxxxxx-YYYYMMDD--.cfg]
===========================================================================================


================================
Added the following to
================================


incremented the acl to
--------------------------------


Removed old ACLs [clear configure access-list ]
---------------------------------------------------------
# Keep a maximum of 3 backup ACLs, the current one plus three more.


===========================================================================================
Back up and save config [write mem] [write net :FWxxxxxx-YYYYMMDD--.cfg]
===========================================================================================
