A normal Layer 3 routing device, when receiving a packet on one of its ingress interfaces, first checks the destination IP address of the packet and then consults its routing table in order to forward the packet to the proper outgoing interface. This is the most basic operation of a router.
A stateful firewall (like the Cisco ASA), on the other hand, has much more complicated work to do on an incoming packet. There are several steps and decision points that the packet has to go through before being allowed and forwarded by the firewall. This is called “conditional forwarding” because the packet must satisfy several rules and conditions before passing through the firewall.
The diagram below shows a simplified traffic flow of a packet through a Cisco ASA device:
As shown in the figure above, a packet arriving on the input interface is first checked to see whether it is part of an existing connection. If it is, it skips many of the intermediate steps and is checked only against the Layer 7 inspection rules.
If the packet starts a new connection, the firewall needs to store all the pertinent information about this connection in its state table. The stored information includes the source and destination IP addresses, the source and destination port numbers, TCP sequence numbers, etc. Because the packet belongs to a new connection, it has to go through several steps and checks before being forwarded to the output interface.
First, the firewall checks whether there is a Layer 3 route for the destination address of the packet in the routing table. After that, it checks whether the Access Control List (ACL) on the input interface allows the specific connection to pass. If it does, the firewall checks whether there is a NAT rule configured for this specific connection. After that, the device verifies that any Layer 7 inspection rules allow the specific connection. Only after all the previous steps have been satisfied successfully is the packet allowed to exit the output interface.
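The decision sequence described above, modelled as an added Python example (not Cisco code and not part of the original article). The class, field names and drop reasons are hypothetical, the Layer 7 check is a simple payload-substring stand-in, and this model commits the state entry only once every check has passed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

@dataclass
class Firewall:
    routes: list    # destination prefixes that have a Layer 3 route
    acl: list       # (src_prefix, dst_prefix, dst_port) permits on the input interface
    nat: dict       # real source IP -> translated source IP
    blocked: list   # payload substrings rejected by the Layer 7 stand-in
    state: dict = field(default_factory=dict)   # connection (state) table

    def _l7_ok(self, pkt):
        return not any(b in pkt.payload for b in self.blocked)

    def process(self, pkt):
        """Return (verdict, reason) for one packet, following the article's flow."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            # Existing connection: skip route/ACL/NAT, apply Layer 7 inspection only.
            return ("forward", "existing") if self._l7_ok(pkt) else ("drop", "l7-inspection")
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        # 1. Is there a route for the destination address?
        if not any(dst in ipaddress.ip_network(r) for r in self.routes):
            return ("drop", "no-route")
        # 2. Does the ACL on the input interface permit this connection?
        if not any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                   and pkt.dport == p for s, d, p in self.acl):
            return ("drop", "acl")
        # 3. Is a NAT rule configured for this connection? (no rule: address unchanged)
        xlate_src = self.nat.get(pkt.src, pkt.src)
        # 4. Do the Layer 7 inspection rules allow it?
        if not self._l7_ok(pkt):
            return ("drop", "l7-inspection")
        # All checks passed: record the connection, then forward to the output interface.
        self.state[key] = {"xlate_src": xlate_src}
        return ("forward", "new")
```

A second packet with the same addresses and ports returns `("forward", "existing")` without touching the route, ACL or NAT checks, which is the fast path the article describes.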