Connection Table of Cisco ASA firewall:
Inspect: the ASA counterpart of CBAC / ZBF stateful inspection on IOS routers.
When traffic goes out through the ASA, the ASA writes an entry in the connection table; when the return traffic comes back, the ASA matches it against that entry.
The scope of the connection table:
When traffic goes from one interface to another, the ASA notes the information down in the connection table.
Connection: the entry lives in the connection table; alongside it the ASA keeps a local host table and an xlate (translation) table.
The connection can be of two types:
Unidirectional: traffic goes from source to destination only.
Bidirectional: traffic goes from source to destination and from destination back to source.
The "show connection detail" command shows the flag information for each connection.
Scope of Inspect: By default, ICMP is not inspected by the ASA. ICMP traffic from inside to outside is allowed because it goes from a higher security level to a lower one, but when the return traffic comes back the ASA checks whether this traffic is inspected. If ICMP is inspected, the ASA allows the return traffic after checking the connection table and the inspection table; since by default the ASA has not inspected the ICMP traffic, it drops the return traffic.
To check which protocols are inspected, run the command: "show run policy-map"
If we want to inspect ICMP globally, run the command:
(config)# fixup protocol icmp
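To make the connection-table and ICMP-inspection behaviour above concrete, here is a small model written for this page (not ASA code): outbound traffic from inside (higher security level) is allowed and recorded, return traffic from outside is allowed only if it matches recorded state, and ICMP state is kept only when inspection is enabled. Addresses and ports are constructed sample values.

```python
# Simplified model of the ASA connection table and ICMP inspection.
# Constructed illustration, not ASA code; inside=100, outside=0.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # for icmp: echo identifier
    dport: int = 0  # for icmp: echo sequence number


class Asa:
    def __init__(self, inspect_icmp=False):
        self.inspect_icmp = inspect_icmp  # 'fixup protocol icmp' / 'inspect icmp'
        self.conn_table = set()           # TCP/UDP connections (bidirectional)
        self.inspect_table = set()        # ICMP sessions, only when inspected

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p):
        if p.proto == "icmp":  # echo-reply carries the same id/seq as the request
            return (p.proto, p.dst, p.src, p.sport, p.dport)
        return (p.proto, p.dst, p.src, p.dport, p.sport)  # ports swap for TCP/UDP

    def outbound(self, p):
        """Inside -> outside: allowed (higher to lower) and state is recorded."""
        if p.proto in ("tcp", "udp"):
            self.conn_table.add(self._key(p))
        elif p.proto == "icmp" and self.inspect_icmp:
            self.inspect_table.add(self._key(p))  # no state at all without inspect
        return "allow"

    def inbound(self, p):
        """Outside -> inside: allowed only if it matches existing state."""
        rk = self._reverse_key(p)
        if p.proto in ("tcp", "udp"):
            return "allow" if rk in self.conn_table else "drop"
        if p.proto == "icmp" and self.inspect_icmp and rk in self.inspect_table:
            return "allow"
        return "drop"


def demo(inspect_icmp):
    """Returns the verdict for return traffic of a TCP flow, an ICMP echo, and an unsolicited SYN/ACK."""
    asa = Asa(inspect_icmp)
    asa.outbound(Packet("tcp", "10.1.1.10", "198.51.100.5", 40000, 443))
    asa.outbound(Packet("icmp", "10.1.1.10", "198.51.100.5", 1234, 1))
    return {
        "tcp_return": asa.inbound(Packet("tcp", "198.51.100.5", "10.1.1.10", 443, 40000)),
        "icmp_reply": asa.inbound(Packet("icmp", "198.51.100.5", "10.1.1.10", 1234, 1)),
        "unsolicited": asa.inbound(Packet("tcp", "198.51.100.5", "10.1.1.10", 443, 40001)),
    }
```

With inspection off the echo reply is dropped even though the echo request went out; with inspection on it is matched against the inspection table and allowed.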
PACKET FLOW OF ASA:
On ASA versions before and after 8.3 the order differs:
8.0 version: It will check the ACL first and then NAT.
8.3 and above: It will check NAT first (that is, it un-NATs the packet first) and then check the ACL.
NAT (NETWORK ADDRESS TRANSLATION):
STATIC POLICY NAT:
"Policy" stands for an if-then statement: translate only if the traffic matches the stated condition.
To understand NAT:
Static NAT is bidirectional.
Phase 6
Type:
Subtype: RPF-check
RPF (Reverse Path Forwarding) check: