cisco ipsec vpn free banner - Google Search - Google Chrome 2020-02-13 5_34_34 PM (2)
Eric U Ngabonziza

Cisco ASA packet flow for IPsec VPN

The interface that receives the packet is called the ingress interface (Inside) and the interface through which the packet exits is called the egress interface (Outside). When referring to the packet flow through any device, it can be easily simplified by looking at the task in terms of these two interfaces.

Below you can see a diagram explains how Cisco ASA firewall processes every packet that it receives:

To understand better Cisco ASA packet flow, I will use the above diagram as an example and share with you some commands to run.

You can have the following ASA configuration to specify the host IP addresses, security rules, NAT ect…

To observe the traffic flow, you can run the following command:

Then the packet follows these steps:

STEP 1. Packet received:

Packet is reached at the ingress interface (Inside).

STEP 2. Ingress Interface:

Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

STEP 3. Connection & Access-List:

Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check.

If it is not a SYN packet, the packet is dropped, and the event is logged.

The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries with a proper route-lookup; it moves forward. Otherwise, the packet is dropped, and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.

STEP 4. Inspections checks:

The packet is subjected to an Inspection Check. This inspection verifies whether this specific packet flow follows the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped, and the information is logged. Additional Security-Checks will be implemented if a CSC module is involved.

STEP 5. Translation Rules:

The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped, and the information is logged.

The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP-SSM for IPS related security checks, when the AIP module is involved.

STEP 6. Route-Lookup:

The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.

STEP 7. VPN encryption:

On the egress interface, the interface route lookup is performed. Then the VPN encrypts the traffic.

STEP 8. Layer3 route & layer2 resolution:

Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

STEP 9. Result:

The packet is transmitted on wire, and Interface counters increment on the egress interface.

AuthorEric Uwonkunda Ngabonziza

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email