rajan-sharma
packet flow through Cisco ASA deployed in transparent mode
1. In transparent mode the ASA finds the egress interface on the basis of the MAC address table instead of a route lookup.
2. The ASA does perform a route lookup if the traffic is generated on the ASA itself or if NAT is enabled for the given flow.

When the ASA is working in transparent mode, ARP is allowed in both directions by default, without an access-list. However, if someone wants to control the ARP traffic, that can be done using ARP inspection. For Layer 3 and above traffic traversing from the lower to the higher security zone, we need to put the access-list on the low security interface.

Traffic not forwarded by the ASA in transparent mode: CDP packets and IS-IS traffic. BPDUs are allowed by default, so that STP can prevent loops.
Packet flow examples:
Source is located in the higher security zone and destination in the lower security zone.
A user tries to access a destination on the Internet. He sends the packet, the packet reaches the ASA, the ASA adds an entry for the source to its MAC address table, and then performs all the security checks.
Then the ASA creates a connection for this flow. Assuming the destination MAC address is in the ASA MAC address table, it then sends the packet to the destination (the gateway). If the destination MAC is not known, the ASA tries to find it using an ARP request and a ping; this drops the first packet.
When the server on the outside responds, the reply is allowed because a connection already exists for it.
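As an added example (not part of the original document and not Cisco code), the following Python model walks through the decisions described above: MAC-table versus route lookup for egress, ARP and BPDU passing without an ACL, ARP inspection on one interface, CDP/IS-IS being dropped, the ACL on the low security interface, the first-packet drop while the ASA resolves an unknown destination MAC, and the return traffic matching the existing connection. Interface names, security levels, addresses, MACs, the ACL and the static ARP entry are all assumptions chosen for the walkthrough; the two-interface ACL default is a simplification of the real high-to-low behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    ethertype: str              # "ip", "arp", "bpdu", "cdp" or "isis"
    src_mac: str
    dst_mac: str
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""
    sport: int = 0
    dport: int = 0


@dataclass
class TransparentASA:
    """Toy two-interface bridge group; all names and values are assumptions."""
    security: dict                                  # nameif -> security-level
    acl: dict = field(default_factory=dict)         # nameif -> {(proto, dst_ip, dport)} permitted inbound
    mac_table: dict = field(default_factory=dict)   # mac -> nameif, learned from source MACs
    routes: dict = field(default_factory=dict)      # dst_ip -> nameif, used only for route lookups
    nat_targets: set = field(default_factory=set)   # destinations covered by a NAT rule
    arp_static: dict = field(default_factory=dict)  # nameif -> {ip: mac} bindings for ARP inspection
    arp_inspect: set = field(default_factory=set)   # interfaces with ARP inspection enabled
    conns: set = field(default_factory=set)         # 5-tuples with an established connection
    arp_pending: set = field(default_factory=set)   # destinations the ASA is resolving with ARP + ping

    def egress_interface(self, pkt, from_asa=False):
        # Points 1 and 2: MAC-table lookup, except a route lookup for
        # ASA-originated traffic or traffic covered by NAT.
        if from_asa or pkt.dst_ip in self.nat_targets:
            return self.routes.get(pkt.dst_ip)
        return self.mac_table.get(pkt.dst_mac)

    def permitted(self, pkt, ingress):
        # Inbound ACL on the ingress interface; with no ACL only the
        # highest-security interface may initiate (simplified high->low default).
        if ingress in self.acl:
            return (pkt.proto, pkt.dst_ip, pkt.dport) in self.acl[ingress]
        return self.security[ingress] == max(self.security.values())

    def process(self, pkt, ingress, from_asa=False):
        if from_asa:                                # management traffic from the ASA itself
            return self._forward(pkt, True)
        self.mac_table[pkt.src_mac] = ingress       # learn the source MAC on arrival
        if pkt.ethertype in ("cdp", "isis"):
            return "DROP: not forwarded in transparent mode"
        if pkt.ethertype == "bpdu":
            return "FORWARD: BPDU passed so STP can prevent loops"
        if pkt.ethertype == "arp":
            if ingress in self.arp_inspect:
                expected = self.arp_static.get(ingress, {}).get(pkt.src_ip)
                if expected != pkt.src_mac:
                    return "DROP: ARP inspection mismatch"
            return "FORWARD: ARP allowed in both directions"
        # Layer 3 and above: existing connection, else ACL check then new connection
        flow = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)
        if flow in self.conns or reverse in self.conns:
            return self._forward(pkt, False)
        if not self.permitted(pkt, ingress):
            return "DROP: no ACL permits this flow on " + ingress
        self.conns.add(flow)
        return self._forward(pkt, False)

    def _forward(self, pkt, from_asa):
        egress = self.egress_interface(pkt, from_asa)
        if egress is None:
            self.arp_pending.add(pkt.dst_ip)        # ARP request and ping go out; packet is dropped
            return "DROP: destination MAC unknown, resolving"
        return "FORWARD via " + egress

    def arp_reply(self, ip, mac, iface):
        # The ASA's ARP request / ping was answered: populate the MAC table.
        self.mac_table[mac] = iface
        self.arp_pending.discard(ip)


def demo():
    """Constructed scenario: inside user 192.168.1.20 reaches the Internet via gateway 192.168.1.1."""
    asa = TransparentASA(
        security={"inside": 100, "outside": 0},
        acl={"outside": {("tcp", "192.168.1.10", 443)}},
        arp_static={"outside": {"192.168.1.1": "0011.2233.4455"}},
        arp_inspect={"outside"},
        routes={"192.168.1.1": "outside"},
    )
    gw, user = "0011.2233.4455", "aaaa.0000.0001"
    req = Packet("ip", user, gw, "192.168.1.20", "203.0.113.5", "tcp", 40000, 80)
    rep = Packet("ip", gw, user, "203.0.113.5", "192.168.1.20", "tcp", 80, 40000)
    out = {}
    out["first packet"] = asa.process(req, "inside")            # gateway MAC unknown
    asa.arp_reply("192.168.1.1", gw, "outside")
    out["retransmit"] = asa.process(req, "inside")              # connection exists, MAC known
    out["server reply"] = asa.process(rep, "outside")           # matches the connection
    out["outside to ssh"] = asa.process(Packet("ip", gw, "aaaa.0000.0010", "198.51.100.7",
                                               "192.168.1.10", "tcp", 5000, 22), "outside")
    out["spoofed arp"] = asa.process(Packet("arp", "dead.beef.0001", user, "192.168.1.1"), "outside")
    out["cdp"] = asa.process(Packet("cdp", user, "0100.0ccc.cccc"), "inside")
    out["bpdu"] = asa.process(Packet("bpdu", user, "0180.c200.0000"), "inside")
    out["asa originated"] = asa.process(Packet("ip", "0000.asa0.0001", "ffff.ffff.ffff",
                                               "192.168.1.254", "192.168.1.1"), "inside", from_asa=True)
    return out
```

Run `demo()` and inspect the dictionary: the first user packet is dropped while the ASA resolves the gateway, the retransmission and the server's reply are forwarded on the strength of the connection entry, the outside-initiated SSH attempt fails the ACL on the low security interface, and the ASA-originated packet reaches the outside interface through the route table even though no MAC lookup was possible.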