Chinaunix首页 | 论坛 | 博客
  • 博客访问: 146730
  • 博文数量: 30
  • 博客积分: 1375
  • 博客等级: 中尉
  • 技术积分: 310
  • 用 户 组: 普通用户
  • 注册时间: 2005-07-18 14:07
文章分类

全部博文(30)

文章存档

2010年(2)

2009年(2)

2007年(1)

2006年(18)

2005年(7)

我的朋友

分类: 网络与安全

2010-05-26 10:57:17

一直搞不清楚ASA包过滤的顺序,查了一下国外的网站,从一个哥们的blog里找到了(http://www.ciskoblog.com/2010/03/asapix-order-of.html)。

Packet Flow Sequence
====================
PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency] -

Much thanks to Joshua Walton for forwarding this info over to me - handy reference:

====================
Packet Flow Sequence
====================


PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency] -


PIX/ASA - VPN - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. VPN - [encrypt] -
9. VPN - [ipsec-tunnel-flow] -
10. IP-OPTIONS - [] -
11. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
12. FLOW-LOOKUP - [] - On the new header
13. ACCESS-LIST - [] - On the new header
14. FLOW-CREATION - [] -
15. ROUTE-LOOKUP - [output and adjacency] 


ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
-----------------------------------------------------------
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. UN-NAT - [static] -
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [rpf-check] -
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency] -


下面的部分是关于ASA的NAT操作顺序:

  • nat 0 access-list (nat-exempt)
  • match against existing xlates
  • static
    static nat with and without access-list (first match)
    static pat with and without access-list (first match)
  • nat
    a) nat access-list (first match)
    Note: nat 0 access-list is not part of this command.
    b) nat (best match) Note: When choosing a global address from multiple pools withthe same nat id, the following order is tried
    i) if the id is 0, create an identity xlate.
    ii) use the global pool for dynamic NAT
    iii) use the global pool for dynamic PAT
  • Order of NAT Commands Used to Match Real Addresses

    The adaptive security appliance matches real addresses to NAT commands in the following order:
    1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
    2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.
    3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
    4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
    interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the adaptive security appliance.

    阅读(3041) | 评论(0) | 转发(0) |
    给主人留下些什么吧!~~