An inbound TCP SYN packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is not part
of an established session. The packet reaches the interface’s internal buffer and the input counter is
incremented.
Which of the following actions will occur next? (Select the best answer.)
A. The packet will be processed by interface ACLs.
B. The packet is forwarded to the outbound interface.
C. The packet is subjected to an inspection check.
D. The packet’s IP header is translated by NAT/PAT.
Explanation:
The inbound Transmission Control Protocol (TCP) SYN packet will be processed by the interface access control
lists (ACLs) because it is not part of an established session. A Cisco Adaptive Security Appliance (ASA) running
8.2 performs the following checks, in this order, when a packet arrives on the inbound interface:
– Increments the input counter
– Determines whether the packet is part of an established connection (if it is, the ACL and translation-rule checks are bypassed)
– If not an established connection, processes the packet by using the interface ACLs
– If not an established connection, verifies the packet against the translation rules and, if it passes, creates a connection entry for the flow
– Conducts an inspection of the packet to determine protocol compliance
– Translates the IP header according to the Network Address Translation (NAT) rules
– Forwards the packet to the outbound interface
Inbound TCP packets that are not part of an established connection must be SYN packets; the SYN is the first
packet sent during TCP’s three-way handshake. An inbound TCP SYN packet is permitted by the ASA as long as
it is permitted by an interface ACL rule and is successfully translated by NAT or Port Address Translation (PAT).
The TCP SYN-ACK packet is the second phase of the three-way handshake; it is sent by the host that received
the SYN packet to the host that is attempting to establish the connection. Therefore, an ASA will permit an
inbound TCP SYN-ACK packet only if it is part of an established connection.
It is important to note that ASA 8.3 and later modify the packet-processing algorithm: the NAT lookup (the
un-translation of the packet’s destination address) is performed before the interface ACL lookup. Consequently,
interface ACLs on 8.3 and later must reference the inside host’s real IP address rather than its mapped public IP
address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet’s IP header would be translated
by NAT or PAT before it is processed by the interface ACLs.
Reference: Cisco: ASA 8.2: Packet Flow through an ASA Firewall: Cisco ASA Packet Process Algorithm