why and how firewall respond to ip addresses other ips other then the outside ips of the interface

Posted on 2014-08-07
Last Modified: 2014-08-10
got a ASA 5505
let's say ISP have provided ips to use it on outside interface
just want understand why and how firewall respond to ip addresses other ips other then the outside ips of the interface

firewall --- >e0- (outside)
firewall ---> (inside)
what and how firewall will respond to other ips in the same subnet , what config i need to make on the firewall
I want firewall to respond to to pings

Please can you help
Question by:mohannitin
    LVL 8

    Expert Comment


    Author Comment

    i want firewall to respond to different ip then the outside interface ip which i want to nat it to internal ip lets say switch
    LVL 3

    Accepted Solution

    You want to add NAT registries to the outside interface:

    object network NatedServer
    host INTERNAL_IP
    nat (inside,outside) static service tcp INTERNAL_PORT EXTERNAL_PORT

    Open in new window being the IP you've mentioned

    Author Comment

    do i need to updated /add any access -list ?

    Author Comment

    whats the process
    firewall outside interface receive the packet from isp for
    firewall should drop the packet as it is not configured anywhere on the firewall ?
    also there is not route for it
    does it check the nat rule before responding the ISP ?
    LVL 3

    Assisted Solution

    The ASA receives the packet from the ISP to the destination. If you don't have the nat rule, the ASA discards the packet. otherwise it will send it to the internal address defined by your nat rule, such as 10.252.15.X

    The ASA processing order is:

    1. Packet is reached at the ingress interface.

    2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

    3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

    If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

    4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.

    5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

    6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.
    Additional Security-Checks will be implemented if a CSC module is involved.

    7. The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP-SSM for IPS related security checks, when the AIP module is involved.

    8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.

    9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority.

    10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

    11. The packet is transmitted on wire, and Interface counters increment on the egress interface.

    Author Closing Comment

    thanks man

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Better Security Awareness With Threat Intelligence

    See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

    Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
    Is your computer hacked? learn how to detect and delete malware in your PC
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now