An inside user visits a web server on the dmz – Cisco ASA 5505 User Manual

Page 192

Advertising
background image

4-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 4 Configuring the Transparent or Routed Firewall

Firewall Mode Examples

5.

When the DMZ web server responds to the request, the packet goes through the ASA and because
the session is already established, the packet bypasses the many lookups associated with a new
connection. The ASA performs NAT by translating the local source address to 209.165.201.3.

6.

The ASA forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ

Figure 4-5

shows an inside user accessing the DMZ web server.

Figure 4-5

Inside to DMZ

The following steps describe how data moves through the ASA (see

Figure 4-5

):

1.

A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.

2.

The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).

For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the interface is unique; the web server
IP address does not have a current address translation.

3.

The ASA then records that a session is established and forwards the packet out of the DMZ interface.

4.

When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.

Web Server

10.1.1.3

User

10.1.2.27

209.165.201.2

10.1.1.1

10.1.2.1

Inside

DMZ

Outside

92403

Advertising