VPN Functional Overview – Cisco ASA 5505 User Manual

1-28

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

VPN Functional Overview

If it is a new connection, the ASA has to check the packet against access lists and perform other
tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the
session goes through the “session management path,” and depending on the type of traffic, it might
also pass through the “control plane path.”

The session management path is responsible for the following tasks:

• Performing the access list checks

• Performing route lookups

• Allocating NAT translations (xlates)

• Establishing sessions in the “fast path”

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Is this an established connection?

If the connection is already established, the ASA does not need to re-check packets; most matching
packets can go through the “fast” path in both directions. The fast path is responsible for the
following tasks:

• IP checksum verification

• Session lookup

• TCP sequence number check

• NAT translations based on existing sessions

• Layer 3 and Layer 4 header adjustments

For UDP or other connectionless protocols, the ASA creates connection state information so that it
can also use the fast path.

Data packets for protocols that require Layer 7 inspection can also go through the fast path.

Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
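The packet-flow decision described above, as a small stateful model added here for illustration (it is not Cisco code and does not reproduce ASA internals). The access list, routing table, NAT pool and inspected port set are constructed for the example; the first packet of a flow takes the session management path (access list check, route lookup, xlate allocation, session creation), control packets of FTP, H.323 and SNMP are handed to the control plane path, HTTP flows configured for inspection stay on the session management path, and everything else that matches an existing session takes the fast path with checksum verification, session lookup, a sequence number check and NAT from the stored session. UDP flows also get a session entry so that their later packets use the fast path.

```python
"""Toy model of the ASA packet-flow decision: first packet of a connection takes the
session management path, control packets of Layer 7 inspected protocols take the
control plane path, and established flows take the fast path. Added example, not
Cisco code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed policy. Access list entries: (action, proto, destination network, port);
# first match wins and an unmatched packet is denied, as on the ASA.
ACCESS_LIST = [
    ("permit", "tcp", "10.0.0.0/24", 80),
    ("permit", "tcp", "10.0.0.0/24", 443),
    ("permit", "tcp", "10.0.0.0/24", 21),
    ("permit", "udp", "10.0.0.0/24", 53),
    ("permit", "udp", "10.0.0.0/24", 161),
]
ROUTES = [("10.0.0.0/24", "inside"), ("0.0.0.0/0", "outside")]  # constructed; longest prefix wins
NAT_POOL = ["203.0.113.10", "203.0.113.11"]                      # constructed xlate pool
# Control channels that need a Layer 7 inspection engine (FTP, H.323 call signalling, SNMP).
L7_CONTROL_PORTS = {("tcp", 21), ("tcp", 1720), ("udp", 161)}
# HTTP traffic configured for inspection or content filtering stays on the session management path.
HTTP_INSPECTION_PORTS = {("tcp", 80)}
TCP_WINDOW = 65535  # toy acceptance window for the sequence number check


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0            # TCP sequence number; ignored for UDP
    checksum_ok: bool = True


@dataclass
class Session:
    seq: dict = field(default_factory=dict)  # per-direction expected next sequence number
    xlate: str = ""
    iface: str = ""


class ASAModel:
    def __init__(self):
        self.sessions = {}   # both 5-tuple directions point at the same Session
        self.xlate_count = 0

    @staticmethod
    def _keys(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_permits(self, p):
        dst = ipaddress.ip_address(p.dst)
        for action, proto, net, port in ACCESS_LIST:
            if proto == p.proto and port == p.dport and dst in ipaddress.ip_network(net):
                return action == "permit"
        return False  # implicit deny

    def _route(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(ipaddress.ip_network(n).prefixlen, iface) for n, iface in ROUTES
                   if addr in ipaddress.ip_network(n)]
        return max(matches)[1] if matches else None

    def process(self, p):
        """Return (path taken, verdict) for one packet."""
        if not p.checksum_ok:
            return "fast", "drop: bad IP checksum"
        key, rkey = self._keys(p)
        sess = self.sessions.get(key)
        if sess is not None:                      # established: no access list re-check
            if p.proto == "tcp":
                expected = sess.seq.get(key)      # toy: each packet consumes one sequence number
                if expected is not None and not expected <= p.seq < expected + TCP_WINDOW:
                    return "fast", "drop: TCP sequence number out of window"
                sess.seq[key] = p.seq + 1
            if (p.proto, p.dport) in L7_CONTROL_PORTS:
                return "control-plane", "forward"
            if (p.proto, p.dport) in HTTP_INSPECTION_PORTS:
                return "session-management", "forward"
            return "fast", f"forward as {sess.xlate}"   # NAT from the existing session
        # New connection: session management path.
        if not self._acl_permits(p):
            return "session-management", "drop: denied by access list"
        iface = self._route(p.dst)
        if iface is None:
            return "session-management", "drop: no route"
        xlate = NAT_POOL[self.xlate_count % len(NAT_POOL)]
        self.xlate_count += 1
        sess = Session({key: p.seq + 1} if p.proto == "tcp" else {}, xlate, iface)
        self.sessions[key] = self.sessions[rkey] = sess   # UDP gets state too, so it can use the fast path
        path = "session-management"
        if (p.proto, p.dport) in L7_CONTROL_PORTS:
            path += "+control-plane"
        return path, f"forward via {iface} as {xlate}"
```

Feeding the same flow twice shows the difference the text describes: the first packet pays for the access list and route lookup, the second is only looked up, sequence-checked and translated. A packet whose sequence number falls outside the window is dropped on the fast path without ever reaching the access list, which is why a stale or spoofed segment for an existing connection is cheap for the firewall to discard.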

VPN Functional Overview

A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate
security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through
the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive
plain packets, encapsulate them, and send them to the other end of the tunnel where they are
unencapsulated and sent to their final destination. It can also receive encapsulated packets,
unencapsulate them, and send them to their final destination. The ASA invokes various standard
protocols to accomplish these functions.

The ASA performs the following functions:

• Establishes tunnels

• Negotiates tunnel parameters
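The bidirectional tunnel endpoint described above, as an added example that is not part of the guide and not Cisco code. It models one security association per direction (as IPsec does), each with its own key and SPI, and shows the two operations the text names: encapsulating a plain packet behind an outer header and an integrity tag, and unencapsulating a received packet only after its tag verifies and its sequence number passes an anti-replay window. The header layout, SPI values and window size are assumptions for the example; keys are generated locally in place of the parameters a real endpoint would negotiate. The example protects integrity only (comparable to ESP with NULL encryption); a deployed tunnel also encrypts the inner packet.

```python
"""Toy bidirectional tunnel endpoint (added example, not Cisco code). One security
association (SA) per direction; packets are wrapped in a constructed outer header
(SPI, sequence number), authenticated with HMAC-SHA256 and checked against a
sliding anti-replay window on receipt. Integrity only, no encryption."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!II")  # constructed outer header: SPI, sequence number
TAG_LEN = hashlib.sha256().digest_size


class ReplayWindow:
    """Sliding anti-replay window: bit 0 of the bitmap is the highest sequence seen."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # too old for the window, or already seen
        self.bitmap |= 1 << diff
        return True


class SecurityAssociation:
    """Key, SPI and sequence state for one direction of the tunnel."""
    def __init__(self, spi, key):
        self.spi, self.key, self.next_seq, self.window = spi, key, 1, ReplayWindow()


class TunnelEndpoint:
    def __init__(self, outbound, inbound):
        self.out_sa = outbound
        self.in_sas = {inbound.spi: inbound}   # inbound SAs are selected by SPI

    def encapsulate(self, inner_packet):
        sa = self.out_sa
        body = HDR.pack(sa.spi, sa.next_seq) + inner_packet
        sa.next_seq += 1
        return body + hmac.new(sa.key, body, hashlib.sha256).digest()

    def decapsulate(self, outer):
        if len(outer) < HDR.size + TAG_LEN:
            raise ValueError("truncated packet")
        spi, seq = HDR.unpack_from(outer)
        sa = self.in_sas.get(spi)
        if sa is None:
            raise ValueError("unknown SPI")
        body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(sa.key, body, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")   # verified before the window is updated
        if not sa.window.check_and_update(seq):
            raise ValueError("replayed or stale sequence number")
        return body[HDR.size:]


def build_tunnel_pair():
    """Two endpoints whose keys are assumed to have been negotiated already (e.g. by IKE)."""
    key_ab, key_ba = os.urandom(32), os.urandom(32)
    a = TunnelEndpoint(SecurityAssociation(0x1001, key_ab), SecurityAssociation(0x2002, key_ba))
    b = TunnelEndpoint(SecurityAssociation(0x2002, key_ba), SecurityAssociation(0x1001, key_ab))
    return a, b


def try_decapsulate(endpoint, outer):
    """Return the inner packet, or the reason the packet was rejected."""
    try:
        return endpoint.decapsulate(outer)
    except ValueError as err:
        return str(err)
```

The order of checks on receipt is the point worth copying: the SPI selects the association, the tag is verified with a constant-time comparison, and only then is the anti-replay window advanced, so a forged or corrupted packet can never move the window and a replayed one is rejected even though its tag is valid. The window also tolerates modest reordering, which matters for tunnels carried over the Internet.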