Last Updated on August 2, 2021 by Admin
An inbound TCP packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is part of an established session. The packet reaches the interface’s internal buffer and the input counter is incremented.
Which of the following actions will occur next? (Select the best answer.)
- The packet will be processed by interface ACLs.
- The packet is forwarded to the outbound interface.
- The packet is subjected to an inspection check.
- The packet’s IP header is translated by NAT/PAT.
Because the Transmission Control Protocol (TCP) packet in this scenario is part of an established session, the packet will be subjected to an inspection check after it reaches the interface’s internal buffer and the input counter is incremented. A Cisco Adaptive Security Appliance (ASA) 8.2 performs all of the following checks when a packet arrives on the inbound interface:
– Increments the input counter
– Determines whether the packet is part of an established connection
– If not an established connection, processes the packet by using the interface access control lists (ACLs)
– If not an established connection, verifies the packet for translation rules
– Conducts an inspection of the packet to determine protocol compliance
– Translates the IP header according to Network Address Translation (NAT) rules
– Forwards the packet to the outbound interface
It is important to note that the Cisco ASA 8.3 and later modify the ASA packet process algorithm. When configuring NAT for the ASA 8.3 and later, you should use the client’s real IP address instead of the ASA’s public IP address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet’s IP header would be translated by NAT or Port Address Translation (PAT) prior to being processed by interface ACLs.
Inbound TCP packets that are not part of an established connection should be SYN packets, which is the first packet that is sent during TCP’s three-way handshake. Inbound TCP SYN packets are permitted by the ASA as long as the packet is permitted by an interface ACL rule and is successfully translated by NAT or PAT. The TCP SYNACK packet is the second phase of the TCP three-way handshake? it is sent by the host that received the SYN packet to the host that is attempting to establish a connection. Therefore, an ASA will permit an inbound TCP SYNACK packet only if it is part of an established connection.