4-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter4 Configuring the Transparent or Routed Firewall
Firewall Mode Examples
5. When www.example.com responds to the request, the packet goes through the ASA, and because
the session is already established, the packet bypasses the many lookups associated with a new
connection. The ASA performs NAT by translating the global destination address to the local user
address, 10.1.2.27.
6. The ASA forwards the packet to the inside user.
An Outside User Visits a Web Server on the DMZ
Figure 4-4 shows an outside user accessing the DMZ web server.
Figure4-4 Outside to DMZ
The following steps describe how data moves through the ASA (see Figure4-4):
1. A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.
2. The ASA untranslates the destination address to the local address 10.1.1.3.
3. The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the classifier “knows” that the DMZ web
server address belongs to a certain context because of the server address translation.
4. The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interface.
Web Server
10.1.1.3
User
209.165.201.2
10.1.1.110.1.2.1
Dest Addr Translation
209.165.201.3 10.1.1.13
Outside
Inside DMZ
92406