Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 4 Configuring the Transparent or Routed Firewall
Firewall Mode Examples
5. When the DMZ web server responds to the request, the packet goes through the ASA and because
the session is already established, the packet bypasses the many lookups associated with a new
connection. The ASA performs NAT by translating the local source address to 209.165.201.3.
6. The ASA forwards the packet to the outside user.
An Inside User Visits a Web Server on the DMZ
Figure 4-5 shows an inside user accessing the DMZ web server.
Figure 4-5 Inside to DMZ
The following steps describe how data moves through the ASA (see Figure 4-5):
1. A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.
2. The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the interface is unique; the web server
IP address does not have a current address translation.
3. The ASA then records that a session is established and forwards the packet out of the DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.
[Figure 4-5 labels: Inside interface 10.1.2.1 with User 10.1.2.27; DMZ interface 10.1.1.1 with Web Server 10.1.1.3; Outside interface 209.165.201.2. Interface addresses are paired with the subnet shown on each side of the figure.]
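The configuration below is an added example, not taken from the guide, that builds the Figure 4-5 topology so the inside-to-DMZ and outside-to-DMZ flows described above can be traced on a real device. It assumes ASA 8.3 or later object NAT syntax, GigabitEthernet interface names, a /27 outside mask and the security levels shown; the interface and host addresses come from the figure and the 209.165.201.3 translated address from step 5.

```cisco
! Interface addresses are from Figure 4-5; security levels, masks and
! GigabitEthernet names are assumptions for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! The DMZ web server is reachable from the outside as 209.165.201.3
! (the translation applied in step 5 of the outside-to-DMZ flow).
! ASA 8.3+ object NAT syntax is assumed.
object network dmz-web
 host 10.1.1.3
 nat (dmz,outside) static 209.165.201.3
!
! Outside users may reach only the web server, and only on port 80.
! In 8.3+ the access list references the real (untranslated) address.
access-list outside_in extended permit tcp any object dmz-web eq www
access-group outside_in in interface outside
!
! Inside (100) to DMZ (50) is permitted by the default higher-to-lower
! security policy, and no NAT rule applies between those interfaces,
! which is why step 2 of the inside-to-DMZ flow finds no address
! translation for 10.1.1.3. To restrict inside users to HTTP on the
! web server, attach an access list to the inside interface instead:
! access-list inside_in extended permit tcp 10.1.2.0 255.255.255.0 object dmz-web eq www
! access-group inside_in in interface inside
```

After the inside user opens a connection, `show conn` lists the established session between 10.1.2.27 and 10.1.1.3; that entry is what the web server's reply matches in step 4, so the reply takes the fast path instead of being re-evaluated against the access lists. `show xlate` shows the static translation used for the outside-to-DMZ flow, and there is no entry for the inside-to-DMZ session because no NAT rule covers it.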