4-25
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter4 Configuring the Transparent or Routed Firewall
Firewall Mode Examples
An Inside User Visits a Web Server Using NAT
Figure 4-10 shows an inside user accessing an outside web server.
Figure4-10 Inside to Outside with NAT
The following steps describe how data moves through the ASA (see Figure4-10):
1. The user on the inside network requests a web page from www.example.com.
2. The ASA receives the packet and adds the source MAC address to the MAC address table, if
required. Because it is a new session, it verifies that the packet is allowed according to the terms of
the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to a unique interface.
3. The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10.
Because the mapped address is not on the same network as the outside interface, then be sure the
upstream router has a static route to the mapped network that points to the ASA.
4. The ASA then records that a session is established and forwards the packet from the outside
interface.
5. If the destination MAC address is in its table, the ASA forwards the packet out of the outside
interface. The destination MAC address is that of the upstream router, 10.1.2.1.
If the destination MAC address is not in the ASA table, the ASA attempts to discover the MAC
address by sending an ARP request and a ping. The first packet is dropped.
6. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
7. The ASA performs NAT by translating the mapped address to the real address, 10.1.2.27.
Management IP
10.1.2.2
www.example.com
10.1.2.1
Host
10.1.2.27
Internet
Source Addr Translation
209.165.201.1010.1.2.27
Static route on router
to 209.165.201.0/27
through security appliance
191243
Security
appliance