Home > Articles > Introduction to and Design of Cisco ASA with FirePOWER Services

Introduction to and Design of Cisco ASA with FirePOWER Services

Chapter Description

In this chapter from Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP, authors Omar Santos, Panos Kampanakis, and Aaron Woland provide an introduction to the Cisco ASA with FirePOWER Services solution. It also provides design guidance and best practices for deploying Cisco ASA with FirePOWER Services.

Cisco ASA FirePOWER Packet Processing Order of Operations

When the Cisco ASA FirePOWER module is deployed, the Cisco ASA processes all ingress packets against access control lists (ACLs), connection tables, Network Address Translation (NAT), and application inspections before traffic is forwarded to the FirePOWER Services module. In order for the Cisco ASA to redirect packets to the Cisco ASA FirePOWER module, you need to configure redirection policies using the Cisco ASA Modular Policy Framework (MPF), as illustrated in Figure 2-14.

Figure 2-14

Figure 2-14 Cisco ASA MPF, Redirecting Traffic to the Cisco ASA FirePOWER Module

Figure 2-15 shows the Cisco ASA packet processing order of operations.

Figure 2-15

Figure 2-15 The Cisco ASA Packet Processing Order of Operations

The following steps are illustrated in Figure 2-15:

  • Step 1. A packet is received on a given interface of the Cisco ASA. If a VPN is configured, the packet is decrypted at this point. If ACL bypass is configured for VPN traffic, the Cisco ASA proceeds to step 5.

  • Step 2. The Cisco ASA checks to see if there is an existing connection for the source and destination hosts for that specific traffic. If there is an existing connection, the Cisco ASA bypasses the ACL checks and performs application inspection checks and proceeds to step 5.

  • Step 3. If there is no existing connection for that traffic, the Cisco ASA performs the NAT checks (or untranslate process).

  • Step 4. The Cisco ASA allows or denies traffic based on the rules in the configured ACLs.

  • Step 5. If traffic is allowed, the Cisco ASA performs application inspection.

  • Step 6. The Cisco ASA forwards the packet to the Cisco ASA FirePOWER module. If promiscuous monitor-only mode is configured, only a copy of the packet is sent to the Cisco ASA FirePOWER module. If the Cisco ASA FirePOWER module is configured in inline mode, the packet is inspected and dropped if it does not conform to security policies. If the packet is compliant with security policies and Cisco ASA FirePOWER module protection capabilities, it is sent back to the ASA for processing.

  • Step 7. The Cisco ASA determines the egress interface based on NAT or Layer 3 routing.

  • Step 8. Layer 3 routing is performed.

  • Step 9. Layer 2 address lookup occurs.

  • Step 10. The packet is sent to the network.

Figure 2-16 shows the packet flow in the Cisco ASA 5585-X.

Figure 2-16

Figure 2-16 The Packet Flow in the Cisco ASA 5585-X

In Cisco ASA 5585-X appliances, the SSP running Cisco ASA software processes all ingress and egress packets. No packets are directly processed by the Cisco ASA FirePOWER module (SSP) except for the Cisco ASA FirePOWER module management port.

8. Cisco ASA FirePOWER Services and Failover | Next Section Previous Section

There are currently no related articles. Please check back later.