Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the adaptive security appliance does not need to re-check
packets; most matching packets can go through the “fast” path in both directions. The fast path is
responsible for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the adaptive security appliance creates connection state
information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
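The path selection described above can be modeled in a few lines. This is an added example, not Cisco code and not part of the guide: it shows why return traffic for an established session is not re-checked against the access list while an unsolicited packet is dropped. The class name, ACL layout, addresses and port sets are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: (action, source network, destination port).
ACL = [("permit", "10.0.0.0/8", 21),
       ("permit", "10.0.0.0/8", 80),
       ("permit", "10.0.0.0/8", 443)]
L7_CONTROL_PORTS = {21}    # assumption: FTP control channel gets Layer 7 inspection
HTTP_FILTER_PORTS = {80}   # assumption: HTTP inspection/content filtering is enabled


class PathModel:
    """Toy model of the session management, fast and control plane paths."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = {}   # flow 5-tuple -> service port, one entry per direction

    def _acl_permits(self, src, dport):
        for action, net, port in self.acl:
            if ip_address(src) in ip_network(net) and dport == port:
                return action == "permit"
        return False         # implicit deny when no rule matches

    def classify(self, proto, src, sport, dst, dport):
        """Return the path taken by one packet, or 'drop'."""
        flow = (proto, src, sport, dst, dport)
        if flow not in self.sessions:
            # New connection: access list check, then create state so that
            # later packets in both directions match the session lookup.
            if not self._acl_permits(src, dport):
                return "drop"
            self.sessions[flow] = dport
            self.sessions[(proto, dst, dport, src, sport)] = dport
            return "session-management"
        service = self.sessions[flow]
        if service in L7_CONTROL_PORTS:
            return "control-plane"       # control packets of an inspected protocol
        if service in HTTP_FILTER_PORTS:
            return "session-management"  # HTTP that needs inspection or filtering
        return "fast-path"               # established, no further ACL check
```

The model omits NAT, route lookup and TCP sequence checks; it only tracks which path a packet would take.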
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The adaptive security appliance uses tunneling
protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or
receive them through the tunnel, and unencapsulate them. The adaptive security appliance functions as
a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other
end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive
encapsulated packets, unencapsulate them, and send them to their final destination. The adaptive security
appliance invokes various standard protocols to accomplish these functions.
The adaptive security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys