
The [ASA](/asa) uses a particular packet flow order of operations to process packets.  The process algorithm differs somewhat depending upon the version of the ASA.  The packet processing algorithm indicated here is for ASA versions 8.3 and later, and include the participation of the FirePOWER module, if used.

The following diagram describes the process:

![cisco-firepower-packet-flow.excalidraw](/attachments/excalidraw/cisco-firepower-packet-flow.excalidraw.svg)

The process takes place as follows:

-   **Step 1.** A packet is received on a given interface of the Cisco ASA. If a [VPN](/vpn) is configured, the packet is decrypted at this point. If ACL bypass is configured for VPN traffic, the Cisco ASA proceeds to step 5.
    
-   **Step 2.** The Cisco ASA checks to see if there is an existing connection for the source and destination hosts for that specific traffic. If there is an existing connection, the Cisco ASA bypasses the [ACL](/acl) checks and performs application inspection checks and proceeds to step 5.
    
-   **Step 3.** If there is no existing connection for that traffic, the Cisco ASA performs the [NAT](/network-address-translation-nat) checks (or untranslate process).
    
-   **Step 4.** The Cisco ASA allows or denies traffic based on the rules in the configured ACLs.
    
-   **Step 5.** If traffic is allowed, the Cisco ASA performs application inspection.
    
-   **Step 6.** The Cisco ASA forwards the packet to the Cisco ASA FirePOWER module. If promiscuous monitor-only mode is configured, only a copy of the packet is sent to the Cisco ASA FirePOWER module. If the Cisco ASA FirePOWER module is configured in inline mode, the packet is inspected and dropped if it does not conform to security policies. If the packet is compliant with security policies and Cisco ASA FirePOWER module protection capabilities, it is sent back to the ASA for processing.
    
-   **Step 7.** The Cisco ASA determines the egress interface based on NAT or Layer 3 routing.
    
-   **Step 8.** Layer 3 routing is performed.
    
-   **Step 9.** Layer 2 address lookup occurs.
    
-   **Step 10.** The packet is sent to the network.



For the slightly different packet processing algorithm of the ASA up to version 8.2 take a look at [this Cisco documentation](https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html). 


Links:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3020.pdf

https://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

ASA packet processing algorithm

ACL log update threshold

ACL logging matched packets

ACL wildcard mask

ACLs Filtering Locally Generated Traffic

ARP - Message Header and Payload

ARP - determining the next hop MAC address

ARP - promiscuous mode

ARP - what is Proxy ARP

ARP table default timeout

ARP table

ASA - ASDM Cipher security levels

ASA - ASDM

ASA - AnyConnect Management VPN Tunnel

ASA - Clientless VPN

ASA - Crypto key size for Version 9.16

ASA - IKE proposal parameters

ASA - RADIUS common password

ASA - Using FQDN in an ACL for VPN split tunnelling

ASA - VTI VPN and MSS

ASA - crypto hardware processing

ASA - emulating an ASA device

ASA - multiple AnyConnect packages

ASA - multiple VPNs between the same endpoints

ASA - number of crypto maps per interface

ASA - object group protocol vs service

ASA - split-tunnel-policy command

ASA - using FQDN in an ACL

ASA CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed error

ASA Contexts operate as separate virtual devices

ASA DDoS protection

ASA DMZ

ASA ECMP static routing

ASA Manual NAT and Auto NAT

ASA NAT control

ASA NAT port forwarding multiple ports to same IP

ASA NAT with DHCP assigned IP address on the  outside interface

ASA NAT with multiple inside subnets

ASA Site-to-Site IKEv1 IPSec VPN recv errors

ASA Static one to one NAT on a range of addresses

ASA Troubleshoot HTTP and ASDM access

ASA VPN with overlapping IP address spaces

ASA active-standby failover preemption

ASA and Firepower reimaging

ASA crypto map and tunnel group preshared keys

ASA group policies

ASA implicit rule

ASA limit CLI and ASDM access to specific users

ASA prerequisites for high availability

ASA redirect IP SLA messages to log buffer

ASA redundant interface

ASA security levels

ASA syslog logging in multiple context mode

ASA to Firepower migration

ASA troubleshooting IPSec

ASA tunnel-group

ASA understanding version numbers

ASA what triggers an active-standby failover

ASA won't respond to pings from different subnet

Anycast

Automation - Ansible connection plugins

BFD - intervals and timers

BFD - with multiple routing protocols

BFD echo mode and operation details

BFD how an administrative change differs from a failure

BFD one-arm echo

BGP - 4-byte ASN Backward Compatibility

BGP - AFI and SAFI

BGP - AS_Path filtering use cases

BGP - AS_SET and AS_CONFED_SET are deprecated

BGP - Accumulated IGP metric

BGP - Atomic Aggregate Attribute

BGP - Attributes and path selection

BGP - Autonomous System (AS)

BGP - Autonomous System Number

BGP - BGP Algorithm within confederations

BGP - Discontiguous Autonomous Systems

BGP - ECMP for specific prefixes

BGP - End-of-RIB marker

BGP - FSM - Active state

BGP - Finite State Machine (FSM)

BGP - Flowspec

BGP - Graceful Restart Mechanism

BGP - Handling Multiple Communities on a Single Route

BGP - IGP-BGP redistribution best practices

BGP - Labeled Unicast

BGP - Large BGP communities

BGP - Leaking more specific routes

BGP - Loop Prevention

BGP - MED vs AS Prepending

BGP - Multipath Attribute Prerequisites

BGP - Network Layer Reachability Information (NLRI)

BGP - Next Hop Address Tracking vs Route Dampening

BGP - Outbound Route Filtering

BGP - RRs vs confederations

BGP - Synchronization Rule

BGP - TCP Peering Session Process