1.1.0/24, but they have been split into different
Layer 2 VLANs because all the devices in the diagram are connected to the same switch. The client workstations
and the inside interface of the Security Appliance are placed in VLAN 10, and the upstream router and the outside
interface are placed in VLAN 20. Note that if the clients and the devices on each side are connected to separate
switches, and those switches are not connected to each other in any way, the VLAN numbers can be the same, or
anything for that matter, because the switches are independent and do not interconnect.
Stateful Inspection
Every inbound packet is inspected against the adaptive security algorithm and the connection state information
to decide whether to allow or deny the packet. Like the PIX and ASA Security Appliance, a stateful firewall
checks the state of a packet as follows:
Is this a new connection?
If the arriving packet is part of a new connection, the Adaptive Security Algorithm checks the packet
against access lists and performs other routine tasks (such as route lookup) to determine whether the
packet is allowed or denied. The session management path is responsible for performing the following:
Perform the access list checks
Perform route lookups
Allocate NAT translations (xlate table)
Establish the session in the "fast path"
Packets are further passed to the control plane path to examine the payload for application-level (Layer 7)
inspection.
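The new-connection decision described above, as an added example: a simplified Python model written for this page, not Cisco's implementation. The class, its field names, the verdict strings, and the sample policy and packets are all assumptions; TCP flag tracking and Layer 7 inspection are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

@dataclass
class Firewall:  # hypothetical model of the session management path
    acl: list        # ordered (action, src_net, dst_net, dst_port) entries
    routes: dict     # destination network -> egress interface
    nat_pool: list   # free mapped addresses for new translations
    xlate: dict = field(default_factory=dict)  # real source IP -> mapped IP
    conns: set = field(default_factory=set)    # established flows, both directions

    def _acl_permits(self, src, dst, dport):
        for action, s_net, d_net, port in self.acl:
            if _in(src, s_net) and _in(dst, d_net) and port == dport:
                return action == "permit"
        return False  # implicit deny when no entry matches

    def _route(self, dst):  # first matching route (a real lookup is longest-prefix)
        return next((i for n, i in self.routes.items() if _in(dst, n)), None)

    def process(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key in self.conns:
            return "fast-path"  # existing connection: no ACL, route or NAT setup
        # New connection: session management path, in the order the text lists
        if not self._acl_permits(src, dst, dport):
            return "deny-acl"
        if self._route(dst) is None:
            return "deny-no-route"
        if src not in self.xlate:
            if not self.nat_pool:
                return "deny-no-xlate"
            self.xlate[src] = self.nat_pool.pop(0)
        self.conns.add(key)  # forward flow
        self.conns.add((proto, dst, dport, self.xlate[src], sport))  # expected reply
        return "session-created"

def demo():  # constructed sample policy and packets (documentation address ranges)
    fw = Firewall(acl=[("permit", "192.0.2.0/24", "0.0.0.0/0", 443)],
                  routes={"0.0.0.0/0": "outside"}, nat_pool=["203.0.113.10"])
    pkts = [("tcp", "192.0.2.5", 40000, "198.51.100.7", 443),     # new, permitted
            ("tcp", "192.0.2.5", 40000, "198.51.100.7", 443),     # same flow again
            ("tcp", "198.51.100.7", 443, "203.0.113.10", 40000),  # reply to mapped IP
            ("tcp", "198.51.100.7", 443, "203.0.113.10", 40001),  # unsolicited inbound
            ("tcp", "192.0.2.5", 40002, "198.51.100.7", 23),      # port not in ACL
            ("tcp", "192.0.2.6", 40000, "198.51.100.7", 443)]     # NAT pool exhausted
    return [fw.process(*p) for p in pkts]
```

Only the first packet of a flow pays for the ACL check, route lookup and translation; the reply is admitted because it matches the session entry, while an inbound packet that matches no session falls back to the ACL and is denied.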