Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide (page 9-2)
Chapter 9      Getting Started with Application Layer Protocol Inspection
  Information about Application Layer Protocol Inspection
Figure 9-1      How Inspection Engines Work
In Figure 9-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the ACL database to determine if the connection is permitted.
3. The ASA creates a new entry in the connection database (XLATE and CONN tables).
4. The ASA checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the ASA forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The ASA receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.
The default configuration of the ASA includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required.
When to Use Application Protocol Inspection
When a user establishes a connection, the ASA checks the packet against ACLs, creates an address translation, and creates an entry for the session in the fast path, so that further packets of that session can bypass the time-consuming checks. However, the fast path relies on predictable port numbers and does not translate addresses that are carried inside the packet payload.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers for these secondary connections; because no ACL entry or connection entry exists for a negotiated port, the fast path alone would drop the secondary connection.
Other applications embed an IP address in the packet payload that must match the source address the ASA normally translates as the packet passes through; without inspection the peer receives the untranslated address.
If you use applications like these, then you need to enable application inspection.
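The following is an added example, not code from the configuration guide or from Cisco: a deliberately small Python model of the new-connection flow in Figure 9-1 (ACL check, XLATE, CONN, inspection lookup, fast-path handling of the reply) combined with the two cases above, using FTP passive mode as the protocol that both negotiates a secondary port and embeds an IP address. The addresses, the static NAT mapping, the table layout and the engine are this model's own assumptions; it shows what changes when the inspection engine is present and what is dropped when it is not.

```python
"""
Model of the Figure 9-1 flow plus an FTP PASV fix-up. Example code written
for this page, not the ASA implementation; scenario and tables are assumptions.
"""
import re
from dataclasses import dataclass, field, replace

# Constructed scenario (assumption): an inside FTP server 10.1.1.5 is published
# as 203.0.113.5 by static NAT; an outside client 198.51.100.7 connects to it.
STATIC_NAT = {"203.0.113.5": "10.1.1.5"}            # mapped -> real (XLATE)
REAL_TO_MAPPED = {real: mapped for mapped, real in STATIC_NAT.items()}

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": data port = p1*256 + p2
PASV_RE = re.compile(rb"227 [^(\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False          # True for the TCP SYN that opens a connection
    payload: bytes = b""


@dataclass
class ASA:
    acl: list                                          # (dst_real_ip, dport, action)
    inspections: dict = field(default_factory=dict)   # server port -> engine
    conn: set = field(default_factory=set)            # (client, cport, server_real, sport)
    pinholes: set = field(default_factory=set)        # (client, server_real, sport)

    def acl_permits(self, dst, dport):
        for rule_dst, rule_port, action in self.acl:  # first matching rule wins
            if rule_dst in (dst, "any") and rule_port in (dport, "any"):
                return action == "permit"
        return False                                   # implicit deny at the end

    def inbound(self, pkt):
        """Client -> server (steps 1-5): ACL, XLATE, CONN, inspection lookup."""
        real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)    # XLATE: untranslate the destination
        key = (pkt.src, pkt.sport, real_dst, pkt.dport)
        if key in self.conn:                           # established session: fast path
            return replace(pkt, dst=real_dst)
        if not pkt.syn:
            return None                                # no SYN and no conn entry: drop
        pinhole = (pkt.src, real_dst, pkt.dport)
        if pinhole in self.pinholes:                   # secondary channel opened by an engine
            self.pinholes.discard(pinhole)
        elif not self.acl_permits(real_dst, pkt.dport):  # step 2: ACL check on the real address
            return None
        self.conn.add(key)                             # step 3: CONN entry
        return replace(pkt, dst=real_dst)              # step 5: forward

    def outbound(self, pkt):
        """Server -> client (steps 6-7): must match a conn; the engine may rewrite it."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.conn:
            return None
        engine = self.inspections.get(pkt.sport)       # step 4 result, applied to this session
        if engine is not None:
            pkt = engine(self, pkt)
        return replace(pkt, src=REAL_TO_MAPPED.get(pkt.src, pkt.src))


def ftp_inspect(asa, pkt):
    """Model FTP engine: on a PASV reply, open the negotiated data port and
    rewrite the embedded real address to the mapped one."""
    m = PASV_RE.search(pkt.payload)
    if m is None:
        return pkt
    real_octets = b",".join(m.group(1, 2, 3, 4))
    real_ip = real_octets.replace(b",", b".").decode()
    data_port = int(m.group(5)) * 256 + int(m.group(6))
    asa.pinholes.add((pkt.dst, real_ip, data_port))    # client -> server:data_port
    mapped = REAL_TO_MAPPED.get(real_ip, real_ip)
    fixed = pkt.payload.replace(real_octets, mapped.replace(".", ",").encode(), 1)
    return replace(pkt, payload=fixed)


def run_scenario(inspect=True):
    """Walk an FTP control connection and its PASV data connection through the model."""
    asa = ASA(acl=[("10.1.1.5", 21, "permit")],
              inspections={21: ftp_inspect} if inspect else {})
    fwd = asa.inbound(Packet("198.51.100.7", "203.0.113.5", 40001, 21, syn=True))
    reply = asa.outbound(Packet("10.1.1.5", "198.51.100.7", 21, 40001,
                                payload=b"227 Entering Passive Mode (10,1,1,5,195,80)\r\n"))
    data = asa.inbound(Packet("198.51.100.7", "203.0.113.5", 40002, 195 * 256 + 80, syn=True))
    stray = asa.inbound(Packet("198.51.100.7", "203.0.113.5", 40003, 50001, syn=True))
    return {"control_dst": fwd.dst, "reply_src": reply.src, "reply_payload": reply.payload,
            "data_conn_open": data is not None, "stray_dropped": stray is None}


if __name__ == "__main__":
    for flag in (True, False):
        print("inspection", flag, run_scenario(flag))
```

With inspection enabled the PASV reply leaves with the mapped address 203,0,113,5 and the client's SYN to port 50000 is accepted through the pinhole even though no ACL entry covers that port; with inspection disabled the reply still carries the inside address 10,1,1,5 and the data SYN is dropped by the implicit deny, which is exactly the failure the text describes for the fast path alone.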
[Figure 9-1, diagram not reproduced: Client, ASA (ACL, XLATE, CONN, Inspection tables), Server; operations numbered 1 through 7 as listed above.]