Cisco ASA Series CLI Configuration Manual page 152

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring the Transparent or Routed Firewall (page 1-16)

Firewall Mode Examples

An Outside User Visits a Web Server on the DMZ

Figure 1-4 shows an outside user accessing the DMZ web server.

Figure 1-4: Outside to DMZ

The following steps describe how data moves through the ASA (see Figure 1-4):

1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The ASA receives the packet and untranslates the destination address to the local address 10.1.1.3.
3. Because it is a new session, the ASA verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the ASA first classifies the packet to a context.
4. The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the ASA and because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by translating the local source address to 209.165.201.3.
6. The ASA forwards the packet to the outside user.
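The six steps above, modeled as a small Python simulation. This is an added illustration, not Cisco code and not part of the guide. The interface names, the client address 198.51.100.10, the port numbers and the single permit rule are assumptions; only 209.165.201.3 and 10.1.1.3 come from the page.

```python
from dataclasses import dataclass, replace

GLOBAL_IP, LOCAL_IP = "209.165.201.3", "10.1.1.3"  # addresses from the steps above
UNTRANSLATE = {GLOBAL_IP: LOCAL_IP}                # static NAT, global -> local
TRANSLATE = {LOCAL_IP: GLOBAL_IP}                  # same rule, local -> global
# Assumed rule (none on the page); keyed on the local address since step 2 precedes step 3.
ACL_OUTSIDE_IN = {("tcp", LOCAL_IP, 80)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class AsaModel:
    def __init__(self):
        self.sessions = set()  # established flows, keyed on local addresses
        self.path = []         # which path each packet took, for inspection

    def process(self, ingress, p):
        """Return (egress_interface, packet), or None when the packet is dropped."""
        if ingress == "outside":
            p = replace(p, dst=UNTRANSLATE.get(p.dst, p.dst))       # step 2
            flow = (p.proto, p.src, p.sport, p.dst, p.dport)
            if flow in self.sessions:
                self.path.append("fast")         # established: no policy lookup
            elif (p.proto, p.dst, p.dport) in ACL_OUTSIDE_IN:       # step 3
                self.sessions.add(flow)                             # step 4
                self.path.append("new-session")
            else:
                self.path.append("drop")
                return None
            return "dmz", p
        # Simplification: from the DMZ side only replies to existing sessions pass.
        flow = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow not in self.sessions:
            self.path.append("drop")
            return None
        self.path.append("fast")                                    # step 5
        return "outside", replace(p, src=TRANSLATE.get(p.src, p.src))  # steps 5-6

def demo():
    fw = AsaModel()
    client = "198.51.100.10"  # constructed outside user address
    request = fw.process("outside", Packet("tcp", client, 40000, GLOBAL_IP, 80))
    reply = fw.process("dmz", Packet("tcp", LOCAL_IP, 80, client, 40000))
    blocked = fw.process("outside", Packet("tcp", client, 40001, GLOBAL_IP, 22))
    return request, reply, blocked, fw.path
```

The request is checked against the policy once and creates the session entry; the reply matches that entry, skips the policy lookup, and leaves with its source rewritten to the global address.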
