SlideShare uma empresa Scribd logo

Asa packet-flow-00

V
vinaydewangan11
1 de 4
Baixar para ler offline
Packet Flow through Cisco ASA Firewall Document ID: 113396 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Cisco ASA Packet Process Algorithm Explanation on NAT Show Commands Syslog Messages Related Information Introduction This document describes the packet flow through a Cisco ASA firewall. It shows how the internal packet processing procedure of the Cisco ASA works. It also discusses the different possibilities where the packet could be dropped and different situations where the packet progresses ahead. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: • Cisco ASA 5500 Series Adaptive Security Appliances Components Used The information in this document is based on these software and hardware versions: • Cisco ASA 5500 series Adaptive Security Appliances running software version 8.0 and later Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Background Information The interface that receives the packet is called the ingress interface and the interface through which the packet exits is called the egress interface. When referring to the packet flow through any device, it can be easily simplified by looking at the task in terms of these two interfaces. Here is a sample scenario:
When an inside user (192.168.10.5) attempts to access a web server in the DMZ network (172.16.10.5), the packet flow looks like this: • Source address − 192.168.10.5 • Source port − 22966 • Destination address − 172.16.10.5 • Destination port − 8080 • Ingress interface − Inside • Egress interface − DMZ • Protocol used − TCP By determining the details of the packet flow as described here, it is easy to isolate the issue to this specific connection entry. Cisco ASA Packet Process Algorithm Here is a diagram of how the Cisco ASA processes the packet that it receives: Here are the individual steps in detail: 1. Packet is reached at the ingress interface. 2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one. 3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access−control list (ACL) check is bypassed, and the packet is moved forward. If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged. 4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.
5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged. 6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built−in inspection engine that inspects each connection as per its pre−defined set of application−level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged. Additional Security−Checks will be implemented if a CSC module is involved. 7. The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP−SSM for IPS related security checks, when the AIP module is involved. 8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup. 9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority. 10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage. 11. The packet is transmitted on wire, and Interface counters increment on the egress interface. Explanation on NAT Refer to these documents for more details on the order of NAT operation: • Cisco ASA Software versions prior to 8.2 • Cisco ASA Software versions after 8.3 Show Commands Here are some useful commands that help in tracking the packet flow details at different stages of processing: • Show interface • Show conn • Show access−list • Show xlate • Show service−policy inspect • Show run static • Show run nat • Show run global • Show run global • Show nat • Show route • Show arp Syslog Messages Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference: • Syslog message when there is no connection entry: %ASA−6−106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
• Syslog message when the packet is denied by an access−list: %ASA−4−106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port by access_group acl_ID • Syslog message when there is no translation rule is found: %ASA−3−305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name: dest_address/dest_port • Syslog message when a packet is denied by Security Inspection: %ASA−4−405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP • Syslog message when there is no route information: %ASA−6−110003: Routing failed to locate next−hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port For a complete list of all syslog messages generated by Cisco ASA along with a brief explanation, refer to the Cisco ASA log messages guide. Related Information • Cisco ASA Support Page • Cisco ASA 5500 Series Command Reference, 8.2 • Cisco ASA 5500 Series Configuration Guide, 8.3 • Technical Support & Documentation − Cisco Systems Contacts & Feedback | Help | Site Map © 2011 − 2012 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems, Inc. Updated: Jan 19, 2012 Document ID: 113396

Recomendados

MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
Shahzaib Mahesar
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)
Netwax Lab
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
APNIC
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
Kashif Latif
 
VLAN Trunking Protocol
VLAN Trunking ProtocolVLAN Trunking Protocol
VLAN Trunking Protocol
Netwax Lab
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)
RaghulR21
 
Cisco asa active,active failover configuration
Cisco asa active,active failover configurationCisco asa active,active failover configuration
Cisco asa active,active failover configuration
IT Tech
 
VTP
VTPVTP
VTP
Haidar-Mohammed
 

Recomendados

MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
Shahzaib Mahesar
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)
Netwax Lab
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
APNIC
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
Kashif Latif
 
VLAN Trunking Protocol
VLAN Trunking ProtocolVLAN Trunking Protocol
VLAN Trunking Protocol
Netwax Lab
 
Spanning tree protocol (stp)
Spanning tree protocol (stp)Spanning tree protocol (stp)
Spanning tree protocol (stp)
RaghulR21
 
Cisco asa active,active failover configuration
Cisco asa active,active failover configurationCisco asa active,active failover configuration
Cisco asa active,active failover configuration
IT Tech
 
VTP
VTPVTP
VTP
Haidar-Mohammed
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
APNIC
 
Mpls technology
Mpls technologyMpls technology
Mpls technology
Naveen Sihag
 
Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN)Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN)
KHNOG
 
Bgp
BgpBgp
Bgp
Febrian ‎
 
VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)
Netwax Lab
 
Hot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) usingHot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) using
ShubhiGupta94
 
CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6
Chaing Ravuth
 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
ThousandEyes
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muuluu
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
Edgardo Scrimaglia
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
Smriti Tikoo
 
Routing
RoutingRouting
Routing
Saima Azam
 
MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
Vipin Sahu
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
KwonSun Bae
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44
Jisc
 
MPLS
MPLSMPLS
MPLS
Elyes Naouar
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
kriz5
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
KHNOG
 
Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
Kasper de Waard
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
Cisco Russia
 

Mais conteúdo relacionado

Mais procurados

VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)
Netwax Lab
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muuluu
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 

Mais procurados (20)

Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
 
Mpls technology
Mpls technologyMpls technology
Mpls technology
 
Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN)Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN)
 
Bgp
BgpBgp
Bgp
 
VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)VRRP (virtual router redundancy protocol)
VRRP (virtual router redundancy protocol)
 
Hot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) usingHot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) using
 
CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6
 
How BGP Works
How BGP WorksHow BGP Works
How BGP Works
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
 
Routing
RoutingRouting
Routing
 
MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)MPLS (Multi-Protocol Label Switching)
MPLS (Multi-Protocol Label Switching)
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44
 
MPLS
MPLSMPLS
MPLS
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
 

Destaque

Destaque (7)

Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
IPSec_VPN_Final_
IPSec_VPN_Final_IPSec_VPN_Final_
IPSec_VPN_Final_
 
Simple IPv4_Subnetting
Simple IPv4_SubnettingSimple IPv4_Subnetting
Simple IPv4_Subnetting
 
I pv4 subnetting
I pv4 subnettingI pv4 subnetting
I pv4 subnetting
 
NAT in ASA Firewall
NAT in ASA Firewall NAT in ASA Firewall
NAT in ASA Firewall
 

Semelhante a Asa packet-flow-00

Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Frank Brockners
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
Cisco Security
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
Admin621695
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
EC-Council
 

Semelhante a Asa packet-flow-00 (20)

Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routers
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
 
5 ip security ipsec gre
5 ip security ipsec gre5 ip security ipsec gre
5 ip security ipsec gre
 
F5 tcpdump
F5 tcpdumpF5 tcpdump
F5 tcpdump
 
5 ip security dataplace security
5 ip security dataplace security5 ip security dataplace security
5 ip security dataplace security
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
As rbook
As rbookAs rbook
As rbook
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptx
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
CCNA 2
CCNA 2 CCNA 2
CCNA 2
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Conns connlimits
Conns connlimitsConns connlimits
Conns connlimits
 
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)
 

Asa packet-flow-00

  • 1. Packet Flow through Cisco ASA Firewall Document ID: 113396 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Cisco ASA Packet Process Algorithm Explanation on NAT Show Commands Syslog Messages Related Information Introduction This document describes the packet flow through a Cisco ASA firewall. It shows how the internal packet processing procedure of the Cisco ASA works. It also discusses the different possibilities where the packet could be dropped and different situations where the packet progresses ahead. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: • Cisco ASA 5500 Series Adaptive Security Appliances Components Used The information in this document is based on these software and hardware versions: • Cisco ASA 5500 series Adaptive Security Appliances running software version 8.0 and later Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Background Information The interface that receives the packet is called the ingress interface and the interface through which the packet exits is called the egress interface. When referring to the packet flow through any device, it can be easily simplified by looking at the task in terms of these two interfaces. Here is a sample scenario:
  • 2. When an inside user (192.168.10.5) attempts to access a web server in the DMZ network (172.16.10.5), the packet flow looks like this: • Source address − 192.168.10.5 • Source port − 22966 • Destination address − 172.16.10.5 • Destination port − 8080 • Ingress interface − Inside • Egress interface − DMZ • Protocol used − TCP By determining the details of the packet flow as described here, it is easy to isolate the issue to this specific connection entry. Cisco ASA Packet Process Algorithm Here is a diagram of how the Cisco ASA processes the packet that it receives: Here are the individual steps in detail: 1. Packet is reached at the ingress interface. 2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one. 3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access−control list (ACL) check is bypassed, and the packet is moved forward. If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged. 4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.
  • 3. 5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged. 6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built−in inspection engine that inspects each connection as per its pre−defined set of application−level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged. Additional Security−Checks will be implemented if a CSC module is involved. 7. The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP−SSM for IPS related security checks, when the AIP module is involved. 8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup. 9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority. 10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage. 11. The packet is transmitted on wire, and Interface counters increment on the egress interface. Explanation on NAT Refer to these documents for more details on the order of NAT operation: • Cisco ASA Software versions prior to 8.2 • Cisco ASA Software versions after 8.3 Show Commands Here are some useful commands that help in tracking the packet flow details at different stages of processing: • Show interface • Show conn • Show access−list • Show xlate • Show service−policy inspect • Show run static • Show run nat • Show run global • Show run global • Show nat • Show route • Show arp Syslog Messages Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference: • Syslog message when there is no connection entry: %ASA−6−106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
  • 4. • Syslog message when the packet is denied by an access−list: %ASA−4−106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port by access_group acl_ID • Syslog message when there is no translation rule is found: %ASA−3−305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name: dest_address/dest_port • Syslog message when a packet is denied by Security Inspection: %ASA−4−405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP • Syslog message when there is no route information: %ASA−6−110003: Routing failed to locate next−hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port For a complete list of all syslog messages generated by Cisco ASA along with a brief explanation, refer to the Cisco ASA log messages guide. Related Information • Cisco ASA Support Page • Cisco ASA 5500 Series Command Reference, 8.2 • Cisco ASA 5500 Series Configuration Guide, 8.3 • Technical Support & Documentation − Cisco Systems Contacts & Feedback | Help | Site Map © 2011 − 2012 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems, Inc. Updated: Jan 19, 2012 Document ID: 113396