https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281085#M594551 <P>Just confirming that if I allow a TCP conversation to originate on the Internal Interface, that the reply traffic will be allowed back thru the PIX, to the original sender? What CLI command enables this, or how can I tell this is true?</P><P></P><P>Now, with UDP, since it's connectionless, and there's no acknowlegement, return traffic does not exist, correct?</P><P></P><P>-alex</P> Fri, 21 Feb 2020 07:14:39 GMT abatson 2020-02-21T07:14:39Z https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281085#M594551 <P>Just confirming that if I allow a TCP conversation to originate on the Internal Interface, that the reply traffic will be allowed back thru the PIX, to the original sender? What CLI command enables this, or how can I tell this is true?</P><P></P><P>Now, with UDP, since it's connectionless, and there's no acknowlegement, return traffic does not exist, correct?</P><P></P><P>-alex</P> Fri, 21 Feb 2020 07:14:39 GMT https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281085#M594551 abatson 2020-02-21T07:14:39Z https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281086#M594554 <HTML><HEAD></HEAD><BODY><P>That is just the default nature of a pix. By default, all connections from high security to low security connections are allowing, and their return traffic is allowed back in. This is true for both tcp and udp. There is udp return traffic - most DNS requests and replies are UDP based</P></BODY></HTML> Mon, 16 Feb 2004 15:11:19 GMT https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281086#M594554 mostiguy 2004-02-16T15:11:19Z https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281087#M594557 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>By default there is no configuration changes to get the ASA working. You can check con connection state with the "show xlate command" and the "show connection" commands. Maybe this documnet will answer your questions....</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html#1008066" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html#1008066</A></P><P></P><P>Hope that helps.</P><P></P></BODY></HTML> Mon, 16 Feb 2004 15:14:03 GMT https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281087#M594557 mike-greene 2004-02-16T15:14:03Z https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281088#M594558 <HTML><HEAD></HEAD><BODY><P>Hello Alex,</P><P></P><P>As previous post suggestion, you can execute "show xlate" to verify that the translation is getting built up. To check if the return traffic is back and if the connection is completed, you can execute "show conn" and see the connection flag "U". U stands for up, so in case of TCP if 3-way handshake is established if the connection is established, you should see the flag U. Here is the flags of connection originating from inside -</P><P></P><P>Inside: Outside Flags </P><P>---------------------------------- </P><P> SYN --&gt; saA </P><P> &lt;-- SYN + ACK A </P><P> ACK --&gt; U </P><P> &lt;-- Data UI </P><P> Data --&gt; UIO </P><P> FIN --&gt; Uf </P><P> &lt;-- FIN + ACK UfFR </P><P> ACK --&gt; UfFRr </P><P></P><P>Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Mon, 16 Feb 2004 17:17:45 GMT https://community.cisco.com/t5/network-security/pix-rules-return-traffic/m-p/281088#M594558 mhoda 2004-02-16T17:17:45Z