https://community.cisco.com/t5/network-security/connection-cache/m-p/772269#M984549 <HTML><HEAD></HEAD><BODY><P>As far as i know the way to view the present state table is to do a "sh conn" on your FWSM. This will show you all the current connections the FWSM is keeping track of and if TCP connections the TCP flags. </P><P></P><P>Edit - sorrydidn't answer the first bit. The state table is how a stateful firewall keeps track of connections. So a simple example would </P><P></P><P>client on inside telnets to a server on outside. FWSM records the client IP address, the client port number, the destination IP address, the destination port number (which will be 23 in this case) and the TCP flag which for the initial packet will be a SYN flag.</P><P></P><P>When the server responds the TCP flag will be a SYN/ACK and because the firewall has an entry in it's state table for the corresponding SYN it will allow it through. </P><P></P><P>Note that if a server on the outside sent a SYN/ACK packet but there was no corresponding SYN packet in it's state table it would drop the packet.</P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Jul 2007 20:11:07 GMT Jon Marshall 2007-07-11T20:11:07Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772266#M984544 <P>Most servers are blocked by the access list. If a server is allowed to bypass the access list and a connection is created. Where does the connection cached in the FWSM?</P> Mon, 11 Mar 2019 10:43:35 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772266#M984544 nguyenvinht 2019-03-11T10:43:35Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772267#M984545 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>If i understand you correctly the FWSM will keep the connection record in it's state table for as long as the connection is active. </P><P></P><P>Is there something more specific you were looking for ? </P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Jul 2007 19:37:37 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772267#M984545 Jon Marshall 2007-07-11T19:37:37Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772268#M984547 <HTML><HEAD></HEAD><BODY><P>What is exactly in the state table? Is there a way I can view the state table? I have other questions after this but first I neeed to understand this step first. Thanks in advance for your reply.</P></BODY></HTML> Wed, 11 Jul 2007 20:03:35 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772268#M984547 nguyenvinht 2007-07-11T20:03:35Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772269#M984549 <HTML><HEAD></HEAD><BODY><P>As far as i know the way to view the present state table is to do a "sh conn" on your FWSM. This will show you all the current connections the FWSM is keeping track of and if TCP connections the TCP flags. </P><P></P><P>Edit - sorrydidn't answer the first bit. The state table is how a stateful firewall keeps track of connections. So a simple example would </P><P></P><P>client on inside telnets to a server on outside. FWSM records the client IP address, the client port number, the destination IP address, the destination port number (which will be 23 in this case) and the TCP flag which for the initial packet will be a SYN flag.</P><P></P><P>When the server responds the TCP flag will be a SYN/ACK and because the firewall has an entry in it's state table for the corresponding SYN it will allow it through. </P><P></P><P>Note that if a server on the outside sent a SYN/ACK packet but there was no corresponding SYN packet in it's state table it would drop the packet.</P><P></P><P>Jon</P></BODY></HTML> Wed, 11 Jul 2007 20:11:07 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772269#M984549 Jon Marshall 2007-07-11T20:11:07Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772270#M984551 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>If there is a connection from inside server 10.10.10.1 to outside server 20.20.20.1 on port 23. The traffic is flowing. The flow is recorded in the state table. What will happen if another connection is opened from server 10.10.10.1 to another outside server 30.30.30.1 by telnet or ftp? Now what is recorded in the state table? </P><P></P><P>Will these two statements recorded in the state table?</P><P>10.10.10.1-&gt;30.30.30.1 on port 23</P><P>10.10.10.1-&gt;20.20.20.1 on port 23</P><P></P><P>If this happen, does this kill the flow from 10.10.10.1 to 20.20.20.1?</P><P></P><P>Regards,</P><P></P></BODY></HTML> Wed, 11 Jul 2007 20:44:40 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772270#M984551 nguyenvinht 2007-07-11T20:44:40Z https://community.cisco.com/t5/network-security/connection-cache/m-p/772271#M984553 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>No it doesn't kill the flow because all the information is recorded in the state table. So in your example the destination address is different so it the 2 connections can be seen as separate int the state table. </P><P></P><P>But let's go one further</P><P></P><P>10.10.10.1 opens a telnet connection to 20.20.20.1. </P><P></P><P>10.10.10.1 open an ssh connection to 20.20.20.1.</P><P></P><P>Both these are also separate</P><P></P><P>10.10.10.1 -&gt; 20.20.20.1 23 </P><P>10.10.10.1 -&gt; 20.20.20.1 22</P><P></P><P>And one step further </P><P></P><P>10.10.10.1 opens a telnet connection to 20.20.20.1</P><P>10.10.10.1 opens another telnet connection to 20.20.20.1 </P><P></P><P>Again these are kept separate because although i haven't included them in the examples so far, the source port is also recorded so</P><P></P><P>10.10.10.1 2551 20.20.20.1 23 </P><P>10.10.10.1 2661 20.20.20.1 23 </P><P></P><P>Hope this makes sense</P><P></P><P>Jon</P></BODY></HTML> Thu, 12 Jul 2007 05:45:16 GMT https://community.cisco.com/t5/network-security/connection-cache/m-p/772271#M984553 Jon Marshall 2007-07-12T05:45:16Z