How the "show conn" output must be read?

AndreaQuerci
Level 1

I want to see the sessions table from a PIX with Software Version 8.0(4). Following is one session seen using the "show conn" command (the IP addresses have been changed for security reasons):

134 in use, 3212 most used
TCP outside s10.102.128.89:8080 inside 10.109.43.12:20164, idle 0:00:03, bytes 2023, flags UfFrRIO

In this case, who is the source IP of the communication? The 10.102.128.89 or 10.109.43.12? From my side I think that the 10.120.128.89 is the starter of the communication, but it's strange for me seeing a source port 8080 and a destination port 2023. What do you think guys? It's just to be sure ahah..


Ajay Saini
Level 7

Hello,

Please follow the document for clarity:

https://community.cisco.com/t5/security-documents/asa-connection-flags-docx/ta-p/3109814?attachment-id=90161

This connection was initiated from inside to outside. For out-to-in connections, the flag B is used. The details are in the link attached.

Also, one way of identifying a TCP connection is to see the source and destination ports. Well-known ports are usually destination ports, hence this connection would have been initiated from host 10.109.43.12 source port 20164 to destination 10.102.128.89 on port TCP 8080.

Source ports are generally ephemeral ports (higher than 1023).

HTH
AJ
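The two tests the answer describes (the B flag for outside-initiated connections, and the ephemeral-port heuristic as a cross-check) can be applied mechanically when you have to triage a long "show conn" dump. The script below is an added example written for this thread, not code from the post or from Cisco. It parses the line format shown above, decides the initiator from the flags first and from the ports second, and reports whether the two agree. The flag letters and their meanings are the ones Cisco documents for ASA/PIX connection flags (the same letters the linked document explains); the parser assumes the interfaces are literally named "inside" and "outside", and the sample lines are constructed (the first mirrors the post's line without the stray "s" before the outside address, the second is an invented outside-initiated connection carrying B).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Flag letters as documented by Cisco for ASA/PIX "show conn" output (subset
# covering the letters seen in the post plus the "B" flag the answer mentions).
FLAG_MEANINGS = {
    "U": "up",
    "B": "initial SYN from outside",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# One connection line: "<proto> <if> <ip>:<port> <if> <ip>:<port>, idle h:mm:ss, bytes N, flags XYZ"
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass(frozen=True)
class Endpoint:
    interface: str
    ip: str
    port: int


@dataclass(frozen=True)
class Conn:
    proto: str
    a: Endpoint
    b: Endpoint
    idle_seconds: int
    bytes: int
    flags: str


def parse_conn(line: str) -> Conn:
    """Parse one 'show conn' line into its fields; raise ValueError if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    h, mi, s = (int(x) for x in m["idle"].split(":"))
    return Conn(
        proto=m["proto"],
        a=Endpoint(m["if_a"], m["ip_a"], int(m["port_a"])),
        b=Endpoint(m["if_b"], m["ip_b"], int(m["port_b"])),
        idle_seconds=h * 3600 + mi * 60 + s,
        bytes=int(m["bytes"]),
        flags=m["flags"],
    )


def initiator_by_flags(conn: Conn) -> Optional[Endpoint]:
    """Use the B flag (initial SYN from outside) to pick the initiating endpoint.

    Without B the connection was opened from the inside interface. Returns None
    when neither endpoint sits on an interface named inside/outside (assumed
    naming), so the caller falls back to the port heuristic.
    """
    wanted = "outside" if "B" in conn.flags else "inside"
    for ep in (conn.a, conn.b):
        if ep.interface.lower() == wanted:
            return ep
    return None


def initiator_by_ports(conn: Conn) -> Endpoint:
    """Heuristic from the answer: the side using an ephemeral port (>1023) is the client."""
    a_eph, b_eph = conn.a.port > 1023, conn.b.port > 1023
    if a_eph != b_eph:
        return conn.a if a_eph else conn.b
    # Both or neither ephemeral (as with 8080 vs 20164): treat the higher port as the client.
    return conn.a if conn.a.port >= conn.b.port else conn.b


def initiator(conn: Conn) -> Endpoint:
    """Prefer the authoritative flag, fall back to the port heuristic."""
    return initiator_by_flags(conn) or initiator_by_ports(conn)


def describe_flags(conn: Conn) -> List[str]:
    return [FLAG_MEANINGS.get(c, f"unknown flag {c!r}") for c in conn.flags]


# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    "TCP outside 10.102.128.89:8080 inside 10.109.43.12:20164, idle 0:00:03, bytes 2023, flags UfFrRIO",
    "TCP outside 203.0.113.5:51234 inside 10.109.43.12:443, idle 0:00:10, bytes 4096, flags UIOB",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = parse_conn(line)
        src = initiator(c)
        agree = initiator_by_ports(c) == src
        print(f"{src.ip}:{src.port} started the {c.proto} connection "
              f"(flags {c.flags}: {', '.join(describe_flags(c))}; port heuristic agrees: {agree})")
```

For the post's line the flags carry no B, so the inside host 10.109.43.12:20164 is reported as the initiator, and the port heuristic agrees because 8080 is the lower of the two ports. A mismatch between the two methods is itself worth a look: a connection with B set whose inside port is ephemeral is an outside host reaching an unexpected inside service.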
