PIX rules & return traffic...

abatson
Level 1

Just confirming that if I allow a TCP conversation to originate on the Internal Interface, the reply traffic will be allowed back through the PIX to the original sender? What CLI command enables this, or how can I tell this is true?

Now, with UDP, since it's connectionless and there's no acknowledgement, return traffic does not exist, correct?

-alex

3 Replies

mostiguy
Level 6

That is just the default nature of a PIX. By default, all connections from a high-security to a low-security interface are allowed, and their return traffic is allowed back in. This is true for both TCP and UDP. There is UDP return traffic: most DNS requests and replies are UDP based.

mike-greene
Level 4

Hi,

By default there are no configuration changes needed to get the ASA working. You can check connection state with the "show xlate" and "show connection" commands. Maybe this document will answer your questions...

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html#1008066

Hope that helps.

Hello Alex,

As the previous post suggested, you can execute "show xlate" to verify that the translation is getting built up. To check if the return traffic is coming back and if the connection is completed, you can execute "show conn" and look at the connection flag "U". U stands for up, so in the case of TCP, once the 3-way handshake is complete and the connection is established, you should see the flag U. Here are the flags of a connection originating from inside:

Inside          Outside         Flags
--------------------------------------
SYN      -->                    saA
         <--    SYN + ACK       A
ACK      -->                    U
         <--    Data            UI
Data     -->                    UIO
FIN      -->                    Uf
         <--    FIN + ACK       UfFR
ACK      -->                    UfFRr

Thanks,

Mynul
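The two behaviours discussed in this thread, the stateful "inside-initiated flows are allowed and their return traffic let back in, for TCP and UDP alike" rule from mostiguy's reply and the connection-flag progression in Mynul's table, can be illustrated with a small connection tracker. The code below is an added example written for this page; it is not Cisco code and does not reproduce PIX/ASA internals. The Packet structure, the endpoints and the flag-update rules are simplified assumptions. One deliberate simplification: flags accumulate in this model, so once data has flowed the teardown rows read UIOf, UIOfFR and UIOfFRr rather than the abbreviated Uf, UfFR, UfFRr in the table above.

```python
"""Toy stateful connection tracker modelled on the PIX behaviour described in
the thread: flows started from the inside (high security) interface are allowed
out and their return traffic allowed back in; unsolicited packets arriving from
the outside are dropped. For TCP, 'show conn'-style flags are tracked in the
order of Mynul's table. Added example, not Cisco code; formats are assumptions."""
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"
FLAG_ORDER = "saAUIOfFRr"   # display order matching the table in the reply


@dataclass(frozen=True)
class Packet:
    src_if: str                   # interface the packet arrived on
    src: tuple                    # (ip, port)
    dst: tuple                    # (ip, port)
    proto: str                    # "tcp" or "udp"
    tcp: frozenset = frozenset()  # TCP control bits, e.g. {"SYN", "ACK"}
    data: int = 0                 # payload bytes (0 for pure control segments)


class StatefulFirewall:
    """Connection table keyed by (proto, inside endpoint, outside endpoint)."""

    def __init__(self):
        self.conns = {}   # key -> set of flag letters

    @staticmethod
    def _key(pkt):
        # Normalise so both directions of a flow map to the same entry.
        if pkt.src_if == INSIDE:
            return (pkt.proto, pkt.src, pkt.dst)
        return (pkt.proto, pkt.dst, pkt.src)

    def flags(self, proto, inside_ep, outside_ep):
        """Return the flag string for a flow, or None if no entry exists."""
        letters = self.conns.get((proto, inside_ep, outside_ep))
        if letters is None:
            return None
        return "".join(c for c in FLAG_ORDER if c in letters)

    def process(self, pkt):
        """Return 'ALLOW' or 'DROP' and update the connection table."""
        key = self._key(pkt)
        letters = self.conns.get(key)
        if letters is None:
            # No entry: only the inside may open a flow, and TCP must start with SYN.
            if pkt.src_if != INSIDE:
                return "DROP"
            if pkt.proto == "tcp":
                if pkt.tcp != {"SYN"}:
                    return "DROP"
                self.conns[key] = {"s", "a", "A"}   # SYN sent, awaiting SYN-ACK
            else:
                self.conns[key] = set()             # UDP: no handshake, just a pinhole
            return "ALLOW"
        if pkt.proto == "tcp":
            self._update_tcp(letters, pkt)
        return "ALLOW"

    @staticmethod
    def _update_tcp(letters, pkt):
        # Simplified reading of the table: s/a = SYN and SYN-ACK pending, A = awaiting
        # final ACK, U = up, I/O = inbound/outbound data seen, f/F = FIN from
        # inside/outside, r/R = that FIN acknowledged by the other side (assumption).
        outbound = pkt.src_if == INSIDE
        if {"s", "a"} <= letters and not outbound and pkt.tcp == {"SYN", "ACK"}:
            letters -= {"s", "a"}                       # -> A
        elif letters == {"A"} and outbound and pkt.tcp == {"ACK"}:
            letters.remove("A"); letters.add("U")       # handshake complete -> U
        elif "U" in letters:
            if pkt.data > 0:
                letters.add("O" if outbound else "I")
            if "FIN" in pkt.tcp:
                if outbound:
                    letters.add("f")
                else:
                    letters.add("F")
                    if "f" in letters:
                        letters.add("R")                # outside ACKs inside FIN
            elif outbound and "F" in letters and "ACK" in pkt.tcp:
                letters.add("r")                        # inside ACKs outside FIN


def demo():
    """Replay the TCP exchange from the table and return the flags after each packet."""
    fw = StatefulFirewall()
    inside_ep, outside_ep = ("10.0.0.5", 40001), ("203.0.113.10", 80)   # constructed
    def out(tcp, data=0):
        return Packet(INSIDE, inside_ep, outside_ep, "tcp", frozenset(tcp), data)
    def back(tcp, data=0):
        return Packet(OUTSIDE, outside_ep, inside_ep, "tcp", frozenset(tcp), data)
    seq = []
    for pkt in [out({"SYN"}), back({"SYN", "ACK"}), out({"ACK"}), back({"ACK"}, 100),
                out({"ACK"}, 50), out({"FIN", "ACK"}), back({"FIN", "ACK"}), out({"ACK"})]:
        assert fw.process(pkt) == "ALLOW"   # every packet of an inside-initiated flow passes
        seq.append(fw.flags("tcp", inside_ep, outside_ep))
    return seq


def udp_demo():
    """UDP pinhole: a DNS query out opens state, its reply is let in, strays are dropped."""
    fw = StatefulFirewall()
    client, dns, stray = ("10.0.0.5", 53000), ("198.51.100.2", 53), ("198.51.100.9", 53)
    return (fw.process(Packet(OUTSIDE, stray, client, "udp")),            # DROP: no state yet
            fw.process(Packet(INSIDE, client, dns, "udp", data=40)),      # ALLOW: opens pinhole
            fw.process(Packet(OUTSIDE, dns, client, "udp", data=120)),    # ALLOW: matching reply
            fw.process(Packet(OUTSIDE, stray, client, "udp")))            # DROP: still unsolicited


if __name__ == "__main__":
    print(demo())
    print(udp_demo())
```

Running the script prints the flag sequence saA, A, U, UI, UIO, UIOf, UIOfFR, UIOfFRr for the TCP flow and DROP, ALLOW, ALLOW, DROP for the UDP case, which is the point of both replies: the firewall keeps state for the inside-initiated flow and uses it to admit only the matching return traffic.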
