02-16-2004 05:44 AM - edited 02-20-2020 11:14 PM
Just confirming that if I allow a TCP conversation to originate on the Internal Interface, the reply traffic will be allowed back through the PIX to the original sender? What CLI command enables this, or how can I tell this is true?
Now, with UDP, since it's connectionless and there's no acknowledgement, return traffic does not exist, correct?
-alex
02-16-2004 07:11 AM
That is just the default nature of a PIX. By default, all connections from high security to low security are allowed, and their return traffic is allowed back in. This is true for both TCP and UDP. There is UDP return traffic; most DNS requests and replies are UDP based.
02-16-2004 07:14 AM
Hi,
By default no configuration changes are needed to get the ASA working. You can check connection state with the "show xlate" command and the "show connection" command. Maybe this document will answer your questions....
Hope that helps.
02-16-2004 09:17 AM
Hello Alex,
As the previous post suggested, you can execute "show xlate" to verify that the translation is getting built up. To check whether the return traffic comes back and the connection is completed, you can execute "show conn" and look at the connection flag "U". U stands for up, so in the case of TCP, if the 3-way handshake is established, you should see the flag U. Here are the flags of a connection originating from inside:

Inside              Outside            Flags
-----------------------------------------------
SYN -->                                saA
                <-- SYN + ACK          A
ACK -->                                U
                <-- Data               UI
Data -->                               UIO
FIN -->                                Uf
                <-- FIN + ACK          UfFR
ACK -->                                UfFRr
Thanks,
Mynul
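As an added example (not part of the original thread and not Cisco code), here is a small Python parser that reads PIX 6.x style "show conn" lines, expands the flag letters using the PIX/ASA "show conn" flag legend, and picks out TCP entries that never reached "U" (half-open connections stuck at saA). The line format, the flag legend and the sample output below are assumptions; the sample is constructed with documentation-range addresses, not a real capture.

```python
"""Decode PIX/ASA 'show conn' TCP flag strings and spot half-open connections.

Added example, not part of the original thread or any Cisco software.  The
flag legend follows the PIX/ASA 'show conn' documentation as assumed here; the
sample output at the bottom is constructed.
"""
import re

# Single-letter flag legend as printed by 'show conn' (assumed from the
# PIX/ASA documentation; only the TCP state letters are covered).
FLAG_MEANINGS = {
    "U": "up (three-way handshake completed)",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# Assumed PIX 6.x style 'show conn' line, e.g.
#   TCP out 198.51.100.20:80 in 10.1.1.5:34567 idle 0:00:02 Bytes 1234 flags UIO
# UDP entries carry no flag string, so the 'flags' group is optional.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<outside>\S+)\s+in\s+(?P<inside>\S+)"
    r"\s+idle\s+(?P<idle>\S+)\s+[Bb]ytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)


def parse_conn_line(line):
    """Return a dict for one 'show conn' entry, or None if the line is not one."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    entry["flags"] = entry["flags"] or ""
    return entry


def describe_flags(flags):
    """Expand a flag string such as 'saA' into its human-readable meanings."""
    return [FLAG_MEANINGS.get(c, "unknown flag %r" % c) for c in flags]


def classify(proto, flags):
    """Coarse state of one entry.

    'established' - handshake complete (U) and no FIN yet
    'closing'     - U plus a FIN from either side
    'embryonic'   - TCP SYN seen but no U yet (half-open)
    'udp'         - UDP pseudo-connection, kept alive only by its idle timer
    """
    if proto == "UDP":
        return "udp"
    if "U" in flags:
        return "closing" if ("f" in flags or "F" in flags) else "established"
    if any(c in flags for c in "sSaA"):
        return "embryonic"
    return "unknown"


def find_embryonic(lines):
    """Return inside endpoints of TCP entries whose handshake never completed."""
    result = []
    for line in lines:
        entry = parse_conn_line(line)
        if entry and classify(entry["proto"], entry["flags"]) == "embryonic":
            result.append(entry["inside"])
    return result


# Constructed sample output (documentation-range addresses), not a real capture.
SAMPLE_SHOW_CONN = """\
TCP out 198.51.100.20:80 in 10.1.1.5:34567 idle 0:00:02 Bytes 1234 flags UIO
TCP out 198.51.100.21:443 in 10.1.1.7:40211 idle 0:00:29 Bytes 0 flags saA
TCP out 198.51.100.22:22 in 10.1.1.9:51022 idle 0:00:01 Bytes 980 flags UfFRr
UDP out 198.51.100.53:53 in 10.1.1.5:5353 idle 0:00:01 Bytes 64
"""

if __name__ == "__main__":
    for line in SAMPLE_SHOW_CONN.splitlines():
        e = parse_conn_line(line)
        print(e["proto"], e["inside"], "->", e["outside"],
              classify(e["proto"], e["flags"]), describe_flags(e["flags"]))
    print("half-open from inside:", find_embryonic(SAMPLE_SHOW_CONN.splitlines()))
```

Feed it the pasted output of "show conn" and the entries that stay at saA for a long idle time are the ones whose SYN left the inside but never got a SYN+ACK back, which is exactly the case the thread asks about. UDP entries are reported separately because the PIX keeps them only on an idle timer rather than a handshake.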