
TCP Flags and FW flags

mahesh18
Level 6

Hi everyone,

I was reading cisco documentation

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml

It says for outbound connection from FW

TCP FLAG                       FW FLAG

SYN      --------------->      saA

SYN+ACK  <---------------      A

ACK      --------------->      U

I need to understand this: the TCP flags are sent by the PC from inside the network to the FW.

Are the FW flags generated by the FW? Or are the FW flags sent by the server from outside to the FW?

Thanks

Mahesh

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi Mahesh,

The TCP flags you mention above refer to the 3-way handshake between a host opening a TCP connection and the server.

The flags on the ASA firewall are shown with the commands "show conn" or "show conn detail", which show what the state of the TCP connection is from the ASA's perspective.

You can use the "show conn detail" to view the different flags and their meaning on the ASA CLI.

As you can see from the "show conn detail" output, the FW flags mean this:

  • saA = The ASA has seen the "inside" host send a TCP SYN. It is still waiting for the "outside" host to send a TCP SYN and TCP ACK. It is also waiting for a TCP ACK from the "inside" host.
  • A = As the ASA receives the TCP SYN, ACK from the "outside" host, it removes all but the flag that represents that it's waiting for the ACK from the "inside" host.
  • U = When it receives the TCP ACK from the "inside" host it will finally show the flag U, which means the TCP connection is up.
  • UIO = When data starts passing through this TCP connection the ASA will also add the flags I and O. These mean data in the inbound and outbound directions.

The terms "inside" and "outside" above DON'T refer to the "nameif" of an interface. They refer to the interface "security-level". The one with the higher "security-level" is referred to in the ASA flags as inside and the one with the lower "security-level" is referred to as the outside.

Here is also a good page online about the same subject

http://ccnpsecurity.blogspot.fi/2011/11/asa-flags-associated-with-tcp.html

Hope this helps

- Jouni

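As an added illustration (not part of the thread and not Cisco's code or documentation), here is a toy Python connection tracker that replays the three handshake packets Mahesh lists, plus one data segment in each direction, and renders the flag string the way the answer above describes it (saA, then A, then U, then UIO). The Packet and Conn classes, the "inside"/"outside" ingress labels and the display order of the letters are assumptions made for the example; only the flag letters and their meaning come from the answer. It also shows the defensive point behind the flags: a packet that does not fit the recorded state (an unsolicited SYN from the lower-security side, or data before the handshake is complete) is not permitted.

```python
# Added example: toy stateful tracker mimicking the ASA conn-flag progression
# for a TCP connection opened from the higher-security ("inside") interface
# toward the lower-security ("outside") interface. Not Cisco code.
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

# Real TCP header flag bits.
TCP_SYN, TCP_ACK = 0x02, 0x10

# Display order for the rendered flag string (assumption for this example).
FLAG_ORDER = "saAUIO"


@dataclass
class Packet:
    """One TCP segment as seen by the firewall (constructed sample input)."""
    ingress: str        # "inside" (higher security-level) or "outside" (lower)
    tcp_flags: int      # bitwise OR of TCP_SYN / TCP_ACK
    payload_len: int = 0


@dataclass
class Conn:
    """Firewall-side state for one connection, kept as ASA-style flag letters."""
    flags: set = field(default_factory=set)

    def render(self) -> str:
        return "".join(c for c in FLAG_ORDER if c in self.flags)


class ToyStatefulFirewall:
    """Tracks a single connection; returns (verdict, flag string) per packet."""

    def __init__(self) -> None:
        self.conn: Optional[Conn] = None

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        syn = bool(pkt.tcp_flags & TCP_SYN)
        ack = bool(pkt.tcp_flags & TCP_ACK)

        # No entry yet: only a SYN from the inside may create one.
        if self.conn is None:
            if pkt.ingress == "inside" and syn and not ack:
                # s = awaiting outside SYN, a = awaiting outside ACK,
                # A = awaiting inside ACK
                self.conn = Conn({"s", "a", "A"})
                return "permit", self.conn.render()
            return "drop", ""   # unsolicited outside SYN or stray ACK: no state

        f = self.conn.flags

        # Step 2: SYN+ACK from outside clears the "waiting for outside" flags.
        if pkt.ingress == "outside" and syn and ack and {"s", "a"} <= f:
            f -= {"s", "a"}
            return "permit", self.conn.render()

        # Step 3: final ACK from inside, only once the SYN+ACK has been seen.
        if (pkt.ingress == "inside" and ack and not syn
                and "A" in f and not ({"s", "a"} & f)):
            f.discard("A")
            f.add("U")
            return "permit", self.conn.render()

        # Data flows only once the connection is up; direction adds O or I.
        if "U" in f and pkt.payload_len > 0:
            f.add("O" if pkt.ingress == "inside" else "I")
            return "permit", self.conn.render()

        # Anything else does not fit the recorded state.
        return "drop", self.conn.render()


def run_handshake_and_data() -> List[Tuple[str, str]]:
    """Replay the outbound handshake from the thread plus one data segment each way."""
    fw = ToyStatefulFirewall()
    trace = [
        Packet("inside", TCP_SYN),                    # PC -> server: SYN
        Packet("outside", TCP_SYN | TCP_ACK),         # server -> PC: SYN+ACK
        Packet("inside", TCP_ACK),                    # PC -> server: ACK
        Packet("inside", TCP_ACK, payload_len=100),   # outbound data
        Packet("outside", TCP_ACK, payload_len=200),  # inbound data
    ]
    return [fw.inspect(p) for p in trace]


if __name__ == "__main__":
    for verdict, flags in run_handshake_and_data():
        print(f"{verdict:6s} {flags}")
```

Running it prints the verdict and flag string after each packet: saA, A, U, UO and finally UIO. Feeding the same tracker an outside-originated SYN with no existing entry, or inside data while the entry still reads saA, returns a drop verdict instead.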

2 Replies

Hi Jouni,

It was a very good explanation by you and that link.

Regards

Mahesh
