Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4051
Views
0
Helpful
2
Replies

TCP Flags and FW flags

Go to solution
mahesh18
Level 6
Level 6

‎06-04-2013 10:02 AM - edited ‎03-11-2019 06:52 PM

                   Hi everyone,

I was reading cisco documentation

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml

It says for outbound connection from FW

TCP FLAG                            FW FLAG

SYN   --------------->                  saA

SYN+ACK <-----------------          A

ACK    ------------------>                U

Need to understand that TCP FLAGS are sent by PC  from inside the Network to the FW.

FW Flags are generated  by FW  ? or FW flags are sent by server  from  outside to the FW?

Thanks

Mahesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-04-2013 10:18 AM

Hi Mahesh,

The TCP flags you mention above refer to the 3 Way Handshake between a host opening a TCP connection to a server.

The flags on the ASA firewall are shown with commands "show conn" or "show conn detail" which show what the state of the TCP connection is from the ASAs perspective.

You can use the "show conn detail" to view the different flags and their meaning on the ASA CLI.

As you could see referring to the "show conn detail" output the FW Flags would mean this

  • saA = ASA has seen the "inside" host send a TCP SYN. It is still waiting for the "outside" host to send a TCP SYN and TCP ACK. It is also waiting for a TCP ACK from the "inside" host
  • A = As the ASA receives the TCP SYN, ACK from the "outside" host, it removes all but the flag that represents that its waiting the ACK from the "inside" host
  • U = When it receives the TCP ACK from the "inside" host it will finally show the flag U which means the TCP connection is up
  • UIO = When Data starts passing through this TCP connection the ASA will also add the flags I and O. These means Data in Inbound and Outbound direction.

The terms "inside" and "outside" above DONT refer to the "nameif" of an interface. They refer to the interface "security-level". The one with higher "security-level" is refered to in the ASA flags by inside and the one with lower "security-level" is referred to as the outside.

Here is also a good page online about the same subject

http://ccnpsecurity.blogspot.fi/2011/11/asa-flags-associated-with-tcp.html

Hope this helps

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-04-2013 10:18 AM

Hi Mahesh,

The TCP flags you mention above refer to the 3 Way Handshake between a host opening a TCP connection to a server.

The flags on the ASA firewall are shown with commands "show conn" or "show conn detail" which show what the state of the TCP connection is from the ASAs perspective.

You can use the "show conn detail" to view the different flags and their meaning on the ASA CLI.

As you could see referring to the "show conn detail" output the FW Flags would mean this

  • saA = ASA has seen the "inside" host send a TCP SYN. It is still waiting for the "outside" host to send a TCP SYN and TCP ACK. It is also waiting for a TCP ACK from the "inside" host
  • A = As the ASA receives the TCP SYN, ACK from the "outside" host, it removes all but the flag that represents that its waiting the ACK from the "inside" host
  • U = When it receives the TCP ACK from the "inside" host it will finally show the flag U which means the TCP connection is up
  • UIO = When Data starts passing through this TCP connection the ASA will also add the flags I and O. These means Data in Inbound and Outbound direction.

The terms "inside" and "outside" above DONT refer to the "nameif" of an interface. They refer to the interface "security-level". The one with higher "security-level" is refered to in the ASA flags by inside and the one with lower "security-level" is referred to as the outside.

Here is also a good page online about the same subject

http://ccnpsecurity.blogspot.fi/2011/11/asa-flags-associated-with-tcp.html

Hope this helps

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎06-04-2013 11:25 AM

Hi Jouni,

It was very good explanation by you and that  link.

Regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card