06-04-2013 10:02 AM - edited 03-11-2019 06:52 PM
Hi everyone,
I was reading the Cisco documentation:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml
It says, for an outbound connection from the FW:
TCP FLAG                    FW FLAG
SYN      --------------->   saA
SYN+ACK  <---------------   A
ACK      --------------->   U
I need to understand that the TCP FLAGS are sent by the PC from inside the network to the FW.
Are the FW flags generated by the FW, or are the FW flags sent by the server from outside to the FW?
Thanks
Mahesh
Labels: NGFW Firewalls
Accepted Solutions
06-04-2013 10:18 AM
Hi Mahesh,
The TCP flags you mention above refer to the 3-way handshake between a host opening a TCP connection and a server.
The flags on the ASA firewall are shown with the commands "show conn" or "show conn detail", which show what the state of the TCP connection is from the ASA's perspective.
You can use "show conn detail" to view the different flags and their meaning on the ASA CLI.
As you can see referring to the "show conn detail" output, the FW flags would mean this:
- saA = The ASA has seen the "inside" host send a TCP SYN. It is still waiting for the "outside" host to send a TCP SYN and TCP ACK. It is also waiting for a TCP ACK from the "inside" host.
- A = As the ASA receives the TCP SYN, ACK from the "outside" host, it removes all but the flag that represents that it's waiting for the ACK from the "inside" host.
- U = When it receives the TCP ACK from the "inside" host it will finally show the flag U, which means the TCP connection is up.
- UIO = When data starts passing through this TCP connection the ASA will also add the flags I and O. These mean data in the inbound and outbound directions.
The terms "inside" and "outside" above DON'T refer to the "nameif" of an interface. They refer to the interface "security-level". The one with the higher "security-level" is referred to in the ASA flags as inside, and the one with the lower "security-level" is referred to as the outside.
Here is also a good page online about the same subject
http://ccnpsecurity.blogspot.fi/2011/11/asa-flags-associated-with-tcp.html
Hope this helps
- Jouni
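The saA -> A -> U -> UIO progression Jouni describes, written out as a small state machine that you can feed the segments of a handshake and read the ASA-style flag string back from. This is an added example, not code from the thread or from Cisco; the segment tuples, the function names and the "saAUIO" display order are assumptions made here for illustration.

```python
"""ASA connection-flag progression for an outbound TCP handshake, as explained
in the answer above (saA -> A -> U -> UIO). Added example, not Cisco's or the
thread's code: the segment tuples, function names and the display order
"saAUIO" are assumptions made here for illustration."""

FLAG_MEANING = {                 # letters as explained in the answer
    "s": "awaiting outside SYN", "a": "awaiting outside ACK",
    "A": "awaiting inside ACK", "U": "up",
    "I": "inbound data", "O": "outbound data",
}
ORDER = "saAUIO"                 # assumed display order (matches saA and UIO)

def render(flags):
    """Flag set -> ASA-style string, e.g. {'U', 'O', 'I'} -> 'UIO'."""
    return "".join(f for f in ORDER if f in flags)

def track_outbound(segments):
    """segments: (direction, tcp_flags, payload_bytes); direction is 'inside'
    (higher security-level) or 'outside' (lower). Returns the ASA flag string
    after each segment, starting from an empty (no conn yet) state."""
    flags, history = set(), []
    for direction, tcp_flags, payload in segments:
        tcp = set(tcp_flags.split("+"))
        if not flags and direction == "inside" and tcp == {"SYN"}:
            flags = {"s", "a", "A"}           # inside SYN seen: saA
        elif direction == "outside" and tcp == {"SYN", "ACK"} and "s" in flags:
            flags -= {"s", "a"}               # outside SYN+ACK clears both waits: A
        elif direction == "inside" and "ACK" in tcp and "A" in flags:
            flags = (flags - {"A"}) | {"U"}   # inside ACK completes handshake: U
        if "U" in flags and payload > 0:      # data adds O (inside->out) or I
            flags.add("O" if direction == "inside" else "I")
        history.append(render(flags))
    return history

def explain(flag_string):
    """Expand a flag string into the meanings given in the answer."""
    return [f"{f} = {FLAG_MEANING[f]}" for f in flag_string]

# Constructed segments: normal outbound web connection, then data both ways.
HANDSHAKE = [
    ("inside", "SYN", 0), ("outside", "SYN+ACK", 0), ("inside", "ACK", 0),
    ("inside", "ACK", 150),    # request leaves: O
    ("outside", "ACK", 1200),  # response returns: I
]

if __name__ == "__main__":
    for seg, state in zip(HANDSHAKE, track_outbound(HANDSHAKE)):
        print(f"{seg[0]:>7} {seg[1]:<8} -> flags {state:<4} {explain(state)}")
```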
06-04-2013 11:25 AM
Hi Jouni,
It was a very good explanation by you, and that link.
Regards
Mahesh
