In general the ASA when communicating to the different networks it uses the interface connected to that network or the interface behind which that network is located.

Also the ASA doesn't really allow traffic across the box to the other side to an ASA interface (other than in very specific cases like VPN + Device management connections)

I am not sure if this is documented anywhere. It certainly isnt mentioned in the Command Reference which would be a logical place. Then again it wouldnt be the first time that very specific and potentially important informatin was left out of public documentation.

I personally just avoid using any ASA interface IP with the "packet-tracer" and to be honest you are usually testing user traffic that is naturally coming from a different source IP address anyway.

If you would like to look which ports the ASA uses to listen to services you can use the command (minimum software 8.0(2) needed)

show asp table socket

If you want to see the connections formed by the ASA and to the ASA use the command

show conn all | inc Identity

- Jouni

Hi,

Lets look at the first output

ciscoasa# show conn all | inc Identity

UDP outside 192.168.11.1:123 NP Identity Ifc 192.168.11.2:65535, idle 0:01:50, bytes 96, flags -

TCP outside 192.168.98.10:65323 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 531, flags UfrOB

TCP outside 192.168.98.10:65322 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 521, flags UfrOB

TCP outside 192.168.98.10:65321 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 406, flags UfrOB

TCP outside 192.168.98.10:65319 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 536, flags UfrOB

TCP outside 192.168.98.10:65313 NP Identity Ifc 192.168.11.2:443, idle 0:00:00, bytes 50003, flags UOB

TCP outside 192.168.98.10:65310 NP Identity Ifc 192.168.11.2:443, idle 0:00:04, bytes 34278, flags UOB

TCP outside 192.168.5.2:25844 NP Identity Ifc 192.168.11.2:22, idle 0:00:00, bytes 157719, flags UOB

UDP outside 192.168.11.1:123 NP Identity Ifc 192.168.11.2:65535, idle 0:01:50, bytes 96, flags -

The first seems to be a NTP connection. Its an UDP connection so the default timeout for UDP connection is 2min. As you can see its already been idle 1min 50 seconds so its really closed to being removed from the firewall connection table.

TCP outside 192.168.98.10:65323 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 531, flags UfrOB

TCP outside 192.168.98.10:65322 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 521, flags UfrOB

TCP outside 192.168.98.10:65321 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 406, flags UfrOB

TCP outside 192.168.98.10:65319 NP Identity Ifc 192.168.11.2:443, idle 0:00:58, bytes 536, flags UfrOB

With the above connections it seems to me that they are TCP connections (possibly part of some TCP connections related to ASDM) Notice the end section with the TCP "flags". From these we can see that the TCP connections are already in the process of being teardown. In other words they are not in use anymore but in the process of being closed and removed from the connection table of the ASA.

The flags to look out for are

r - inside acknowledged FIN

f - inside FIN

TCP outside 192.168.98.10:65313 NP Identity Ifc 192.168.11.2:443, idle 0:00:00, bytes 50003, flags UOB

TCP outside 192.168.98.10:65310 NP Identity Ifc 192.168.11.2:443, idle 0:00:04, bytes 34278, flags UOB

TCP outside 192.168.5.2:25844 NP Identity Ifc 192.168.11.2:22, idle 0:00:00, bytes 157719, flags UOB

And as you can see with the last 3 connections, they are the same TCP connections that are left in the second output. This is because they seem to be in use still and there is no TCP flags that would indicate they are in the process of being teardown.

You can see explanation of all the different connection "flags" while  issuing the command "show conn all" and checking out the top most  portion (example output from my ASA)

ASA(config)# sh conn detail

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,

       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,

       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

       k - Skinny media, M - SMTP data, m - SIP media, n - GUP

       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,

       q - SQL*Net data, R - outside acknowledged FIN,

       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,

       V - VPN orphan, W - WAAS,

       X - inspected by service module

Here is also a good page telling the different most common connection flags you see on the ASA.

http://ccnpsecurity.blogspot.fi/2011/11/asa-flags-associated-with-tcp.html

Hope this helps

- Jouni

Also to add,

One other great command related to connections is to use the

show conn long

show conn long all

It shows a lot more information about the connections

Like

• How long the connections has been on the ASA "uptime"
• What the applied timeout value for the connection is "timeout"
• Source and Destination NAT. If IP address and the one following in "()" are the same then no nat has been done, or atleast the address hasnt been changed.

- Jouni