Sorry I just re-read your email.

A says inbound connection (which means originated from outside). B says outbound connection (which means it originated from inside). So my interpretation of those phrases means 2 is A and 1 is B.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Garrett Skjelstad [mailto:[email protected]]
Sent: Thursday, June 03, 2010 2:23 PM
To: Tyson Scott
Cc: Kingsley Charles; [email protected]
Subject: Re: [OSL | CCIE_Security] Flags - sh conn - ASA

With the initial SYN from outside being only in B, would that mean that 2 is B, and 1 is A?

On Thu, Jun 3, 2010 at 11:09 AM, Tyson Scott <[email protected]> wrote:

Kings,

Well it is a tough question for sure. The pictures are depicting a TCP flow, from SYN to FIN. The flags are data giving you detail as to the state of the connection at the time you use the command "show conn" or "show conn detail".

So for the SYN packet we have saA and saAB, which are:

s = awaiting outside SYN
a = awaiting inside ACK to SYN
A = awaiting outside ACK to SYN
B = initial SYN from outside

So the only difference from outside to inside and inside to outside is the B flag for "initial SYN from outside".

It then gets easier with the SYN+ACK: A and aB, which we have already described what each is above. And so on and so forth.

So for you below you have the UIO, which signifies it is Up, Inbound Data and Outbound Data. Meaning the connection is established and data is traversing both ways. It would be very difficult to get the other flags unless you just happened to catch it at the right time. Here I did the same test on our production firewall and it was difficult for me to get an initial SYN request.

firewall# show conn | incl saA
firewall# show conn | incl saA
firewall# show conn | incl saA
firewall# show conn | incl saA
firewall# show conn | incl saA
TCP outside 74.125.95.96:80 inside 10.2.24.121:63283, idle 0:00:00, bytes 0, flags saA
firewall#

But here are some more examples of the others as well.

TCP outside 92.233.98.59:50961 inside 209.124.41.100:443, idle 0:00:02, bytes 2795, flags UIOB
TCP outside 92.233.98.59:50887 inside 209.124.41.100:443, idle 0:05:06, bytes 3054, flags UfIOB
TCP outside 92.233.98.59:50856 inside 209.124.41.100:443, idle 0:07:37, bytes 3054, flags UfIOB
TCP outside 92.233.98.59:50841 inside 209.124.41.100:443, idle 0:08:57, bytes 3054, flags UfFRIOB

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Thursday, June 03, 2010 9:06 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Flags - sh conn - ASA

Hi

Flash card - IPS module - 25th question. There is a screenshot of sh conn flags and it asks to map which is inbound and outbound. Can someone explain that screenshot? I am not able to get that kind of O/P with sh conn options. This is what I get in my ASA.

ciscoasa(config)# sh conn detail
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete,
       J - GTP, j - GTP data, K - GTP t3-response k - Skinny media, M - SMTP data,
       m - SIP media, n - GUP O - outbound data, P - inside back connection,
       p - Phone-proxy TFTP connection, q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, V - VPN orphan,
       W - WAAS, X - inspected by service module
TCP outside:10.20.30.40/23 inside:10.20.30.42/20257, flags UIO, idle 13m35s, uptime 13m42s, timeout 1h0m, bytes 158

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
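Added example, not from any message in the thread: a small parser that reads `show conn` lines in both layouts quoted above, applies the flag legend from Kings's `sh conn detail` paste, and uses the B flag to tell which side sent the first SYN, as Tyson's explanation describes. The "phase" grouping (handshake / established / closing) is my own coarse bucketing of the flags, not an ASA term, and the sample lines are constructed with RFC 5737 addresses.

```python
import re

# Flag legend from the thread's "show conn detail" output (TCP-state subset).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "F": "outside FIN", "f": "inside FIN",
    "I": "inbound data", "O": "outbound data", "R": "outside acknowledged FIN",
    "r": "inside acknowledged FIN", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up", "i": "incomplete",
}
# Accepts both layouts seen in the thread ("show conn" and "show conn detail").
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+outside[:\s]+(?P<o_ip>[\d.]+)[:/](?P<o_port>\d+)\s+"
    r"inside[:\s]+(?P<i_ip>[\d.]+)[:/](?P<i_port>\d+).*?\bflags\s+(?P<flags>[A-Za-z]+)"
)

def classify_phase(flags):
    # FIN flags are tested first: a closing conn still carries U/I/O.
    if any(f in flags for f in "FfRr"):
        return "closing"
    if "U" in flags:
        return "established"
    if any(f in flags for f in "SsAa"):
        return "handshake"
    return "unknown"

def parse_conn(line):
    # Returns None for legend/header lines that are not connection entries.
    m = CONN_RE.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = d["flags"]
    # B is the only flag that records which side sent the first SYN.
    d["initiator"] = "outside" if "B" in flags else "inside"
    d["phase"] = classify_phase(flags)
    d["meaning"] = [FLAG_LEGEND[f] for f in flags if f in FLAG_LEGEND]
    return d

# Constructed sample output (RFC 5737 addresses) mirroring the thread's formats.
SAMPLE = """\
TCP outside 198.51.100.7:80 inside 10.2.24.121:63283, idle 0:00:00, bytes 0, flags saA
TCP outside 203.0.113.9:50961 inside 192.0.2.100:443, idle 0:00:02, bytes 2795, flags UIOB
TCP outside 203.0.113.9:50841 inside 192.0.2.100:443, idle 0:08:57, bytes 3054, flags UfFRIOB
TCP outside:10.20.30.40/23 inside:10.20.30.42/20257, flags UIO, idle 13m35s, bytes 158
"""

if __name__ == "__main__":
    print(*map(parse_conn, SAMPLE.splitlines()), sep="\n")
```

Run against a saved `show conn` capture, the `initiator` field separates sessions that were opened from the outside (B set) from those opened by inside hosts, which is the distinction the flashcard question is asking about.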
