stateful connections ???

Unanswered Question
Nov 30th, 2006
User Badges:

hi guys, i got some prob in ASA plz help me out,,

pc1-----------ASA----------pc2

outside inside

now see nat is disabled and i have given an accesslist to allow pc1

to ping pc2. till here it is working fine. now suppose i have issued a

continuous ping from pc1 to pc 2 it goes well but meantime from CLI i removed the access list ! but the ping is still going !!!! if i stop it n

then issue ping again it is not going as expected, but my question is

why didnt it stopped when i removed the accesslist ???

heres my own guess, because the connection was formed already in ASA

stateful table so it was allowing it to go, so is it possible that if i

changed or modify an access list it takes the action immediately ? is

there any command for that ??? becoz i m having a lot of problem in testing

time

based acls they r simply not at all working with ASA, i m using 7.0 ios

so

any help plz ???

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a.kiprawih Sat, 12/02/2006 - 19:57
User Badges:
  • Gold, 750 points or more

You're right. It will still pinging because the connection table for the existing ping session is still active. It will only gone if you manually stop the ping or issue 'cle xlate' command.


Use the 'clear xlate' everytime you want to clear the connection


http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0de.html#wp2029296



HTH

AK

shahidrox Sun, 12/03/2006 - 03:42
User Badges:

but dont u think this is inconvenient ?? like if there are 2 outside users connected to my webserver n i want to block 1 of them so i designed an acl but if i clear xlate then both of the connections will be reset !!! is there any other way

a.kiprawih Sun, 12/03/2006 - 05:35
User Badges:
  • Gold, 750 points or more

Another way is to use "clear local-host " command.


FWALL#clear local-host 10.1.1.15


This will clear the network state of a local host stops all network connections and xlates that are associated ONLY with the local hosts.


AK

Actions

This Discussion