ASA State Table

I had a question about the ASA's state table. I may be overthinking this!

When going from a higher security level to a lower security level, the ASA keeps track of the state of the connections, which you can see by 'show conn'.

However, whenever you poke holes from, say, the outside to the DMZ, I have read that this is supposed to bypass the state table and just allow packets through, but when I do a 'show conn' I can see connections in the results that have been initiated from a lower security level to a higher one. It seems like the ASA is still recording the sessions. So do those packets go into the state table of the ASA? Why would I see them linger around if they do not?

I do not have any policy maps inspecting these packets from the outside to the DMZ.

Thanks!!!

Accepted Solution

ASA State Table

Hi,

It shouldn't matter from where the connection is formed.

With regard to TCP connections, the ASA builds a connection as soon as it sees a TCP SYN which is also allowed through the firewall. Naturally, how long the connection stays on the ASA depends on multiple factors.

For UDP the ASA also builds the connection if the traffic is allowed through the firewall. Though as the UDP connection doesn't really have a state like a TCP connection, it means that the UDP connection stays in the ASA's connection table as long as it's not idle for too long.

- Jouni
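A simplified model of the behaviour Jouni describes, added here as an example (it is not the ASA's code and was not posted in this thread): a conn entry is built for a permitted TCP SYN or first UDP packet whichever interface it arrives on, return traffic matches that entry in either direction, and an idle UDP entry ages out so a late reply from the lower-security side is dropped. The interface names, addresses, ACL and timeout values are constructed assumptions.

```python
SECURITY_LEVEL = {"outside": 0, "dmz": 50}  # constructed interface levels
# Idle timeouts in seconds; assumed here (ASA 'timeout conn' 1:00:00, 'timeout udp' 0:02:00).
IDLE_TIMEOUT = {"tcp": 3600, "udp": 120}
# The "hole" from outside to the DMZ: the interface ACL permits only (proto, dst ip, dst port).
ACL_PERMIT = {("tcp", "10.20.0.5", 443)}


class ConnTable:
    """Simplified model of the ASA conn table as described in the accepted answer."""
    def __init__(self):
        self.conns = {}  # key -> time the entry was last refreshed

    @staticmethod
    def _key(proto, src, dst):
        # Direction-agnostic key so return traffic matches the same entry.
        return (proto,) + tuple(sorted([src, dst]))

    def expire(self, now):
        for k, last in list(self.conns.items()):
            if now - last > IDLE_TIMEOUT[k[0]]:
                del self.conns[k]  # idle too long: entry torn down

    def process(self, now, in_if, out_if, proto, src, dst, flags=""):
        """Return 'permit' or 'drop' for one packet and update the table."""
        self.expire(now)
        k = self._key(proto, src, dst)
        if k in self.conns:  # existing conn matches whichever way the packet flows
            self.conns[k] = now
            if proto == "tcp" and ("F" in flags or "R" in flags):
                del self.conns[k]  # teardown (half-closed tracking omitted)
            return "permit"
        if proto == "tcp" and flags != "S":
            return "drop"  # TCP without a conn must start with a SYN
        to_lower = SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
        if to_lower or (proto, dst[0], dst[1]) in ACL_PERMIT:
            self.conns[k] = now  # conn built, regardless of direction
            return "permit"
        return "drop"


def demo():
    t, v = ConnTable(), []
    web, cli, dns = ("10.20.0.5", 443), ("198.51.100.7", 40000), ("203.0.113.53", 53)
    v.append(t.process(0, "outside", "dmz", "tcp", cli, web, "S"))    # hole: conn is built
    v.append(t.process(1, "dmz", "outside", "tcp", web, cli, "SA"))   # matches that conn
    v.append(t.process(2, "outside", "dmz", "tcp", cli, ("10.20.0.5", 22), "S"))  # no hole
    v.append(t.process(10, "dmz", "outside", "udp", ("10.20.0.5", 5353), dns))   # UDP out
    v.append(t.process(11, "outside", "dmz", "udp", dns, ("10.20.0.5", 5353)))   # reply ok
    v.append(t.process(300, "outside", "dmz", "udp", dns, ("10.20.0.5", 5353)))  # idle>120s
    v.append(t.process(301, "outside", "dmz", "tcp", cli, web, "FA"))  # FIN tears it down
    return v, len(t.conns)
```

Running `demo()` returns the verdicts for the seven packets and the number of entries left; the inbound SYN through the hole is permitted and still produces a conn entry, which is exactly what the original question observed in 'show conn'.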

ASA State Table

Basic information that you need to know to understand how connections work through the ASA:

ASA TCP Connection Flags (Connection build-up and teardown)

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcad00.shtml

You need to know this to understand the state the connection is in on the firewall:

timeout settings:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

Understanding xlate and conn idle and timeout values through example

https://supportforums.cisco.com/docs/DOC-21948

Value our effort and rate the assistance!