Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

Last Updated on August 3, 2021 by Admin 3

An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server has responded with a SYN/ACK segment; however, the inside host has not yet responded with an ACK segment.

Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)

  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best represents the state of a connection that is waiting on only the ACK segment from an inside host:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The output of the show conn command uses connection flags to indicate the status of each entry in the ASA connection database. The connection database is used by the stateful firewall feature of the ASA to track the state of each network connection that passes through it. The flags that an ASA uses to track a connection entry are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding inside and outside interfaces. In terms of the connection database, the inside interface for the entry is the interface with the higher security level, whereas the outside interface for the entry is the interface with the lower security level. In addition, a data flow from the inside interface to the outside interface is considered to be moving in the outbound direction and a data flow from the outside interface to the inside interface is considered to be moving in the inbound direction.
When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host. When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the A flag and will mark the connection with the U flag, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once the TCP session is established, the hosts can begin to exchange data. In this example, the inside host has established a Secure Shell (SSH) session to an outside server. When the outside server sends data to the inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through the session in the outbound direction. Thus, a normal TCP session should have flags similar to those shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host. When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host on the outside responds to the SYN/ACK segment with the
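As an added example (not part of the original question and not Cisco's own tooling), the following Python script parses show conn lines in the format used above and maps each flag combination explained here to its handshake state, which is useful when reviewing a connection dump for half-open entries; the sample input is constructed from the six candidate lines of the question.

```python
import re

# One "show conn" entry in the format shown on this page (a comma after the inside port is optional).
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<nbytes>\d+),\s+flags\s+(?P<flags>\S*)\s*$"
)

def parse_conn(line: str) -> dict:
    """Split one connection entry into its fields; the flag letters become a frozenset."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a show conn line: {line!r}")
    d = m.groupdict()
    for k in ("out_port", "in_port", "nbytes"):
        d[k] = int(d[k])
    d["flags"] = frozenset(d["flags"])
    return d

def handshake_state(flags: frozenset) -> str:
    """Map the handshake flags explained above to a readable state: B = SYN came from outside;
    s/S = awaiting SYN from outside/inside; a/A = awaiting ACK from outside/inside; U = up; I/O = data seen."""
    initiator, responder = ("outside", "inside") if "B" in flags else ("inside", "outside")
    if "s" in flags or "S" in flags:
        return f"embryonic: SYN from {initiator}, awaiting SYN/ACK from {responder}"
    if "U" not in flags and ("a" in flags or "A" in flags):
        return f"embryonic: SYN/ACK from {responder}, awaiting final ACK from {initiator}"
    if "U" in flags:
        seen = [d for f, d in (("I", "inbound"), ("O", "outbound")) if f in flags]
        return "established, data " + ("+".join(seen) if seen else "none yet")
    return "unrecognised flags " + "".join(sorted(flags))

def embryonic_count(text: str) -> int:
    """Half-open TCP entries in a dump; a sudden rise is the symptom a defender checks for during a SYN flood."""
    return sum(handshake_state(parse_conn(l)["flags"]).startswith("embryonic")
               for l in text.splitlines() if l.strip())

# Constructed sample: the six candidate lines from the question above.
SAMPLE = """\
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
"""

for l in SAMPLE.splitlines():
    print(handshake_state(parse_conn(l)["flags"]))
```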
