Understanding ASA commands

How to interpret show route output in ASA:

ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 10.50.50.1 to network 0.0.0.0
S    192.168.120.0 255.255.255.0 [1/0] via 10.64.55.1, inside

In this output, [1/0] is AD/Metric: the administrative distance of the route (1 for static) followed by its metric.

Understanding show conn, show conn detailed, show xlate, show xlate detailed:

[Figure: topology-1]

The IP address of R1 is 11.11.11.11 and the IP address of R2 is 12.12.12.12.

When R1 telnets to R2, the following is shown in the output when no NAT is configured:

Note that the connection table will have an entry for the return traffic.

ciscoasa# show conn
2 in use, 2 most used

TCP outside  12.12.12.12:23 inside  11.11.11.11:41758, idle 0:00:00, bytes 76, flags UIO

ciscoasa# show conn detail
2 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, L - LISP triggered flow owner mobility
       M - SMTP data, m - SIP media, n - GUP
       N - inspected by Snort
       O - outbound data, o - offloaded,
       P - inside back connection,
       Q - Diameter, q - SQL*Net data,
       R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       w - secondary domain backup,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP outside: 12.12.12.12/23 inside: 11.11.11.11/41758,
    flags UIO , idle 1s, uptime 1s, timeout 1h0m, bytes 76

Now consider a PAT configured on the ASA. The PAT rule is along these lines: when traffic comes from the 11.11.11.0/24 subnet and goes to outside, PAT it to 12.12.12.1. When R1 telnets to R2 this time, the connection table shows the same information as without NAT, and the xlate table holds the NAT information.

ASA1# show conn
3 in use, 9 most used

TCP outside 12.12.12.12:23 inside 11.11.11.11:51822, idle 0:00:03, bytes 99, flags UIO

ASA1# show conn detail
4 in use, 9 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
 B - initial SYN from outside, b - TCP state-bypass or nailed,
 C - CTIQBE media, c - cluster centralized,
 D - DNS, d - dump, E - outside back connection, e - semi-distributed,
 F - outside FIN, f - inside FIN,
 G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
 i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
 k - Skinny media, L - LISP triggered flow owner mobility
 M - SMTP data, m - SIP media, n - GUP
 N - inspected by Snort
 O - outbound data, o - offloaded,
 P - inside back connection,
 Q - Diameter, q - SQL*Net data,
 R - outside acknowledged FIN,
 R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
 s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
 V - VPN orphan, W - WAAS,
 w - secondary domain backup,
 X - inspected by service module,
 x - per session, Y - director stub flow, y - backup stub flow,
 Z - Scansafe redirection, z - forwarding stub flow

TCP outside: 12.12.12.12/23 inside: 11.11.11.11/51822,
 flags UIO , idle 5s, uptime 5s, timeout 1h0m, bytes 99, xlate id 0x7f69d43f3b80

ASA1# show xlate
2 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
 s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
 flags sIT idle 0:04:14 timeout 0:00:00

TCP PAT from inside:11.11.11.11/51822 to outside:12.12.12.1/51822 flags ri idle 0:00:08 timeout 0:00:30

ASA1# show xlate detail
2 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
 s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
 flags sIT idle 0:04:17 timeout 0:00:00 refcnt 0 xlate id 0x7f69d43f3d80

TCP PAT from inside:11.11.11.11/51822 to outside:12.12.12.1/51822 flags ri idle 0:00:12 timeout 0:00:30 refcnt 1 xlate id 0x7f69d43f3b80
ASA1#
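To make the relationship between the two tables concrete, here is an added Python example (not from the original post) that parses the show conn and show xlate PAT lines above, decodes the flag letters with the legends the ASA prints, and maps an address seen outside the PAT back to the real inside host. The regex patterns, function names and the subset of legend entries are my own; the sample lines are copied from the output on this page.

```python
import re
# Flag legends copied from the "show conn detail" and "show xlate" output above (subset).
CONN_FLAGS = {"U": "up", "I": "inbound data", "O": "outbound data", "F": "outside FIN",
              "f": "inside FIN", "S": "awaiting inside SYN", "s": "awaiting outside SYN"}
XLATE_FLAGS = {"s": "static", "i": "dynamic", "r": "portmap", "I": "identity", "T": "twice"}

# Sample lines taken from the show conn / show xlate output on this page (header lines included).
SAMPLE_CONN = ["3 in use, 9 most used",
               "TCP outside 12.12.12.12:23 inside 11.11.11.11:51822, idle 0:00:03, bytes 99, flags UIO"]
SAMPLE_XLATE = ["NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0",
                "TCP PAT from inside:11.11.11.11/51822 to outside:12.12.12.1/51822 flags ri idle 0:00:08 timeout 0:00:30"]

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),\s*idle (?P<idle>\S+),\s*"
    r"bytes (?P<bytes>\d+),\s*flags (?P<flags>\w+)")
XLATE_RE = re.compile(
    r"^(?P<proto>\w+) PAT from (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) flags (?P<flags>\w+)")

def _parse(regex, legend, line):
    """Match one line and decode its flag letters via the legend; None if not an entry."""
    m = regex.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["flag_names"] = [legend.get(c, "unknown:" + c) for c in d["flags"]]
    return d

def parse_conn(line):
    """Parse one 'show conn' entry (it lists the real, untranslated addresses)."""
    return _parse(CONN_RE, CONN_FLAGS, line)

def parse_pat_xlate(line):
    """Parse one 'TCP/UDP PAT' entry of 'show xlate'."""
    return _parse(XLATE_RE, XLATE_FLAGS, line)

def inside_host_for(translated_ip, translated_port, xlate_lines=SAMPLE_XLATE):
    """Map an address seen outside the PAT back to (inside_ip, port); None if no xlate matches."""
    for x in filter(None, map(parse_pat_xlate, xlate_lines)):
        if x["out_ip"] == translated_ip and x["out_port"] == str(translated_port):
            return x["in_ip"], int(x["in_port"])
    return None

def conn_for_inside(in_ip, in_port, conn_lines=SAMPLE_CONN):
    """Find the conn entry for an inside host:port; it carries the state flags, not the PAT address."""
    for c in filter(None, map(parse_conn, conn_lines)):
        if c["in_ip"] == in_ip and c["in_port"] == str(in_port):
            return c
    return None
```

Because a PAT xlate here times out after 30 seconds of idle time, capture both tables together during an investigation or the outside address can no longer be tied to an inside host.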