Translation and Connection Verification
Once you have configured your address translation policies with the global, nat, and static commands, you are now ready to use show commands to verify your configuration. The following sections cover these commands.
Viewing Active Translations
One of the more important commands that you will use when troubleshooting problems with connections is the show xlate command. This command shows the translations that are in the translation or xlate table. The syntax of the show xlate command is
ciscoasa# show xlate [detail] [{global | local}
IP_address1[-IP_address2]
[netmask subnet_mask]]
[{gport | lport} port[-port]]
[interface interface_name_1[,interface_name_X]]
[state state_information]
Typing show xlate by itself lists the entire translation table. Table 5-4 explains the rest of the parameters for this command.
Parameter | Explanation |
---|---|
detail | Displays the translation type as well as the interfaces the connection traverses. |
global | local | Displays only the global or local addresses in the output. |
gport | lport | Displays translations for the specified global or local port number(s). |
interface | Displays only the translations for the specified interfaces. |
state | Displays the connections by their state. You can also limit the output of the display by specifying the state(s) that you are interested in: translations configured by the static command (static); translations being removed (dump); translations configured with PAT by global command (portmap); translations defined by the nat or static command with the norandomseq parameter (norandomseq); or translations defined with the nat 0 configuration (identity). |
An example of the output of the show xlate command is shown here:
ciscoasa# show xlate
Global 200.200.200.10 Local 172.16.7.80 nconns 1 econns 0
Global 200.200.200.11 Local 172.16.7.81 nconns 3 econns 0
In this example, the global address is the address that external devices use to access the internal device, displayed as the local address. For example, if someone from the outside world wanted to access 172.16.7.80, he would use a destination address of 200.200.200.10. Two other items in this display are of interest: nconns refers to the number of connections that are currently open to this address, and econns refers to the number of half-open (embryonic) connections.
The following is an example using the detail parameter:
ciscoasa# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
TCP PAT from inside:172.16.7.80/1026 to outside:200.200.200.1/1024
flags ri
UDP PAT from inside:172.16.7.80/1028 to outside:200.200.200.1/1024
flags ri
ICMP PAT from inside:172.16.7.80/21505 to outside:200.200.200.1/0
flags ri
This example has three PAT connections. Notice the flags listed at the end. The r indicates that this is a port map (PAT) connection, and the i indicates an inside address. Also notice that you can see the interfaces involved in the translation—all three are between the inside and outside interfaces.
Viewing Active Connections
The appliances keep track of the connections going through them by placing connection information in a state/connection table, called a conn table. Remember that the appliances are only stateful for TCP and UDP connections by default, but can also be stateful for ICMP. The appliances allow traffic from a lower-level-security interface to a higher-level one if there is a corresponding entry in the connection table. An entry is placed in the connection table in two basic ways:
- A connection is added when a TCP or UDP connection is initiated from a higher-level interface to a lower one—this allows the returning inbound traffic to the source.
- A connection is added when inbound traffic is allowed by an ACL and a connection matches a permit statement—this allows the returning outbound traffic to the source.
To see the connections in the connection table, use the show conn command:
ciscoasa# show conn [detail] [count] [{foreign | local}
IP_address_1[-IP_address_2]]
[netmask subnet_mask]
[protocol {tcp | udp | protocol}]
[{fport | lport} port_1[-port_2]]
[state state_information]
Typing show conn by itself lists the entire state table. Table 5-5 explains the rest of the parameters for this command.
Parameter | Explanation |
---|---|
detail | Displays a legend of the connection flags and, for each connection, the interfaces it traverses and its current flags. |
count | Displays only the number of connections in the table—this can help you figure out if you have purchased the right connection license and/or security appliance. |
foreign | local | Displays only the specified foreign or local addresses. |
protocol | Displays only the specified IP protocol. |
fport | lport | Displays translations for the specified foreign or local port number(s). |
state | Displays the connections by their state. You can also limit the output of the display by specifying the state(s) that you are interested in. |
An example of the output of the show conn command is shown here:
ciscoasa# show conn
6 in use, 6 most used
TCP out 202.202.202.1:80 in 192.168.1.5:1404 idle 0:00:00 Bytes 11391
TCP out 202.202.202.1:80 in 192.168.1.5:1405 idle 0:00:00 Bytes 3709
TCP out 202.202.202.1:80 in 192.168.1.5:1406 idle 0:00:01 Bytes 2685
TCP out 202.202.202.1:80 in 192.168.1.5:1407 idle 0:00:01 Bytes 2683
In this output, the internal host (in) 192.168.1.5 accessed an external web server (out) at 202.202.202.1.
An example of the output of the show conn detail command is shown here:
ciscoasa(config)# show conn detail
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, D - DNS, d - dump,
E - outside back connection, f - inside FIN, F - outside FIN,
G - group, H - H.323, I - inbound data, M - SMTP data,
O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN,
S - awaiting inside SYN,
s - awaiting outside SYN, U - up
TCP outside:202.202.202.32/23 inside:192.168.1.10/1026 flags UIO
In this example, at the top of the display is a table explaining the flags that you may see at the end of a connection entry. Below this table is a TCP telnet connection that was initiated by 192.168.1.10 (inside) to 202.202.202.32 (outside). Its flags indicate that the connection is up (U) and that data has been seen in both the inbound (I) and outbound (O) directions. Note that the legend uses the letter R for two different meanings, so read the legend printed by your appliance rather than assuming what a flag means.
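When you are troubleshooting from a captured session rather than from a live console, it helps to parse the output rather than eyeball it. The following Python script is an added example, not code from the book or from Cisco: it parses `show xlate` lines in the nconns/econns format and `show conn detail` output in the format shown above, decodes connection flags using the legend the appliance itself prints (keeping both meanings of the ambiguous R flag), and then flags what a troubleshooter usually wants first: local hosts with many embryonic (half-open) connections, connections whose initial SYN came from the outside (flag B), and TCP entries that never reached the up state. The sample output embedded in the script is constructed to match the formats on this page and was not captured from a real appliance; the field names (`ip1`, `if1`, and so on) are this example's own and not Cisco terminology.

```python
"""Parse captured Cisco ASA `show xlate` / `show conn detail` output and flag
half-open hosts, outside-initiated connections and unfinished TCP handshakes."""
import re
from collections import defaultdict

# Constructed sample output, modelled on the formats shown in this section.
# It was not captured from a real appliance.
SHOW_XLATE = """\
Global 200.200.200.10 Local 172.16.7.80 nconns 1 econns 0
Global 200.200.200.11 Local 172.16.7.81 nconns 3 econns 0
Global 200.200.200.12 Local 172.16.7.82 nconns 2 econns 47
"""

SHOW_CONN_DETAIL = """\
4 in use, 6 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, D - DNS, d - dump,
       E - outside back connection, f - inside FIN, F - outside FIN,
       G - group, H - H.323, I - inbound data, M - SMTP data,
       O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP RPC, r - inside acknowledged FIN,
       S - awaiting inside SYN,
       s - awaiting outside SYN, U - up
TCP outside:202.202.202.32/23 inside:192.168.1.10/1026 flags UIO
TCP outside:203.0.113.9/445 inside:192.168.1.20/49152 flags UIOB
TCP outside:203.0.113.77/3389 inside:192.168.1.20/3389 flags aB
UDP outside:198.51.100.5/53 inside:192.168.1.10/5353 flags -
"""

XLATE_RE = re.compile(
    r"^Global (?P<global_ip>\S+) Local (?P<local_ip>\S+) "
    r"nconns (?P<nconns>\d+) econns (?P<econns>\d+)$"
)
# Endpoints are kept in the order the appliance prints them (if1/ip1 first).
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) flags (?P<flags>\S+)$"
)


def parse_xlate(text):
    """One dict per `show xlate` line; nconns/econns are converted to ints."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["nconns"], d["econns"] = int(d["nconns"]), int(d["econns"])
            entries.append(d)
    return entries


def parse_conn_detail(text):
    """Return (legend, connections) from `show conn detail` output. The legend
    maps a flag letter to the meanings printed for it; R appears twice above,
    so every value is a list rather than a single string."""
    legend, legend_parts, conns, in_legend = defaultdict(list), [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            in_legend = False
            d = m.groupdict()
            d["port1"], d["port2"] = int(d["port1"]), int(d["port2"])
            d["flags"] = "" if d["flags"] == "-" else d["flags"]  # '-' = none
            conns.append(d)
        elif line.startswith("Flags:"):
            in_legend = True
            legend_parts.append(line[len("Flags:"):])
        elif in_legend:  # continuation lines of the legend
            legend_parts.append(line)
    for item in " ".join(legend_parts).split(","):
        letter, sep, meaning = item.strip().partition(" - ")
        if sep:
            legend[letter].append(meaning.strip())
    return dict(legend), conns


def decode_flags(flags, legend):
    """Expand a flag string such as 'UIO' into the legend's own wording."""
    return [" or ".join(legend[c]) if c in legend else f"unknown flag {c!r}"
            for c in flags]


def half_open_hosts(xlates, threshold):
    """Translations whose local host has >= threshold embryonic connections,
    busiest first: a large econns count on a server is the usual SYN-flood
    symptom and the reason the econns column exists."""
    hits = [x for x in xlates if x["econns"] >= threshold]
    return sorted(hits, key=lambda x: x["econns"], reverse=True)


def outside_initiated(conns):
    """Connections whose initial SYN came from the outside (flag B)."""
    return [c for c in conns if "B" in c["flags"]]


def tcp_not_established(conns):
    """TCP entries still in the handshake: the U (up) flag is not set yet."""
    return [c for c in conns if c["proto"] == "TCP" and "U" not in c["flags"]]


if __name__ == "__main__":
    for x in half_open_hosts(parse_xlate(SHOW_XLATE), threshold=10):
        print(f"half-open: {x['local_ip']} (global {x['global_ip']}) econns={x['econns']}")
    legend, conns = parse_conn_detail(SHOW_CONN_DETAIL)
    for c in conns:
        print(f"{c['proto']} {c['if1']}:{c['ip1']}/{c['port1']} <-> "
              f"{c['if2']}:{c['ip2']}/{c['port2']}: "
              + (", ".join(decode_flags(c["flags"], legend)) or "no flags"))
    for c in outside_initiated(conns):
        print(f"inbound-initiated: {c['ip1']} -> {c['ip2']}/{c['port2']}")
    for c in tcp_not_established(conns):
        print(f"not established: {c['ip1']}/{c['port1']} -> {c['ip2']}/{c['port2']}")
```

Feed it a file saved from `show xlate` or `show conn detail` instead of the embedded samples and the same functions apply; the legend is parsed from the capture rather than hard-coded, so the script does not go stale when a software version changes the flag wording.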
Viewing Local Host Information
Starting in version 7.0, you can view or clear the translations and connections of local hosts with a single command each: show local-host and clear local-host, respectively. The show command displays the conn and xlate entries for all hosts associated with one or more interfaces, or for a particular host, making it easier to understand what traffic is going through the appliance. The full syntax of these commands is as follows:
ciscoasa# show local-host [IP_address] [detail]
ciscoasa# clear local-host [IP_address] [all]
Here’s an example of viewing a summary of the host information:
ciscoasa# show local-host
Licensed host limit: Unlimited
Interface inside: 1 active, 5 maximum active, 0 denied
Interface outside: 0 active, 0 maximum active, 0 denied
In this example, no per-host license limit is in effect on the appliance, and one local host currently has entries in the state table through the inside interface (at most five were seen at once). This command gives you a quick idea of how many active hosts each interface is carrying and the maximum seen for each interface.
Here’s another example of this command, but specifying a single host and using the detail parameter:
ciscoasa# show local-host 10.1.1.1 detail
Interface third: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to (from) host = 0 (0)
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
TCP PAT from inside:10.1.1.1/4984 to outside:192.1.1.1/1024 flags ri
Conn:
TCP outside:192.1.1.1/21 inside:10.1.1.1/4984 flags UI
Interface outside: 1 active, 1 maximum active, 0 denied
In this example, you can see one PAT translation in the xlate table and one connection in the conn table for 10.1.1.1.
Clearing Entries in the Xlate and Conn Tables
Any time you make policy changes (with the nat, global, static, access-list, and many other commands) that affect existing entries in the translation and/or conn tables, execute the clear xlate command to remove the existing entries. Existing translations and connections keep using the old policy until they are removed; clearing them forces the new policy to apply to the users.
The syntax of the clear xlate command is shown here:
ciscoasa# clear xlate [global ip1[-ip2] [netmask mask]]
[local ip1[-ip2] [netmask mask]]
[gport port1[-port2]] [lport port1[-port2]]
[interface logical_if_name] [state state]
If you don’t specify any parameters, all translations are cleared from the xlate table and all connections are cleared from the conn table. Many people assume that because the command contains the word “xlate” it affects only the xlate table: this is not true! You can, of course, be specific about which entry (or entries) to clear. Refer to Table 5-4 for an explanation of these parameters.
Security Alert! Any time you add, change, or delete a translation policy, clear the translation table with the clear xlate command so that your changes take effect on existing traffic and connections. Also, always qualify the clear xlate command: without any parameters, the entire conn and xlate tables are cleared, breaking every existing connection in the state table, which might upset quite a few administrators and users!