7.1 Cisco ASA: show conn to view firewall sessions, ASA TCP connection flags


ciscoasa#

ciscoasa#

ciscoasa# show xlate

0 in use, 0 most used

 

ciscoasa# show conn 

7 in use, 11 most used

UDP dmz  192.168.2.200:137 a  192.168.1.100:137, idle 0:00:15, bytes 1566, flags -

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1087, idle 0:00:25, bytes 0, flags UB

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1086, idle 0:00:25, bytes 0, flags UB

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1085, idle 0:00:25, bytes 0, flags UB

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1084, idle 0:00:21, bytes 33524, flags UIOB

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1083, idle 0:00:21, bytes 18079, flags UIOB

TCP dmz  192.168.2.200:8080 a  192.168.1.100:1082, idle 0:00:24, bytes 4778, flags UIOB

ciscoasa#

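View from the Windows PC:

[Screenshot: view from the Windows PC]

Viewing the sessions for specific addresses

[Screenshot: sessions for specific addresses]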

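ASA TCP connection flags

When you troubleshoot TCP connections through the Adaptive Security Appliance (ASA), the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA as well as problems elsewhere in the network.

The following is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command.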

ASA# show conn protocol tcp

101 in use, 5589 most used

TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA

TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO

TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA

TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags UIO

TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flags saA

TCP outside 10.23.232.116:5223 inside 192.168.1.3:52408, idle 0:00:23, bytes 0, flags saA

TCP outside 10.23.232.60:5223 inside 192.168.1.3:52413, idle 0:00:23, bytes 0, flags saA

TCP outside 10.23.232.96:5223 inside 192.168.1.3:52421, idle 0:00:11, bytes 0, flags saA

TCP outside 10.23.232.190:5223 inside 192.168.1.3:52424, idle 0:00:10, bytes 0, flags saA

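The following figure shows the ASA TCP connection flags at the different stages of the TCP state machine. The connection flags can be seen with the show conn command on the ASA.

[Figure: ASA TCP connection flags at the different stages of the TCP state machine]

TCP connection flag values

[Figure: TCP connection flag values]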

In addition, to see all possible connection flags, issue the show connection detail command on the command line:

ASA5515-X# show conn detail

35 in use, 199 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

       B - initial SYN from outside, b - TCP state-bypass or nailed,

       C - CTIQBE media, c - cluster centralized,

       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,

       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

       k - Skinny media, M - SMTP data, m - SIP media, n - GUP

       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,

       q - SQL*Net data, R - outside acknowledged FIN,

       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,

       V - VPN orphan, W - WAAS,

       X - inspected by service module,

       x - per session, Y - director stub flow, y - backup stub flow,

       Z - Scansafe redirection, z - forwarding stub flow
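
As an added example (not part of the original article and not Cisco tooling), the Python code below parses saved show conn output, decodes each TCP flag string with the legend above, and counts connections that never reached the U flag. The state names and the classify rule are assumptions of this example; the sample lines are copied from the outputs on this page.

```python
import re
from collections import Counter

# TCP-relevant subset of the flag legend printed by "show conn detail" above.
FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "F": "outside FIN", "f": "inside FIN",
    "I": "inbound data", "O": "outbound data",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN", "U": "up",
}

LINE = re.compile(r"^TCP\s+(?P<if1>\S+)\s+(?P<ep1>\S+)\s+(?P<if2>\S+)\s+(?P<ep2>\S+),"
                  r"\s+idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$")

def classify(flags):
    # Assumption of this example: no U flag means the handshake has not completed.
    if "U" not in flags:
        return "half-open"
    return "closing" if set(flags) & set("FfRr") else "established"

def parse_conns(text):
    """Return one dict per TCP line; prompts, counters and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            c = m.groupdict()
            c["bytes"] = int(c["bytes"])
            c["meaning"] = [FLAGS.get(f, "see full legend") for f in c["flags"]]
            c["state"] = classify(c["flags"])
            conns.append(c)
    return conns

def half_open_by_port(conns):
    """Count half-open connections per port of the first-listed endpoint."""
    return Counter(c["ep1"].rsplit(":", 1)[1] for c in conns if c["state"] == "half-open")

# Lines copied from the two outputs on this page.
SAMPLE = """\
ASA# show conn protocol tcp
TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA
TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO
TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saA
UDP dmz  192.168.2.200:137 a  192.168.1.100:137, idle 0:00:15, bytes 1566, flags -
TCP dmz  192.168.2.200:8080 a  192.168.1.100:1084, idle 0:00:21, bytes 33524, flags UIOB
"""

print(dict(half_open_by_port(parse_conns(SAMPLE))))
```
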

 

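Sometimes a policy has been configured and applied but still has not taken effect; in that case you can try clear conn all. The command clears every connection on the ASA, so existing sessions are dropped and have to be re-established.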





When reposting, please keep the source: www.zh-cjh.com (珠海陈坚浩博客) » 7.1 Cisco ASA: show conn to view firewall sessions, ASA TCP connection flags

Author: cjh

