Translations are at the IP layer, and connections are at the transport layer, TCP specifically. Connections are subsets of translations: many connections can be open under one translation.
The show conn Command
The show conn command displays information about the active TCP connections. In the figure, there are two connections between host 10.0.0.11 and webserver 192.168.10.11. The connections are addressed to TCP port 80 on the webserver. The replies are addressed to host 10.0.0.11, ports 2824 and 2823.
The syntax for the show conn command is shown in the figure.
The show conn detail Command
When the show conn detail option is used, the system displays information about the translation type, interface information, IP address/port number, and connection flags. In the figure, the two connections display a flag value of UIO. According to the flag definition, the connections are up and are passing inbound and outbound data.
The show local-host Command
The show local-host command displays the network states of local hosts. A local-host entry is created for any host that forwards traffic to, or through, the PIX Security Appliance. This command shows the translation and connection slots for the local hosts. In the figure, the inside host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show local-host command is displayed in the figure.
This command also displays the connection limit values. In the figure, the TCP flow count is shown with no limit. If a connection limit is not set, the value displays as 0 or unlimited and the limit is not applied. In the event of a SYN attack, with TCP intercept configured, the show local-host command output includes the number of intercepted connections in the usage count.
The clear local-host command or the clear local-host [ip_address] command can be used to clear the network state of all local hosts, or of a specific IP address. It stops all connections and xlates that are associated with the local hosts, or with the specific IP address given in the command.
The syntax for the local-host command is shown in the figure.
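As an added example (not part of this curriculum or of the PIX software), the following Python script parses the kind of show conn output described above, decodes the U/I/O connection flags, groups connections by inside host the way show local-host counts slots per host, and reports hosts whose not-yet-up connection count exceeds a limit. The line layout assumed in CONN_RE and the lines in SAMPLE_SHOW_CONN are constructed for this example; check them against the output of your own appliance before relying on the parser.

```python
import re
from collections import defaultdict
# Assumed PIX 6.x "show conn" line layout (this layout is not shown on the page above):
#   TCP out <outside ip>:<port> in <inside ip>:<port> idle h:mm:ss Bytes <n> flags <letters>
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<oip>[\d.]+):(?P<oport>\d+) "
    r"in (?P<iip>[\d.]+):(?P<iport>\d+) idle (?P<idle>\d+:\d\d:\d\d) "
    r"Bytes (?P<bytes>\d+)(?: flags (?P<flags>\S+))?$"
)
# Flag letters as defined in the text above: U = up, I = inbound data, O = outbound data.
FLAG_MEANING = {"U": "up", "I": "inbound data", "O": "outbound data"}
# Constructed sample: the figure's two web connections from 10.0.0.11, plus a second
# host whose connections never reached the "up" state.
SAMPLE_SHOW_CONN = """\
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:02 Bytes 4120 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:05 Bytes 3817 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.50:1031 idle 0:00:09 Bytes 0 flags s
TCP out 192.168.10.11:80 in 10.0.0.50:1032 idle 0:00:09 Bytes 0 flags s
TCP out 192.168.10.11:80 in 10.0.0.50:1033 idle 0:00:08 Bytes 0 flags s
"""

def parse_show_conn(text):
    """Return one dict per connection line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["flags"] = d["flags"] or ""  # UDP lines carry no flags field
            conns.append(d)
    return conns

def describe_flags(flags):
    """Expand a flag string such as 'UIO' into its meanings."""
    return [FLAG_MEANING.get(f, "unknown flag " + f) for f in flags]

def per_host_summary(conns):
    """Group connections by inside host, the way show local-host counts slots per host."""
    summary = defaultdict(lambda: {"total": 0, "up": 0, "embryonic": 0})
    for c in conns:
        s = summary[c["iip"]]
        s["total"] += 1
        s["up" if "U" in c["flags"] else "embryonic"] += 1
    return dict(summary)

def hosts_over_limit(summary, embryonic_limit):
    """Inside hosts with more not-yet-up connections than the limit (0 = unlimited)."""
    if embryonic_limit == 0:
        return []
    return sorted(h for h, s in summary.items() if s["embryonic"] > embryonic_limit)
```

A host that accumulates many connections without the U flag is the pattern the TCP intercept and connection-limit discussion above is meant to catch.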
The show xlate Command
The xlate command enables the administrator to show or clear the contents of the translation, or xlate, slots. Translation slots can remain indefinitely after key changes have been made. Always use clear xlate or reload after adding, changing, or removing access-list, global, nat, route, or static commands in the configuration. In the figure, host 10.0.0.11 is translated to a global address of 192.168.0.20 by the PIX Security Appliance.
The syntax for the xlate command is shown in the figure.
The show xlate detail Command
When the show xlate detail option is used, the system displays information about the translation, interface information, IP address, and the type of translation. In the figure, the translation displays a flag value of "i". According to the flag definition, the "i" translation is a dynamic translation.
The show timeout Command
The show timeout command displays the idle time for connection and translation slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.
The following is sample output from the show timeout command:
  show timeout
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00