PIX Security Appliance Translations and Connections
Connections and translations

Translations are at the IP layer, and connections are at the transport layer, TCP specifically. Connections are subsets of translations. Many connections can be open under one translation.

The show conn Command
The show conn command displays information about the active TCP connections. In Figure , there are two connections between host 10.0.0.11 and web server 192.168.10.11. The connections are addressed to TCP port 80 on the web server. The replies are addressed to host 10.0.0.11, ports 2824 and 2823.

The syntax for the show conn command is shown in Figure .

The show conn detail Command
When the show conn detail option is used, the system displays information about the translation type, interface information, IP address/port number, and connection flags. In Figure , the two connections display a flag value of UIO. According to the flag definition, the connections are up and are passing inbound and outbound data.

The show local-host Command
The show local-host command displays the network states of local hosts. A local-host entry is created for any host that forwards traffic to, or through, the PIX Security Appliance. This command shows the translation and connection slots for the local hosts. In Figure , the inside host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show local-host command is displayed in Figure .

This command also displays the connection limit values. In Figure , the TCP flow count is shown with no limit. If a connection limit is not set, the value displays as 0 or unlimited and no limit is applied. In the event of a SYN attack, with TCP intercept configured, the show local-host command output includes the number of intercepted connections in the usage count.

The clear local-host command or the clear local-host [ip_address] command can be used to clear the network state of all local hosts, or of a specific IP address. It stops all connections and xlates that are associated with all local hosts, or with the specific IP address given in the command.

The syntax for the local-host command is shown in Figure .

The show xlate Command
The xlate command enables the administrator to show or clear the contents of the translation (xlate) slots. Translation slots can remain indefinitely after key changes have been made. Always use clear xlate or reload after adding, changing, or removing access-list, global, nat, route, or static commands in the configuration. In Figure , host 10.0.0.11 is translated to a global address of 192.168.0.20 by the PIX Security Appliance.

The syntax for the xlate command is shown in Figure .

The show xlate detail Command
When the show xlate detail option is used, the system displays information about the translation, interface information, IP address, and the type of translation. In Figure , the translation displays a flag value of "i". According to the flag definition, the "i" translation is a dynamic translation.

The show timeout Command
The show timeout command displays the idle time for connection and translation slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.

The following is sample output from the show timeout command:

show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
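The show conn, show xlate and show timeout sections above describe how connections ride on translations and how idle slots are timed out. The following is an added example, not part of the course text, that parses captured output of these commands and counts the up (U) connections under each translation; the "show timeout" sample is the one printed above, while the "show conn" and "show xlate" lines are constructed and their line format (PIX 6.x style) is an assumption.

```python
import re
from collections import Counter

# Constructed sample output. The "show conn"/"show xlate" line format is assumed
# (PIX 6.x style); the page itself shows only the "show timeout" lines.
SAMPLE_CONN = """\
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:04 Bytes 1534 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:09 Bytes 2110 flags UIO
"""
SAMPLE_XLATE = "Global 192.168.0.20 Local 10.0.0.11\n"
SAMPLE_TIMEOUT = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
"""
CONN_RE = re.compile(r"^(\w+) out ([\d.]+):(\d+) in ([\d.]+):(\d+) "
                     r"idle ([\d:]+) Bytes (\d+) flags (\w+)$")
XLATE_RE = re.compile(r"^Global ([\d.]+) Local ([\d.]+)$")

def hms_to_seconds(hms):
    """Convert a PIX 'h:mm:ss' timer string to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(text):
    """Map each keyword of 'show timeout' output to its idle value in seconds."""
    timeouts = {}
    for line in text.splitlines():
        tokens = line.split()[1:]  # drop the leading 'timeout' keyword
        timeouts.update(zip(tokens[0::2], map(hms_to_seconds, tokens[1::2])))
    return timeouts

def parse_conns(text):
    """Parse 'show conn' lines; lines not in the expected format are skipped."""
    conns = []
    for m in filter(None, map(CONN_RE.match, text.splitlines())):
        proto, rip, rport, lip, lport, idle, nbytes, flags = m.groups()
        conns.append({"proto": proto, "remote": (rip, int(rport)),
                      "local": (lip, int(lport)), "idle": hms_to_seconds(idle),
                      "bytes": int(nbytes), "flags": flags})
    return conns

def parse_xlates(text):
    """Map local (inside) address -> global address from 'show xlate' lines."""
    return {m.group(2): m.group(1)
            for m in filter(None, map(XLATE_RE.match, text.splitlines()))}

def up_conns_per_xlate(conns, xlates):
    """Count connections flagged up (U) riding on each local->global translation."""
    return Counter((c["local"][0], xlates.get(c["local"][0]))
                   for c in conns if "U" in c["flags"])
```

With the sample data both connections from 10.0.0.11 are counted under the single 10.0.0.11 -> 192.168.0.20 translation, and the parsed conn timeout (3600 s) can be compared against each connection's idle value to see which slots are about to be returned to the free pool.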