An outside host has established an SSH connection with an inside host. Both hosts have sent and received
data over the SSH session.
Which of the following lines of output from the show conn command best represents the state of the connection
in this scenario? (Select the best answer.)
A.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
B.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
C.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
D.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
E.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
F.
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA) best
represents the state of a Secure Shell (SSH) connection that has been established and on which both hosts
have sent and received data:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB
The output of the show conn command uses connection flags to indicate the status of each entry in the ASA
connection database. The connection database is used by the stateful firewall feature of the ASA to track the
state of each network connection that passes through it. The flags that an ASA uses to track a connection entry
are dependent on the interface that initiated the connection. Typically, each connection entry has corresponding
inside and outside interfaces. In terms of the connection database, the inside interface for the entry is the
interface with the higher security level, whereas the outside interface for the entry is the interface with the lower
security level. In addition, a data flow from the inside interface to the outside interface is considered to be
moving in the outbound direction and a data flow from the outside interface to the inside interface is considered
to be moving in the inbound direction.
When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates an
entry in the connection database. The ASA immediately adds the B flag to the entry if the connection was
initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP three-way
handshake. For example, if a connection is initiated from the inside, the ASA will add the saA flags to the entry,
as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates that
the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host. When the
corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these flags and the
ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the host
on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the A
flag and will mark the connection with the U flag, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
The U flag indicates that the three-way handshake is complete and that the TCP session is established. Once
the TCP session is established, the host can begin to exchange data. In this example, the inside host has
established an SSH session to an outside server. When the outside server sends data to the inside host, the
ASA will add the I flag to the entry to indicate that data has passed through the session in the inbound
direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through the session
in the outbound direction. Thus a normal TCP session should have flags similar to those shown in the following
command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
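The flag progression above (saA, then A, then U, then UIO for an inside-initiated session, and SaAB, aB, UB, UIOB when the SYN arrives from the outside) is easy to get wrong when reading show conn output under pressure. The following Python is an added example, not part of the original question or of any Cisco tool: it parses show conn lines of the format printed on this page, decodes the flags discussed in the explanation into plain facts, and replays the handshake state machine for both initiators. The flag print order string and the rule that payload is only counted once the session is up are assumptions of this model, chosen so the rendered strings match the outputs shown on the page; the sample lines are the answer options copied from above.

```python
"""Decode Cisco ASA `show conn` TCP entries and replay the handshake flag
progression described in the explanation (added example; not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Meaning of the flags the explanation discusses (a subset of the full ASA flag set).
FLAG_MEANINGS: Dict[str, str] = {
    "U": "up: three-way handshake complete",
    "I": "inbound data seen (outside -> inside)",
    "O": "outbound data seen (inside -> outside)",
    "B": "initial SYN came from the outside interface",
    "s": "awaiting SYN from the outside host",
    "S": "awaiting SYN from the inside host",
    "a": "awaiting ACK from the outside host",
    "A": "awaiting ACK from the inside host",
}
# Print order is an assumption chosen so rendered strings match the page (saA, SaAB, aB, UIOB).
FLAG_ORDER = "UIOsSaAB"

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_if: str
    out_ip: str
    out_port: int
    in_if: str
    in_ip: str
    in_port: int
    idle: str
    bytes: int
    flags: str


def parse_conn(line: str) -> Conn:
    """Parse one show conn line; raises ValueError on anything the regex does not recognise."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    g = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        g[key] = int(g[key])
    return Conn(**g)


def describe(conn: Conn) -> Dict[str, object]:
    """Turn the flag string into the facts an operator wants to read off the entry."""
    f = set(conn.flags)
    return {
        "initiator": "outside" if "B" in f else "inside",
        "established": "U" in f,
        "waiting_for": [FLAG_MEANINGS[x] for x in "sSaA" if x in f],
        "data_inbound": "I" in f,
        "data_outbound": "O" in f,
    }


def render(flags) -> str:
    return "".join(x for x in FLAG_ORDER if x in flags)


def simulate_handshake(initiator: str, events: List[Tuple[str, str]]) -> List[str]:
    """Replay the flag transitions from the explanation. `events` are (sender, segment)
    with sender in {"inside", "outside"} and segment in {"SYN/ACK", "ACK", "DATA"}; the
    initial SYN is implied by `initiator`. Returns the flag string after each step."""
    flags = {"S", "a", "A", "B"} if initiator == "outside" else {"s", "a", "A"}
    history = [render(flags)]
    for sender, seg in events:
        if seg == "SYN/ACK":
            # A SYN/ACK satisfies both the awaited SYN and the awaited ACK from that side.
            flags -= {"s", "a"} if sender == "outside" else {"S", "A"}
        elif seg == "ACK":
            flags.discard("a" if sender == "outside" else "A")
            if not flags & {"s", "S", "a", "A"}:
                flags.add("U")  # nothing left to wait for: handshake complete
        elif seg == "DATA" and "U" in flags:
            # Model assumption: payload is only counted once the session is up.
            flags.add("I" if sender == "outside" else "O")
        else:
            raise ValueError(f"unexpected segment {seg!r} from {sender} with flags {render(flags)}")
        history.append(render(flags))
    return history


def pick_answer(options: Dict[str, str]) -> str:
    """Return the option whose flags show an outside-initiated, established session with
    data in both directions, i.e. the scenario in the question."""
    for letter, line in options.items():
        d = describe(parse_conn(line))
        if d["initiator"] == "outside" and d["established"] and d["data_inbound"] and d["data_outbound"]:
            return letter
    raise LookupError("no option matches the scenario")


# Sample lines copied from the answer options on this page.
_BASE = "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags "
OPTIONS = {"A": _BASE + "SaAB", "B": _BASE + "saA", "C": _BASE + "aB",
           "D": _BASE + "A", "E": _BASE + "U", "F": _BASE + "UIOB"}

if __name__ == "__main__":
    for letter, line in OPTIONS.items():
        print(letter, describe(parse_conn(line)))
    print("best answer:", pick_answer(OPTIONS))
    print("outside-initiated replay:", simulate_handshake(
        "outside", [("inside", "SYN/ACK"), ("outside", "ACK"), ("inside", "DATA"), ("outside", "DATA")]))
```

Running the replay for an inside-initiated session yields saA, A, U, UI, UIO; the outside-initiated replay yields SaAB, aB, UB, UOB, UIOB, which is why option F is the one that matches an established, outside-initiated SSH session with traffic in both directions.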
By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to the
entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates that
the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host. When the
corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these flags and the ASA
will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the host
on the outside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will clear the
a flag and will mark the connection with