Personal Stateful Firewall Overview
Understanding Rules with Stateful Inspection
Cisco ASR 5000 Series Product Overview
OL-22938-02
table holds a list of information that identifies the subscriber session it represents. Generally this information includes
the source and destination IP addresses, flags, sequence and acknowledgement numbers, and so on.
When a connection is permitted through the Personal Stateful Firewall enabled chassis, a state entry is created. If a
session connection with the same information (source address, source port, destination address, destination port, protocol) is
requested, the firewall subsystem compares the packet's information to the state table entry to determine the validity of the
session. If the packet matches a current table entry, it is allowed to pass; otherwise it is dropped.
Transport and Network Protocols and States
Transport protocols have their connection's state tracked in various ways. Many attributes, including IP address and port
combination, sequence numbers, and flags are used to track the individual connection. The combination of this
information is kept as a hash in the state table.
TCP Protocol and Connection State
TCP is considered a stateful, connection-oriented protocol with well-defined session connection states. TCP tracks
the state of its connections with the flags defined for the TCP protocol. The following table describes the different TCP
connection states.
Table 94. TCP Connection States

State Flag      Description

TCP (Establishing Connection)

CLOSED          A "non-state" that exists before a connection actually begins.
LISTEN          The state a host is in waiting for a request to start a connection. This is the starting state of a TCP connection.
SYN-SENT        The time after a host has sent out a SYN packet and is waiting for the proper SYN-ACK reply.
SYN-RCVD        The state a host is in after receiving a SYN packet and replying with its SYN-ACK reply.
ESTABLISHED     The state a host is in after its necessary ACK packet has been received. The initiating host goes into this state after receiving a SYN-ACK.

TCP (Closing Connection)

FIN-WAIT-1      The state a connection is in after it has sent an initial FIN packet asking for a graceful termination of the TCP connection.
CLOSE-WAIT      The state a host's connection is in after it receives an initial FIN and sends back an ACK to acknowledge the FIN.
FIN-WAIT-2      The connection state of the host that has received the ACK response to its initial FIN, as it waits for a final FIN from its connection peer.
LAST-ACK        The state of the host that just sent the second FIN needed to gracefully close the TCP connection back to the initiating host while it waits for an acknowledgement.
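The state-table lookup and the TCP state tracking described above, as an added worked example in Python (this is not Cisco's Personal Stateful Firewall code and is not taken from this document): a toy stateful inspection engine that keys its state table on the 5-tuple, recognises replies by looking up the reversed tuple, and steps each connection through the states of Table 94. The packet format, the "only the trusted side may open connections" policy, the IP addresses and the log strings are constructed for the illustration; sequence/acknowledgement number validation, idle timeouts and UDP/ICMP pseudo-state tracking are deliberately left out.

```python
"""Toy stateful inspection engine: 5-tuple state table + TCP tracker following Table 94.
Added illustration only; packet format, policy and addresses are constructed for it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # this example only tracks "tcp"
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


def five_tuple(pkt):
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def reverse_tuple(pkt):
    # a reply carries the same 5-tuple with source and destination swapped
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)


# states in which ACK-only (data) segments are accepted in either direction
OPEN = {"ESTABLISHED", "FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT"}


class StatefulFirewall:
    def __init__(self, trusted_prefix):
        self.trusted_prefix = trusted_prefix  # hypothetical policy: only this side opens connections
        self.table = {}    # initiator's 5-tuple -> {"init": state, "resp": state}
        self.log = []

    def process(self, pkt):
        """Return "PASS" or "DROP" for one packet and update the state table."""
        if pkt.proto != "tcp":
            return self._drop(pkt, "non-TCP is not tracked in this example")
        key, direction = five_tuple(pkt), "orig"
        if key not in self.table:
            key, direction = reverse_tuple(pkt), "reply"
        if key not in self.table:
            return self._new_connection(pkt)
        return self._track(key, direction, pkt)

    def _new_connection(self, pkt):
        # No entry exists: only a bare SYN from the trusted side may create one,
        # so an unsolicited SYN-ACK or data segment never gets through.
        if pkt.flags != {"SYN"}:
            return self._drop(pkt, "no state entry for this 5-tuple")
        if not pkt.src.startswith(self.trusted_prefix):
            return self._drop(pkt, "inbound connection attempt")
        self.table[five_tuple(pkt)] = {"init": "SYN-SENT", "resp": "LISTEN"}
        return "PASS"

    def _track(self, key, direction, pkt):
        entry = self.table[key]
        me, peer = ("init", "resp") if direction == "orig" else ("resp", "init")
        s, p, f = entry[me], entry[peer], pkt.flags
        if "RST" in f:                                              # abortive close
            del self.table[key]
        elif f == {"SYN", "ACK"} and s == "LISTEN" and p == "SYN-SENT":
            entry[me], entry[peer] = "SYN-RCVD", "ESTABLISHED"      # initiator is ESTABLISHED once it sees SYN-ACK
        elif f == {"ACK"} and p == "SYN-RCVD":
            entry[peer] = "ESTABLISHED"                             # third packet of the handshake
        elif "FIN" in f and s == "ESTABLISHED" and p == "FIN-WAIT-1":
            entry[me], entry[peer] = "LAST-ACK", "FIN-WAIT-2"       # FIN+ACK answering the first FIN
        elif "FIN" in f and s == "ESTABLISHED":
            entry[me] = "FIN-WAIT-1"                                # first FIN
        elif f == {"ACK"} and p == "FIN-WAIT-1" and s == "ESTABLISHED":
            entry[me], entry[peer] = "CLOSE-WAIT", "FIN-WAIT-2"     # ACK of the first FIN
        elif "FIN" in f and s == "CLOSE-WAIT":
            entry[me] = "LAST-ACK"                                  # second FIN
        elif f == {"ACK"} and p == "LAST-ACK":
            del self.table[key]                                     # final ACK: entry removed (TIME-WAIT not modelled)
        elif f == {"ACK"} and s in OPEN and p in OPEN:
            pass                                                    # data segment on an open connection
        else:
            return self._drop(pkt, f"{sorted(f)} not valid with {me}={s}, {peer}={p}")
        return "PASS"

    def _drop(self, pkt, why):
        self.log.append(f"DROP {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {why}")
        return "DROP"


def run_demo():
    """Drive one client session through the firewall; return (verdicts, open entries, log)."""
    fw = StatefulFirewall(trusted_prefix="10.0.0.")      # constructed sample addresses
    S, A, F = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    SA = frozenset({"SYN", "ACK"})

    def c2s(fl):
        return Packet("10.0.0.5", 40001, "203.0.113.10", 443, "tcp", fl)

    def s2c(fl):
        return Packet("203.0.113.10", 443, "10.0.0.5", 40001, "tcp", fl)

    verdicts = [
        fw.process(s2c(SA)),   # DROP: SYN-ACK with no matching SYN-SENT entry
        fw.process(c2s(S)),    # PASS: trusted host opens, entry created
        fw.process(s2c(SA)),   # PASS: matched via the reversed 5-tuple
        fw.process(c2s(A)),    # PASS: handshake complete
        fw.process(c2s(A)),    # PASS: data
        fw.process(s2c(A)),    # PASS: data
        fw.process(c2s(F)),    # PASS: first FIN  -> client FIN-WAIT-1
        fw.process(s2c(A)),    # PASS: ACK of FIN -> server CLOSE-WAIT, client FIN-WAIT-2
        fw.process(s2c(F)),    # PASS: second FIN -> server LAST-ACK
        fw.process(c2s(A)),    # PASS: final ACK, entry removed
        fw.process(c2s(A)),    # DROP: no entry any more
        fw.process(Packet("198.51.100.7", 5555, "10.0.0.5", 22, "tcp", S)),  # DROP: inbound SYN
    ]
    return verdicts, len(fw.table), fw.log


if __name__ == "__main__":
    v, open_entries, log = run_demo()
    print(v, open_entries)
    print("\n".join(log))
```

The two lookups in `process` are the whole of the stateful idea: a packet is compared against the table keyed on the initiator's 5-tuple and, failing that, on the reversed tuple, so a reply is admitted only because an entry already describes the session it belongs to. Everything that reaches `_new_connection` without an entry is policy, not state, and the TCP step function only advances an entry when the flags make sense for the states both endpoints are in.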