Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Personal Stateful Firewall Overview
Understanding Rules with Stateful Inspection ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-01
table holds a list of information that identifies the subscriber session it represents. Generally this information includes
the source and destination IP address, flags, sequence, acknowledgement numbers, etc.
the source and destination IP address, flags, sequence, acknowledgement numbers, etc.
When a connection is permitted through the Personal Stateful Firewall enabled chassis, a state entry is created. If a
session connection with same information (source address, source port, destination address, destination port, protocol) is
requested the firewall subsystem compares the packet‘s information to the state table entry to determine the validity of
session. If the packet is currently in a table entry, it allows it to pass, otherwise it is dropped.
session connection with same information (source address, source port, destination address, destination port, protocol) is
requested the firewall subsystem compares the packet‘s information to the state table entry to determine the validity of
session. If the packet is currently in a table entry, it allows it to pass, otherwise it is dropped.
Transport and Network Protocols and States
Transport protocols have their connection‘s state tracked in various ways. Many attributes, including IP address and port
combination, sequence numbers, and flags are used to track the individual connection. The combination of this
information is kept as a hash in the state table.
combination, sequence numbers, and flags are used to track the individual connection. The combination of this
information is kept as a hash in the state table.
TCP Protocol and Connection State
TCP is considered as a stateful connection-oriented protocol that has well defined session connection states. TCP tracks
the state of its connections with flags as defined for TCP protocol. The following table describes different TCP
connection states.
the state of its connections with flags as defined for TCP protocol. The following table describes different TCP
connection states.
Table 93. TCP Connection States
State Flag
Description
TCP (Establishing Connection)
CLOSED
A ―non-state‖ that exists before a connection actually begins.
LISTEN
The state a host is in waiting for a request to start a connection. This is the starting state of a TCP connection.
SYN-SENT
The time after a host has sent out a SYN packet and is waiting for the proper SYN-ACK reply.
SYN-RCVD
The state a host is in after receiving a SYN packet and replying with its SYN-ACK reply.
ESTABLISHED
The state a host is in after its necessary ACK packet has been received. The initiating host goes into this state
after receiving a SYN-ACK.
after receiving a SYN-ACK.
TCP (Closing Connection)
FIN-WAIT-1
The state a connection is in after it has sent an initial FIN packet asking for a graceful termination of the TCP
connection.
connection.
CLOSE-WAIT
The state a host‘s connection is in after it receives an initial FIN and sends back an ACK to acknowledge the
FIN.
FIN.
FIN-WAIT-2
The connection state of the host that has received the ACK response to its initial FIN, as it waits for a final FIN
from its connection peer.
from its connection peer.
LAST-ACK
The state of the host that just sent the second FIN needed to gracefully close the TCP connection back to the
initiating host while it waits for an acknowledgement.
initiating host while it waits for an acknowledgement.