Translation (xlate) and Connection (conn) Tables
The PIX uses two main tables to track the traffic flowing through it: the translation (xlate) table and the connection (conn) table. The translation table maps one IP address to another. For example, as data from Jack travels across the firewall, his source address of 192.168.1.11 is changed to 169.254.8.1. These entries are sometimes called slots.
The connection table contains layer 4 TCP or UDP sessions and is used to track with whom Jack currently has a session. For example, as Jack sends data to Peter, a connection entry is made in the xlate table representing the session between the two. After the two have finished sending data, the connection entry is automatically removed. Listing 5.1 shows the show xlate and show conn commands.
Listing 5.1 The show xlate and show conn Commands
Pixfirewall# show xlate
1 in use, 53 most used
PAT Global 169.254.8.1(1237) Local 192.168.1.11(1969)
Pixfirewall#
Pixfirewall# show conn
1 in use, 5 most used
TCP out 169.254.69.66:80 in 192.168.1.11:1969 idle 0:00:03 Bytes 334
Pixfirewall#
Listing 5.1 shows that the local address 192.168.1.11 (Jack) is being translated to 169.254.8.1. The show conn command shows that a TCP session exists between 192.168.1.11 (Jack) and IP address 169.254.69.66.
The following demonstrates the step-by-step flow that occurs as Jack's computer connects to Peter's computer through the PIX firewall:
Note that the xlate slot is not removed yet; if Jack wants to communicate with Peter or another computer, the xlate slot for 192.168.1.11 to 169.254.8.1 is reused. In Figure 5.2 Jack's computer is connecting to four Web servers on the Internet and the PIX is using NAT to translate addresses. The xlate table shows a single entry for the translation, and the conn table displays the four TCP sessions created to each Web site. Figure 5.2 displays Jack's xlate and connection information.
Figure 5.2. xlate and conn tables.
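To make the relationship between the two tables concrete (one xlate slot shared by several sessions, as in Figure 5.2), here is an added Python example, not part of the book or of the PIX software, that parses show xlate and show conn output in the Listing 5.1 format and joins the two tables by local address. The sample output is constructed for the example and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample output in the Listing 5.1 format (not a real capture):
# Jack's host holds one PAT slot shared by two TCP sessions; a second host
# has a plain NAT slot used by one UDP session.
SHOW_XLATE = """\
3 in use, 53 most used
PAT Global 169.254.8.1(1237) Local 192.168.1.11(1969)
PAT Global 169.254.8.1(1238) Local 192.168.1.11(1970)
Global 169.254.8.20 Local 192.168.1.20
"""
SHOW_CONN = """\
TCP out 169.254.69.66:80 in 192.168.1.11:1969 idle 0:00:03 Bytes 334
TCP out 169.254.70.10:443 in 192.168.1.11:1970 idle 0:00:12 Bytes 1024
UDP out 169.254.1.1:53 in 192.168.1.20:4021 idle 0:00:01 Bytes 86
"""

# xlate slot: optional "PAT " prefix; each address may carry "(port)".
XLATE_RE = re.compile(
    r"^(?:PAT )?Global (?P<gip>[\d.]+)(?:\(\d+\))? Local (?P<lip>[\d.]+)(?:\(\d+\))?$")
# conn entry: protocol, foreign ip:port, local ip:port, idle timer.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<fip>[\d.]+):(?P<fport>\d+) "
    r"in (?P<lip>[\d.]+):(?P<lport>\d+) idle (?P<idle>\S+)")

def parse_xlate(text):
    """Map each local address to the global address(es) it is translated to."""
    slots = defaultdict(set)
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:  # header lines such as "3 in use, ..." do not match and are skipped
            slots[m["lip"]].add(m["gip"])
    return dict(slots)

def parse_conn(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port) per session."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append((m["proto"], m["lip"], int(m["lport"]), m["fip"], int(m["fport"])))
    return conns

def join_tables(xlate_text, conn_text):
    """Group conn entries under their local host's xlate slot; hosts with no slot go to unmatched."""
    slots = parse_xlate(xlate_text)
    by_host, unmatched = {lip: [] for lip in slots}, []
    for c in parse_conn(conn_text):
        (by_host[c[1]] if c[1] in slots else unmatched).append(c)
    return slots, by_host, unmatched
```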
The show and clear xlate Table Commands
The xlate command accepts several parameters. Used by itself, show xlate displays the entire table and clear xlate clears it; the parameters let you work with a single entry or a group of entries. The xlate command syntax is as follows:
show | clear xlate [global | local <ip1[-ip2]> [netmask <mask>]] [gport | lport <port1[-port2]>] [interface <if1[,if2]>] [state <static[,portmap][,norandomseq][,identity]>] [debug] [count]
Table 5.1 displays several xlate commands and their descriptions.
Table 5.1. xlate Commands
The show conn Table Commands
The conn command is very similar to the xlate command: you can view or affect the entire table or just a subset of its entries. Remember that the connection table monitors and controls the sessions between two computers, so the conn command's parameters include things such as FIN, TCP, and UDP. The command syntax is as follows:
show conn [count] [protocol <tcp | udp>] [foreign | local <ip1[-ip2]> [netmask <mask>]] [lport | fport <port1[-port2]>] [state <up[,finin][,finout][,http_get][,smtp_data][,data_in][,data_out][,...]>]
Table 5.2. conn Commands