48-6
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 48 Configuring Connection Settings
Configuring Connection Settings
• Configuring Global Timeouts, page 48-9
Task Flow For Configuring Connection Settings (Except Global Timeouts)
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP Normalizer with a TCP Map” section on page 48-6.
Step 2 For all connection settings except for global timeouts, configure a service policy according to Chapter 29, “Configuring a Service Policy.”
Step 3 Configure connection settings according to the “Configuring Connection Settings” section on page 48-8.
Customizing the TCP Normalizer with a TCP Map
To customize the TCP normalizer, first define the settings using a TCP map.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Objects > TCP Maps pane, and click Add.
The Add TCP Map dialog box appears.
Step 2 In the TCP Map Name field, enter a name.
Step 3 In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order
for a TCP connection. The default is 0, which means this setting is disabled and the default system queue
limit is used depending on the type of traffic:
• Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3
packets. If the adaptive security appliance receives a TCP packet with a different window size, then
the queue limit is dynamically changed to match the advertised setting.
• For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to 1 or above, then the number of out-of-order packets allowed
for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission
traffic, any advertised window settings are ignored. For other TCP traffic, out-of-order packets are now buffered
and put in order instead of being passed through untouched.
Step 4 In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer,
between 1 and 20 seconds.
If they are not put in order and passed on within the timeout period, then they are dropped. The default
is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set
the limit to be 1 or above for the Timeout to take effect.
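The following is an added illustrative model, not Cisco code, of how the Queue Limit (Step 3) and Timeout (Step 4) settings interact as the guide describes them: a limit of 0 passes out-of-order segments through untouched, a limit of 1 or more buffers that many segments and forwards them once they become contiguous, and a buffered segment that is not put in order within the timeout is dropped. The behaviour when a segment arrives and the queue is already full is not stated on this page and is assumed here to be a drop.

```python
class ReorderBuffer:
    """Simplified model of the TCP normalizer's out-of-order queue.
    Illustrative only; the ASA's real implementation is not shown on the page."""

    def __init__(self, queue_limit=0, timeout=4.0, next_seq=0):
        self.queue_limit = queue_limit    # 0 = reordering disabled (page default)
        self.timeout = timeout            # seconds a segment may wait (page default 4)
        self.next_seq = next_seq          # sequence number expected next
        self.queue = {}                   # seq -> (length, arrival_time)
        self.dropped = []                 # seqs dropped by timeout or full queue

    def _expire(self, now):
        # Drop buffered segments that have waited longer than the timeout.
        for seq, (_, arrived) in list(self.queue.items()):
            if now - arrived >= self.timeout:
                del self.queue[seq]
                self.dropped.append(seq)

    def receive(self, seq, length, now):
        """Process one arriving segment; return the seqs forwarded, in order."""
        if self.queue_limit == 0:
            # Queue Limit 0: out-of-order segments are passed through untouched.
            return [seq]
        self._expire(now)
        if seq != self.next_seq:
            if len(self.queue) >= self.queue_limit:
                self.dropped.append(seq)  # assumption: queue full, segment dropped
            else:
                self.queue[seq] = (length, now)
            return []
        # In-order segment: forward it, then drain buffered segments that
        # have become contiguous.
        forwarded = [seq]
        self.next_seq += length
        while self.next_seq in self.queue:
            length, _ = self.queue.pop(self.next_seq)
            forwarded.append(self.next_seq)
            self.next_seq += length
        return forwarded
```

With a limit of 3 and a 4-second timeout, two segments arriving ahead of the expected one are held and released together when the gap is filled; if the gap is filled 5 seconds later, the held segments have already been dropped.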
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only allows packets with the reserved bits in the TCP header.
Clear and allow clears the reserved bits in the TCP header and allows the packet.
Drop drops the packet with the reserved bits in the TCP header.
Step 6 Check any of the following options: