16-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 Connection Settings
• TCP sequence randomization—Each TCP connection has two ISNs: one generated by the client and one generated by the server. By default, the ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomization prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session. You can disable randomization per traffic class if desired.
• TCP Normalization—The TCP Normalizer protects against abnormal packets. You can configure how some types of packet abnormalities are handled by traffic class.
• TCP State Bypass—You can bypass TCP state checking if you use asymmetrical routing in your network.
Configure Connection Settings
Connection limits, timeouts, TCP Normalization, TCP sequence randomization, and decrementing time-to-live (TTL) have default values that are appropriate for most networks. You need to configure these connection settings only if you have unusual requirements, your network has specific types of configuration, or if you are experiencing unusual connection loss due to premature idle timeouts.

TCP Intercept, TCP State Bypass, and Dead Connection Detection (DCD) are not enabled. You would configure these services on specific traffic classes only, and not as a general service.

The following general procedure covers the gamut of possible connection setting configurations. Pick and choose which to implement based on your needs.
Procedure

Step 1 Configure Global Timeouts, page 16-3. These settings change the default idle timeouts for various protocols for all traffic that passes through the device. If you are having problems with connections being reset due to premature timeouts, first try changing the global timeouts.

Step 2 Protect Servers from a SYN Flood DoS Attack (TCP Intercept), page 16-4. Use this procedure to configure TCP Intercept.

Step 3 Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer), page 16-7, if you want to alter the default TCP Normalization behavior for specific traffic classes.

Step 4 Bypass TCP State Checks for Asynchronous Routing (TCP State Bypass), page 16-10, if you have this type of routing environment.

Step 5 Disable TCP Sequence Randomization, page 16-13, if the default randomization is scrambling data for certain connections.

Step 6 Configure Connection Settings for Specific Traffic Classes (All Services), page 16-14. This is a catch-all procedure for connection settings. These settings can override the global defaults for specific traffic classes using service policy rules. You also use these rules to customize TCP Normalizer, change TCP sequence randomization, decrement time-to-live on packets, and implement TCP Intercept, Dead Connection Detection, or TCP State Bypass.
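The six steps above brought together in one ASA configuration, as an added example that is not taken from this guide: the interface name outside, the access-list, class-map, tcp-map and policy-map names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the limit and timeout values are assumptions chosen for illustration, and each step is kept to its own traffic class so that the global defaults still apply to everything else.

```cisco
! Step 1: global idle timeouts, applied to all traffic through the ASA
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
!
! Step 2: class for a protected web server (placeholder address) that
! will get TCP Intercept via embryonic connection limits below
access-list WEB_SERVER extended permit tcp any host 192.0.2.10 eq www
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER
!
! Step 3: TCP map that relaxes selected normalizer checks for that class
tcp-map RELAXED_NORMALIZER
 urgent-flag allow
 exceed-mss allow
 reserved-bits clear
 checksum-verification
!
! Step 4: class for traffic that takes an asymmetric path (assumed subnets)
access-list ASYM_PATH extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
class-map ASYM_PATH_CLASS
 match access-list ASYM_PATH
!
! Step 5: class for BGP sessions (TCP/179), whose ISNs must stay untouched
class-map BGP_CLASS
 match port tcp eq 179
!
! Step 6: per-class connection settings in one policy map
policy-map CONN_SETTINGS
 class WEB_SERVER_CLASS
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection conn-max 5000
  set connection advanced-options RELAXED_NORMALIZER
  set connection timeout idle 0:30:00 dcd
  set connection decrement-ttl
 class ASYM_PATH_CLASS
  set connection advanced-options tcp-state-bypass
 class BGP_CLASS
  set connection random-sequence-number disable
!
service-policy CONN_SETTINGS interface outside
```

After applying it, show service-policy interface outside lists the classes and the connection counters so that you can confirm each setting is matching the traffic you intended.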