16-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 Connection Settings
Configure Connection Settings
Examples
The following is a sample configuration for TCP state bypass. The ACL matches TCP traffic sourced from 10.1.1.0/27 (ASA ACLs take a netmask, so 255.255.255.224 is a /27, not a wildcard mask), and the service policy is applied only on the outside interface:
hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
Disable TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
You can disable TCP initial sequence number randomization if necessary, for example because the
rewritten sequence numbers are scrambling data that a device in the path or an endpoint needs to see
unchanged. Typical cases:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
firewalls to perform this action, even though doing it twice does not affect the traffic.
• If you use eBGP multi-hop through the ASA and the eBGP peers authenticate with TCP MD5 (RFC 2385).
The MD5 signature covers the TCP header, including the sequence number, so rewriting the ISN
invalidates the signature and the peers drop each other's segments.
• If you use a WAAS device that requires the ASA not to randomize the sequence numbers of
connections.
Because the matched traffic loses the protection against ISN prediction, scope the class map as narrowly
as possible (the specific peers or hosts that need it) rather than matching all TCP traffic.
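The second case above, worked through as an added example that is not from the Cisco guide: a Python model of a firewall shifting a connection's TCP sequence numbers by a per-connection random offset, beside an RFC 2385 TCP MD5 signature check as an eBGP peer would perform it. The peer addresses, the password and the BGP KEEPALIVE payload are constructed for the example, and `firewall_rewrite` is a simplified model of sequence-number translation by an in-path firewall, not the ASA's implementation. With the offset at zero (randomization disabled) the receiver's recomputed digest matches the one the sender attached; with any non-zero offset it does not, so the receiver discards the segment and the BGP session never comes up.

```python
"""
Why ISN randomization breaks TCP MD5 (RFC 2385) signatures: a constructed
example.  An in-path firewall shifts every SEQ of a connection by a random
per-connection offset (and every ACK in the reverse direction).  The MD5
signature the sender computed covers the original SEQ, so the receiver's
recomputation no longer matches and the segment is dropped.
"""
import hashlib
import os
import socket
import struct

TCP_PROTO = 6
MD5_OPT_LEN = 20          # kind(1) + len(1) + digest(16), padded with two NOPs

# Constructed sample: two eBGP peers sharing a password, one KEEPALIVE segment.
SRC_IP, DST_IP = "192.0.2.1", "198.51.100.1"
KEY = b"bgp-secret"                                  # constructed, not a real key
PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"             # BGP KEEPALIVE: marker, len 19, type 4


def build_tcp_header(sport, dport, seq, ack, flags=0x18, window=65535):
    """Fixed 20-byte TCP header; the data offset accounts for the MD5 option."""
    data_offset = (20 + MD5_OPT_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 section 2: MD5 over the IPv4 pseudo-header (src, dst, zero,
    protocol, segment length), the TCP header without options and with the
    checksum field zeroed, the segment data, and the connection key."""
    seg_len = len(tcp_header) + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]   # checksum at bytes 16-17
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def firewall_rewrite(tcp_header, isn_offset):
    """Simplified model of a stateful firewall's ISN randomization for one
    direction: SEQ is shifted by a per-connection offset (mod 2^32).  The
    firewall does not hold the MD5 key, so the signature option is left as
    the sender wrote it.  (The reverse direction shifts ACK instead.)"""
    sport, dport, seq, ack, rest = struct.unpack("!HHII8s", tcp_header)
    seq = (seq + isn_offset) & 0xFFFFFFFF
    return struct.pack("!HHII8s", sport, dport, seq, ack, rest)


def peer_accepts(isn_offset, seq=0x12345678, ack=0x9ABCDEF0):
    """Sender signs, the firewall rewrites (or not), the receiver verifies.
    Returns True when the receiver's recomputed digest equals the digest
    carried in the option, i.e. the segment would be accepted."""
    sent = build_tcp_header(179, 50000, seq, ack)
    carried_digest = tcp_md5_digest(SRC_IP, DST_IP, sent, PAYLOAD, KEY)
    received = firewall_rewrite(sent, isn_offset)
    recomputed = tcp_md5_digest(SRC_IP, DST_IP, received, PAYLOAD, KEY)
    return recomputed == carried_digest


if __name__ == "__main__":
    random_offset = int.from_bytes(os.urandom(4), "big") | 1    # never zero
    print("randomization disabled:", peer_accepts(0))              # True
    print("randomization enabled: ", peer_accepts(random_offset))  # False
```

The firewall cannot repair the signature because it does not share the peers' key; the only remedies are to exempt exactly that traffic from randomization, which is what the procedure that follows configures, or to terminate the MD5-authenticated session on a hop that the ASA does not rewrite. Keep the exemption keyed to the two BGP peer addresses rather than all TCP, since ISN prediction resistance is lost for whatever the class map matches.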
Procedure
Step 1
Create an L3/L4 class map to identify the traffic whose TCP sequence numbers should not be
randomized. The class match should be for TCP traffic; you can identify specific hosts (with an ACL),
do a TCP port match, or simply match any traffic.
class-map name
match parameter
Example:
hostname(config)# access-list preserve-sq-no extended permit tcp any host 10.2.2.2
hostname(config)# class-map no-tcp-random
hostname(config-cmap)# match access-list preserve-sq-no
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class
map. The class command takes the class map name from Step 1, not the ACL name.
policy-map name
class name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class no-tcp-random