Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Connection Settings
Configure Connection Settings
Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer)
The TCP normalizer identifies abnormal TCP packets and lets you control what the ASA does when it detects them: allow the packet, drop it, or clear the offending field or option. TCP normalization helps protect the ASA itself from attacks. It is always enabled, but you can customize how some of its checks behave.
The default configuration includes the following settings:
no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection
To customize the TCP normalizer, first define the settings using a TCP map. Then, you can apply the
map to selected traffic classes using service policies.
Procedure
Step 1
Create a TCP map to specify the TCP normalization criteria that you want to look for.
hostname(config)# tcp-map tcp-map-name
Step 2
Configure the TCP map criteria by entering one or more of the following commands. The defaults are
used for any commands you do not enter. Use the no form of a command to disable the setting.
• check-retransmission—Prevent inconsistent TCP retransmissions (retransmitted segments whose data does not match what was sent originally). This command is disabled by default.
• checksum-verification—Verify the TCP checksum, dropping packets that fail verification. This command is disabled by default.
• exceed-mss {allow | drop}—Allow or drop packets whose data length exceeds the TCP maximum segment size negotiated for the connection. The default is to allow the packets.
• invalid-ack {allow | drop}—Allow or drop packets with an invalid ACK. The default is to drop the packet, with the exception of WAAS connections, where such packets are allowed. A received packet has an invalid ACK in the following cases:
– While the connection is in the SYN-ACK-received state, the ACK number of the received packet is not exactly equal to the sequence number of the next packet the ASA expects the other side to send.
– At any point in the connection, the ACK number of the received packet is greater than the sequence number of the next packet to be sent, that is, it acknowledges data that has not yet been transmitted.
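The procedure above carried through end to end, as an added example rather than configuration taken from this page: a TCP map that tightens several normalizer checks, a class map that selects the traffic, and the service policy that binds the two. The map, class, policy and access-list names, the protected host 192.0.2.10 and the interface name outside are assumptions chosen for illustration. The class-map, policy-map, set connection advanced-options and service-policy commands are the standard ASA service-policy steps the text refers to but does not show on this page.

```text
! Step 1: create the TCP map (name TCP-STRICT is an assumption for this example)
tcp-map TCP-STRICT
 ! Drop retransmitted segments whose data differs from the original (off by default)
 check-retransmission
 ! Drop segments that fail TCP checksum verification (off by default)
 checksum-verification
 ! Drop segments carrying more data than the negotiated MSS (default is allow)
 exceed-mss drop
 ! Keep the default behaviour for invalid ACKs, stated explicitly for clarity
 invalid-ack drop
!
! Step 2: select the traffic to normalize (ACL name and host address are constructed)
access-list TCP-NORMALIZE-ACL extended permit tcp any host 192.0.2.10
class-map TCP-STRICT-CLASS
 match access-list TCP-NORMALIZE-ACL
!
! Step 3: attach the map to that class and apply the policy on an interface
policy-map TCP-STRICT-POLICY
 class TCP-STRICT-CLASS
  set connection advanced-options TCP-STRICT
!
service-policy TCP-STRICT-POLICY interface outside
```

After applying the configuration, confirm the map is attached with show service-policy interface outside and review the resulting map with show running-config tcp-map. Enabling checksum-verification and check-retransmission makes the ASA inspect every segment of the selected flows, so scope the access list to the hosts that need the stricter checks rather than matching all traffic.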