Filter
Top Products
22-7
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22 Configuring Connection Settings
Configuring Connection Settings
If they are not put in order and passed on within the timeout period, then they are dropped. The default
is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set
the limit to be 1 or above for the Timeout to take effect.
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only allows packets with the reserved bits in the TCP header.
Clear and allow clears the reserved bits in the TCP header and allows the packet.
Drop drops the packet with the reserved bits in the TCP header.
Step 6 Check any of the following options:
• Clear urgent flag—Clears the URG flag through the ASA. The URG flag is used to indicate that the
packet contains information that is of higher priority than other data within the stream. The TCP
RFC is vague about the exact interpretation of the URG flag, therefore end systems handle urgent
offsets in different ways, which may make the end system vulnerable to attacks.
• Drop connection on window variation—Drops a connection that has changed its window size
unexpectedly. The window size mechanism allows TCP to advertise a large window and to
subsequently advertise a much smaller window without having accepted too much data. From the
TCP specification, “shrinking the window” is strongly discouraged. When this condition is detected,
the connection can be dropped.
• Drop packets that exceed maximum segment size—Drops packets that exceed MSS set by peer.
• Check if transmitted data is the same as original—Enables the retransmit data checks.
• Drop packets which have past-window sequence—Drops packets that have past-window sequence
numbers, namely the sequence number of a received TCP packet is greater than the right edge of the
TCP receiving window. If you do not check this option, then the Queue Limit must be set to 0
(disabled).
• Drop SYN Packets with data—Drops SYN packets with data.
• Enable TTL Evasion Protection—Enables the TTL evasion protection offered by the ASA. Do not
enable this option if you want to prevent attacks that attempt to evade security policy.
• For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL
goes to zero, a router between the ASA and the endpoint drops the packet. It is at this point that the
attacker can send a malicious packet with a long TTL that appears to the ASA to be a retransmission
and is passed. To the endpoint host, however, it is the first packet that has been received by the
attacker. In this case, an attacker is able to succeed without security preventing the attack.
• Verify TCP Checksum—Enables checksum verification.
• Drop SYNACK Packets with data—Drops TCP SYNACK packets that contain data.
• Drop packets with invalid ACK—Drops packets with an invalid ACK. You might see invalid ACKs
in the following instances:
–
In the TCP connection SYN-ACK-received status, if the ACK number of a received TCP packet
is not exactly same as the sequence number of the next TCP packet sending out, it is an invalid
ACK.
–
Whenever the ACK number of a received TCP packet is greater than the sequence number of
the next TCP packet sending out, it is an invalid ACK.
Note TCP packets with an invalid ACK are automatically allowed for WAAS connections.
Step 7 To set TCP options, check any of the following options: