Cisco Systems ASA 5540 Network Router User Manual


57-6
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 57 Configuring Connection Settings
Configuring Connection Settings
Customizing the TCP Normalizer with a TCP Map, page 57-6
Configuring Connection Settings, page 57-8
Configuring Global Timeouts, page 57-9
Task Flow For Configuring Connection Settings (Except Global Timeouts)
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP Normalizer with a TCP Map” section on page 57-6.
Step 2 For all connection settings except for global timeouts, configure a service policy according to Chapter 36, “Configuring a Service Policy.”
Step 3 Configure connection settings according to the “Configuring Connection Settings” section on page 57-8.
Customizing the TCP Normalizer with a TCP Map
To customize the TCP normalizer, first define the settings using a TCP map.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Objects > TCP Maps pane, and click Add.
The Add TCP Map dialog box appears.
Step 2 In the TCP Map Name field, enter a name.
Step 3 In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:
Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the ASA receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to be 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For example, for application inspection, IPS, and TCP check-retransmission traffic, any advertised settings from TCP packets are ignored in favor of the Queue Limit setting. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
Step 4 In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds.
If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to be 1 or above for the Timeout to take effect.
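The following Python model is an added example, not Cisco code and not from this guide. It simulates the Queue Limit and Timeout rules of Steps 3 and 4 for one direction of a TCP connection: the system default of 3 packets for inspected traffic, pass-through for other traffic when the limit is 0, an explicit limit that overrides advertised values, a full queue that drops rather than buffers, and a Timeout that is honoured only once the limit is 1 or above. The fixed advertised limit of 3, the constructed segment arrivals, and the simplification that a passed-through packet just advances the expected sequence number are assumptions of the model, not ASA internals.

```python
"""Added model of the ASA TCP normalizer's out-of-order queue (not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Values taken from the TCP map description in Steps 3 and 4.
SYSTEM_QUEUE_LIMIT_INSPECTED = 3   # default for inspection, IPS and check-retransmission flows
DEFAULT_TIMEOUT = 4.0              # seconds; the TCP map Timeout default
QUEUE_LIMIT_RANGE = (0, 250)
TIMEOUT_RANGE = (1, 20)


def valid_tcp_map(queue_limit: int, timeout: float) -> bool:
    """True when both values are inside the ranges the ASDM dialog accepts."""
    return (QUEUE_LIMIT_RANGE[0] <= queue_limit <= QUEUE_LIMIT_RANGE[1]
            and TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1])


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    length: int     # payload length in bytes
    arrival: float  # arrival time in seconds (constructed for the example)


@dataclass
class ReorderBuffer:
    """Per-connection out-of-order handling for one direction of a TCP flow."""
    queue_limit: int = 0                # 0 = TCP map setting disabled, system default applies
    timeout: float = DEFAULT_TIMEOUT    # only honoured when queue_limit >= 1
    inspected: bool = False             # inspection / IPS / check-retransmission traffic?
    # Assumption: a fixed value stands in for the window-derived limit the ASA tracks dynamically.
    advertised_limit: int = SYSTEM_QUEUE_LIMIT_INSPECTED
    next_seq: int = 0
    pending: Dict[int, Segment] = field(default_factory=dict)
    delivered: List[int] = field(default_factory=list)
    dropped: List[int] = field(default_factory=list)
    passed_untouched: List[int] = field(default_factory=list)

    def effective_limit(self) -> Optional[int]:
        """Queue limit actually enforced; None means out-of-order packets are not buffered."""
        if self.queue_limit >= 1:
            return self.queue_limit        # explicit setting wins over advertised values
        if self.inspected:
            return self.advertised_limit   # system default for inspected traffic
        return None                        # other TCP traffic is passed through untouched

    def effective_timeout(self) -> float:
        """A configured Timeout only takes effect once Queue Limit is 1 or above."""
        return self.timeout if self.queue_limit >= 1 else DEFAULT_TIMEOUT

    def _expire(self, now: float) -> None:
        # Buffered packets not put in order within the timeout are dropped.
        stale = [s for s, seg in self.pending.items()
                 if now - seg.arrival > self.effective_timeout()]
        for seq in stale:
            del self.pending[seq]
            self.dropped.append(seq)

    def _drain(self) -> None:
        # Release buffered packets that are now contiguous with the delivered stream.
        while self.next_seq in self.pending:
            seg = self.pending.pop(self.next_seq)
            self.delivered.append(seg.seq)
            self.next_seq += seg.length

    def receive(self, seg: Segment) -> str:
        """Process one arriving segment and report what happened to it."""
        self._expire(seg.arrival)
        if seg.seq == self.next_seq:
            self.delivered.append(seg.seq)
            self.next_seq += seg.length
            self._drain()
            return "delivered"
        limit = self.effective_limit()
        if limit is None:
            # No buffering: forward as-is and keep going without reordering (model simplification).
            self.passed_untouched.append(seg.seq)
            self.next_seq = max(self.next_seq, seg.seq + seg.length)
            return "passed"
        if len(self.pending) >= limit:
            self.dropped.append(seg.seq)   # queue full: the packet is dropped, not buffered
            return "dropped"
        self.pending[seg.seq] = seg
        return "queued"


def run(queue_limit: int, timeout: float, inspected: bool, segments: List[Segment]) -> dict:
    """Feed a constructed arrival sequence through one buffer and summarise the outcome."""
    rb = ReorderBuffer(queue_limit=queue_limit, timeout=timeout, inspected=inspected)
    for seg in segments:
        rb.receive(seg)
    return {"delivered": rb.delivered, "still_queued": sorted(rb.pending),
            "dropped": rb.dropped, "passed": rb.passed_untouched}


# Constructed arrivals: four 100-byte segments, the one at seq 100 arrives last.
REORDERED = [Segment(0, 100, 0.0), Segment(300, 100, 0.5),
             Segment(200, 100, 1.0), Segment(100, 100, 1.5)]
# Constructed arrivals: the hole at seq 100 is filled only after a 2-second Timeout has passed.
LATE_FILL = [Segment(0, 100, 0.0), Segment(200, 100, 0.5), Segment(100, 100, 3.0)]

if __name__ == "__main__":
    print("inspected, limit 0 (system default 3):", run(0, 4, True, REORDERED))
    print("inspected, limit 1:", run(1, 4, True, REORDERED))
    print("other TCP, limit 0:", run(0, 4, False, REORDERED))
    print("limit 5, timeout 2:", run(5, 2, True, LATE_FILL))
```

Running the four scenarios shows the contrast the text describes: with the limit left at 0, inspected traffic is reordered up to 3 packets while other TCP traffic is forwarded untouched; setting the limit to 1 makes the third out-of-order packet a drop rather than a buffer entry; and a buffered packet whose gap is not filled inside the Timeout is discarded before the late packet is delivered.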
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only allows packets with the reserved bits in the TCP header.