Cisco Systems ASA Services Module Webcam User Manual


 
6-25
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 6 Configuring NAT (ASA 8.2 and Earlier)
Using Dynamic NAT
TCP initial sequence number randomization can be disabled if required. For example:
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for
both firewalls to be performing this action, even though this action does not affect the traffic.
If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5.
Randomization breaks the MD5 checksum.
You use a WAAS device that requires the ASA not to randomize the sequence numbers of
connections.
Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and
65,535. If this value is set to 0, the number of connections is unlimited.
Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0
and 65,535. If this value is set to 0, the number of connections is unlimited.
Maximum Embryonic Connections—Specifies the maximum number of embryonic connections
per host up to 65,536. An embryonic connection is a connection request that has not finished the
necessary handshake between source and destination. This limit enables the TCP Intercept feature.
The default is 0, which means the maximum embryonic connections. TCP Intercept protects inside
systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the
embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from
clients to servers on a higher security level. SYN cookies are used during the validation process and
help to minimize the amount of valid traffic being dropped. Thus, connection attempts from
unreachable hosts will never reach the server.
Step 7 Click OK.
Configuring Dynamic Policy NAT or PAT
Figure 6-20 shows typical dynamic policy NAT and PAT scenarios. Only real hosts can initiate
connections.
Figure 6-20 Dynamic Policy NAT Scenarios
To configure dynamic policy NAT or PAT, perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Advanced > Add Dynamic Policy
NAT Rule.
The Add Dynamic Policy NAT Rule dialog box appears.
10.1.1.1 209.165.201.1
Inside Outside
10.1.1.2 209.165.201.2
Security
Appliance
10.1.1.1:1025 209.165.201.1:2020
Inside Outside
10.1.1.1:1026 209.165.201.1:2021
10.1.1.2:1025 209.165.201.1:2022
Security
Appliance
Dynamic Policy NAT
Dynamic Policy PAT
191659