Filter
Top Products
21-26
Cisco ASDM User Guide
OL-16647-01
Chapter 21 Configuring NAT
Using Static NAT
Note You can also set these values using a security policy rule (see the “Configuring Connection
Settings” section on page 27-6). If you set them in both places, then the security appliance uses
the lower limit. For TCP sequence randomization, if it is disabled using either method, then the
security appliance disables TCP sequence randomization.
• Randomize sequence number—With this check box checked (the default), the security appliance
randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one
generated by the client and one generated by the server. The security appliance randomizes the ISN
of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a
new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
–
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for
both firewalls to be performing this action, even though this action does not affect the traffic.
–
If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5.
Randomization breaks the MD5 checksum.
–
You use a WAAS device that requires the security appliance not to randomize the sequence
numbers of connections.
• Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and
65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0
and 65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum Embryonic Connections—Specifies the maximum number of embryonic connections
per host up to 65,536. An embryonic connection is a connection request that has not finished the
necessary handshake between source and destination. This limit enables the TCP Intercept feature.
The default is 0, which means the maximum embryonic connections. TCP Intercept protects inside
systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the
embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from
clients to servers on a higher security level. SYN cookies are used during the validation process and
help to minimize the amount of valid traffic being dropped. Thus, connection attempts from
unreachable hosts will never reach the server.
Step 9 Click OK.
Using Static NAT
This section describes how to configure a static translation, using regular or policy static NAT, PAT, or
identity NAT.
For more information about static NAT, see the “Static NAT” section on page 21-8.