Filter
Top Products
21-29
Cisco ASDM User Guide
OL-16647-01
Chapter 21 Configuring NAT
Using Static NAT
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a
new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
–
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for
both firewalls to be performing this action, even though this action does not affect the traffic.
–
If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5.
Randomization breaks the MD5 checksum.
–
You use a WAAS device that requires the security appliance not to randomize the sequence
numbers of connections.
• Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and
65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0
and 65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum Embryonic Connections—Specifies the maximum number of embryonic connections
per host up to 65,536. An embryonic connection is a connection request that has not finished the
necessary handshake between source and destination. This limit enables the TCP Intercept feature.
The default is 0, which means the maximum embryonic connections. TCP Intercept protects inside
systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the
embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from
clients to servers on a higher security level. SYN cookies are used during the validation process and
help to minimize the amount of valid traffic being dropped. Thus, connection attempts from
unreachable hosts will never reach the server.
Step 9 Click OK.