27-7
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Connection Settings
VPN requires the ability to process the 3-way handshake packets to provide selective ACK and other
TCP options for Clientless SSL VPN connections. To disable TCP Intercept for management traffic, you
can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP
Intercept enabled.
Dead Connection Detection Overview
Dead connection detection (DCD) detects a dead connection and allows it to expire, without expiring
connections that can still handle traffic. You configure DCD when you want idle but valid connections
to persist.
When you enable DCD, idle timeout behavior changes. When the idle timeout expires, DCD probes are sent
to each of the two end-hosts to determine whether the connection is still valid. If an end-host fails to
respond after probes have been sent at the configured retry interval for the configured number of retries,
the connection is freed, and resets, if configured, are sent to each of the end-hosts. If both end-hosts
respond that the connection is valid, the activity timestamp is updated to the current time and the idle
timeout is rescheduled accordingly.
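The following simulation is an added example, not code from the Cisco guide or the security appliance; it models the decision described above on a fake clock. The policy fields, host names and addresses (RFC 5737 ranges) are constructed for the illustration, the probe spacing (the configured retry interval) is abstracted away, and a host is modelled only as "answers probes" or "never answers". It shows why DCD matters: without it, an idle but live connection is freed at the idle timeout; with it, the connection is refreshed when both hosts answer and freed (with optional resets) only when one of them stops answering.

```python
"""Idle timeout with and without Dead Connection Detection (DCD), simulated.
Added example; not the appliance's implementation."""
from dataclasses import dataclass, field
from typing import Callable, Tuple


@dataclass
class IdlePolicy:
    idle_timeout: float          # seconds of silence before the idle timer fires
    dcd: bool = False            # probe both end-hosts instead of freeing at once
    max_retries: int = 5         # probes per host before the host is declared dead
    send_reset: bool = False     # send RST to both hosts when the connection is freed


@dataclass
class Connection:
    client: str
    server: str
    last_activity: float
    state: str = "established"
    probes_sent: int = 0
    resets_sent: list = field(default_factory=list)


def _free(conn: Connection, policy: IdlePolicy) -> str:
    conn.state = "freed"
    if policy.send_reset:
        conn.resets_sent = [conn.client, conn.server]   # "reset values, if configured"
    return "freed"


def idle_timer_fired(conn: Connection, policy: IdlePolicy, now: float,
                     host_answers: Callable[[str], bool]) -> str:
    """Decide what happens when the idle timer fires at time `now`.
    host_answers(host) models whether that host replies to a DCD probe.
    Returns 'kept', 'refreshed' or 'freed'."""
    if now - conn.last_activity < policy.idle_timeout:
        return "kept"                         # traffic was seen since the timer was armed
    if not policy.dcd:
        return _free(conn, policy)            # no DCD: idle means gone
    for host in (conn.client, conn.server):   # probe each of the two end-hosts
        answered = False
        for _ in range(policy.max_retries):   # one probe per retry interval
            conn.probes_sent += 1
            if host_answers(host):
                answered = True
                break
        if not answered:
            return _free(conn, policy)        # one dead end-host is enough
    conn.last_activity = now                  # both answered: restart the idle clock
    return "refreshed"


def scenario(dcd: bool, server_alive: bool, send_reset: bool = False) -> Tuple[str, Connection]:
    """An idle-but-valid client behind a 1 h idle timeout; the server may be dead.
    Hosts and addresses are constructed for the example."""
    policy = IdlePolicy(idle_timeout=3600, dcd=dcd, send_reset=send_reset)
    conn = Connection("192.0.2.5", "203.0.113.7", last_activity=0.0)
    alive = {"192.0.2.5": True, "203.0.113.7": server_alive}
    outcome = idle_timer_fired(conn, policy, now=3600.0, host_answers=alive.__getitem__)
    return outcome, conn


if __name__ == "__main__":
    for dcd, alive in ((False, True), (True, True), (True, False)):
        outcome, conn = scenario(dcd=dcd, server_alive=alive, send_reset=True)
        print(f"dcd={dcd!s:5} server_alive={alive!s:5} -> {outcome:9} "
              f"probes={conn.probes_sent} resets={conn.resets_sent}")
```

The second loop in idle_timer_fired is where the configured max retries apply per host; a practitioner tuning DCD should note that a connection to a dead server costs max_retries probes before it is freed, so very large retry counts delay cleanup of genuinely dead flows.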
TCP Sequence Randomization Overview
Each TCP connection has two initial sequence numbers (ISNs): one generated by the client and one
generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the
inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
  firewalls to perform this action, even though doing so twice does not affect the traffic.
• If you use eBGP multi-hop through the security appliance and the eBGP peers are using MD5
  authentication. The TCP MD5 signature covers the sequence and acknowledgement numbers, so
  rewriting them invalidates the signature and the peers reject the segments.
• If you use a WAAS device that requires the security appliance not to randomize the sequence numbers
  of connections.
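The model below is an added example, not the security appliance's implementation, and illustrates both the randomization described above and the eBGP MD5 caveat. It applies a random per-direction offset to the sequence number of each SYN and subtracts that offset from the acknowledgement numbers travelling the other way, so each host sees only its own numbering; it then computes the RFC 2385 TCP MD5 signature over the segment as the sender signed it and as the peer receives it. The addresses (RFC 5737), port 40000, the shared key and all class and function names are constructed for the example; how the appliance actually derives its offsets is not documented on this page.

```python
"""ISN randomization on an in-line firewall, and why it breaks the TCP MD5
signature option (RFC 2385) used by eBGP peers. Added example."""
import hashlib
import secrets
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10
MASK = 0xFFFFFFFF
HDR_LEN = 40   # 20-byte fixed header + 20 option bytes (MD5 option 18 + 2 NOP padding)


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""


def tcp_md5_signature(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest: IPv4 pseudo-header, fixed TCP header with the checksum
    zeroed (options are excluded), payload, then the shared key. The sequence
    and acknowledgement numbers are part of the hashed header."""
    seg_len = HDR_LEN + len(seg.payload)
    pseudo = (IPv4Address(seg.src).packed + IPv4Address(seg.dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         (HDR_LEN // 4) << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


class IsnRandomizer:
    """Per-direction random offset added to SEQ, subtracted from the ACKs that
    come back. enabled=False models randomization being disabled for the flow."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.delta = {}   # (src, sport, dst, dport) -> offset for that direction

    def rewrite(self, seg: Segment) -> Segment:
        if not self.enabled:
            return seg
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & SYN and key not in self.delta:
            self.delta[key] = secrets.randbelow(MASK) + 1   # non-zero ISN offset
        fwd = self.delta.get(key, 0)
        rev = self.delta.get((seg.dst, seg.dport, seg.src, seg.sport), 0)
        new_ack = (seg.ack - rev) & MASK if seg.flags & ACK else seg.ack
        return replace(seg, seq=(seg.seq + fwd) & MASK, ack=new_ack)


def handshake_through(fw: IsnRandomizer, isn_a: int, isn_b: int):
    """SYN / SYN-ACK between BGP speakers A and B through the firewall.
    Returns (ACK number A receives, ACK number A expects for its own ISN)."""
    a, b = "192.0.2.1", "198.51.100.1"                      # constructed addresses
    syn = fw.rewrite(Segment(a, b, 40000, 179, isn_a, 0, SYN))
    # B acknowledges the (rewritten) number it actually saw on the wire
    synack = fw.rewrite(Segment(b, a, 179, 40000, isn_b, (syn.seq + 1) & MASK, SYN | ACK))
    return synack.ack, (isn_a + 1) & MASK


def md5_survives(randomize: bool, key: bytes = b"bgp-shared-secret") -> bool:
    """Does the signature B computes over the received SYN match what A signed?"""
    fw = IsnRandomizer(enabled=randomize)
    sent = Segment("192.0.2.1", "198.51.100.1", 40000, 179, 0x12345678, 0, SYN)
    signed = tcp_md5_signature(sent, key)                   # A signs its own header
    received = fw.rewrite(sent)
    return tcp_md5_signature(received, key) == signed        # B verifies what arrived


if __name__ == "__main__":
    got, want = handshake_through(IsnRandomizer(), 0x1000, 0x2000)
    print("A sees an ACK consistent with its own ISN:", got == want)
    print("MD5 signature valid with randomization on :", md5_survives(True))
    print("MD5 signature valid with randomization off:", md5_survives(False))
```

Ordinary TCP traffic is unaffected because the firewall translates both directions consistently, as handshake_through shows. The MD5 option is the exception: the signature is computed end to end over the header the far peer receives, and no middlebox holding only the rewritten sequence number can repair it without the key, which is exactly why randomization must be disabled for authenticated eBGP sessions that cross the appliance.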
TCP Normalization Overview
The TCP normalizer includes non-configurable actions and configurable actions. Typically,
non-configurable actions that drop or clear connections apply to packets that are always bad.
Configurable actions (as detailed in “Enabling Connection Limits and TCP Normalization” section on
page 27-7) might need to be customized depending on your network needs.
See the following guidelines for TCP normalization:
• The normalizer does not protect from SYN floods. The security appliance includes SYN flood
  protection in other ways.
• The normalizer always sees the SYN packet as the first packet in a flow unless the security appliance
  is in loose mode due to failover.
Enabling Connection Limits and TCP Normalization
To configure connection limits and TCP normalization, perform the following steps: