Configuring Connection Limits And Timeouts; Connection Limit Overview; Tcp Intercept Overview; Disabling Tcp Intercept For Management Packets For Webvpn Compatibility - Cisco PIX 500 Series Configuration Manual

Configuring Connection Limits and Timeouts

This section describes how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, dead connection detection, and how to disable TCP sequence randomization. You can set limits for connections that go through the security appliance, or for management connections to the security appliance. This section contains the following topics:

Connection Limit Overview, page 23-14
Enabling Connection Limits, page 23-15

Note: You can also configure maximum connections, maximum embryonic connections, and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

Connection Limit Overview

This section describes why you might want to limit connections, and includes the following topics:

TCP Intercept Overview, page 23-14
Disabling TCP Intercept for Management Packets for WebVPN Compatibility, page 23-14
Dead Connection Detection Overview, page 23-15
TCP Sequence Randomization Overview, page 23-15

TCP Intercept Overview

Limiting the number of embryonic connections protects you from a DoS attack. The security appliance
uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects
inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An
embryonic connection is a connection request that has not finished the necessary handshake between
source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding
attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP
addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from
servicing connection requests. When the embryonic connection threshold of a connection is crossed, the
security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN
request. When the security appliance receives an ACK back from the client, it can then authenticate the
client and allow the connection to the server.
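To make the mechanism concrete, here is a small Python model of the behaviour described above (an added, constructed example, not the security appliance's code): below the embryonic limit the proxy keeps half-open state per connection; once the limit is crossed it answers SYNs with an HMAC-based SYN cookie as the server ISN and keeps no state, so spoofed SYNs cost nothing, and only a client whose ACK carries cookie + 1 is allowed through. The HMAC key, the 60-second cookie time slot, and the fields folded into the cookie are assumptions of the model.

```python
import hashlib
import hmac
import secrets


class TcpInterceptModel:
    """Toy model of TCP Intercept with SYN cookies (constructed example).

    Below the embryonic limit each half-open connection costs state. Once
    the limit is crossed, SYNs are answered with a SYN cookie as the server
    ISN and no state is kept; a client that returns ACK = cookie + 1 proves
    it received the SYN-ACK at its claimed address and is then allowed on.
    """

    def __init__(self, embryonic_limit, secret, window=60):
        self.embryonic_limit = embryonic_limit
        self.secret = secret          # HMAC key for cookies (assumed)
        self.window = window          # seconds per cookie time slot
        self.embryonic = {}           # (src, sport) -> server ISN
        self.established = set()

    def _cookie(self, src, sport, client_isn, slot):
        msg = f"{src}:{sport}:{client_isn}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC plus an 8-bit time slot, as in classic SYN cookies
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)

    def on_syn(self, src, sport, client_isn, now):
        """Return the server ISN carried in the SYN-ACK sent to the client."""
        if len(self.embryonic) < self.embryonic_limit:
            isn = secrets.randbits(32)
            self.embryonic[(src, sport)] = isn     # stateful half-open entry
            return isn
        return self._cookie(src, sport, client_isn, now // self.window)

    def on_ack(self, src, sport, client_isn, ack, now):
        """Validate the handshake's final ACK; True means the connection may pass."""
        key = (src, sport)
        if key in self.embryonic:
            ok = ((self.embryonic[key] + 1) & 0xFFFFFFFF) == ack
            if ok:
                del self.embryonic[key]
        else:
            slot = now // self.window
            ok = any(((self._cookie(src, sport, client_isn, s) + 1) & 0xFFFFFFFF) == ack
                     for s in (slot, slot - 1))   # accept current or previous slot
        if ok:
            self.established.add(key)
        return ok
```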

Disabling TCP Intercept for Management Packets for WebVPN Compatibility

By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus deprives the security appliance of the ability to process those packets for WebVPN. WebVPN requires the ability to process the 3-way handshake packets to provide selective ACK and other TCP options for WebVPN connections. To disable TCP Intercept for management traffic, set the embryonic connection limit; TCP Intercept is then enabled only after the embryonic connection limit is reached.
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Chapter 23 Preventing Network Attacks, page 23-14