Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer) - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 16
Connection Settings

Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer)

The TCP Normalizer identifies abnormal packets that the ASA can act on when they are detected; for
example, the ASA can allow, drop, or clear the packets. TCP normalization helps protect the ASA from
attacks. TCP normalization is always enabled, but you can customize how some features behave.
The default configuration includes the following settings:
no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection
To customize the TCP normalizer, first define the settings using a TCP map. Then, you can apply the
map to selected traffic classes using service policies.
Procedure
Step 1
Create a TCP map to specify the TCP normalization criteria that you want to look for.
hostname(config)# tcp-map tcp-map-name
Step 2
Configure the TCP map criteria by entering one or more of the following commands. The defaults are
used for any commands you do not enter. Use the no form of a command to disable the setting.
check-retransmission—Prevent inconsistent TCP retransmissions. This command is disabled by
default.
checksum-verification—Verify the TCP checksum, dropping packets that fail verification. This
command is disabled by default.
exceed-mss {allow | drop}—Allow or drop packets whose data length exceeds the TCP maximum
segment size. The default is to allow the packets.
invalid-ack {allow | drop}—Allow or drop packets with an invalid ACK. The default is to drop the
packet, except on WAAS connections, where invalid ACKs are allowed. You might see invalid
ACKs in the following instances:
  - While the TCP connection is in the SYN-ACK-received state, a received packet whose ACK
    number is not exactly the sequence number of the next packet to be sent carries an
    invalid ACK.
  - In any state, a received packet whose ACK number is greater than the sequence number
    of the next packet to be sent carries an invalid ACK.
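The following listing is an added example, not configuration from this guide: it carries the two-step procedure above through to a working policy by defining a TCP map that enables the three checks that are off or permissive by default (check-retransmission, checksum-verification, exceed-mss drop) and applying it to one traffic class with a service policy. The map, ACL, class-map and policy-map names, the interface name "outside", and the server address 192.0.2.10 are assumed; the class-map, policy-map, set connection advanced-options and service-policy commands are standard ASA CLI that this page only refers to as "service policies".

```cisco
! Added example (not from the guide). Names and addresses are assumed.
! 1. Define the normalizer settings. Every setting not listed here keeps its default.
tcp-map dmz-web-tcp-map
 check-retransmission
 checksum-verification
 exceed-mss drop
!
! 2. Select the traffic the map should govern: HTTPS to one DMZ server.
access-list DMZ_WEB_TRAFFIC extended permit tcp any host 192.0.2.10 eq 443
!
class-map dmz-web-class
 match access-list DMZ_WEB_TRAFFIC
!
! 3. Attach the map to that class and activate the policy on an interface.
policy-map outside-policy
 class dmz-web-class
  set connection advanced-options dmz-web-tcp-map
!
service-policy outside-policy interface outside
!
! 4. Confirm the policy is attached and watch the per-class counters for drops.
show service-policy
```

Scope the class narrowly at first: checksum-verification and check-retransmission drop packets that the default configuration would pass, so a sudden rise in drops on the class counters after applying the map points at the normalizer before it points at the peers.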
Configure Connection Settings
Cisco ASA Series Firewall CLI Configuration Guide
16-7
