Configuring Global NAT Hairpinning - Nortel Secure 4134 Configuration

Security — configuration and management

Variable: tcp-seq-number-predict
Value: Enables/disables the TCP sequence number check. Prevents attempts to predict IP sequence numbers. If an attacker can predict the initial sequence number in the TCP (Transmission Control Protocol) handshake, the attacker may be able to hijack the TCP session. This option randomizes the TCP ISNs (Initial Sequence Numbers) going through the firewall. By default, this option is disabled.

Variable: tcp-seq-number-range <20000-2147483647>
Value: Enables/disables the TCP sequence number range check. An attacker can attempt to replay a captured packet through the firewall by brute force and thus consume the bandwidth as well as the resources of the target CPU. With this check turned on, the firewall allows only those packets that have sequence numbers in a configured range from the last acknowledgement seen on the connection. The range can be configured with a value between 20000 and 2147483647. By default, this option is disabled.

Variable: win-nuke
Value: Enables/disables the Win-nuke check. The Win-nuke attack sends out-of-band data to an IP address of a Windows machine connected to a network and/or the Internet. By default, this option is disabled.

Configuring global NAT hairpinning
If you enable hairpinning, you disable self-IP connections. If you disable hairpinning, self-IP connections are allowed.

Procedure steps

Step 1
Action: To enter configuration mode, enter:
configure terminal

Step 2
Action: To specify global firewall configuration, enter:
firewall global

Step 3
Action: To enable or disable hairpinning, enter:
[no] hairpinning-SelfIp

—End—

Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007
Copyright © 2007, Nortel Networks
Configuring global properties 83
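
The tcp-seq-number-range check described in the variable table above, as an added C sketch that is not Nortel's firewall code: it shows how a sequence number is compared with the last acknowledgement when the 32-bit counter wraps. The struct and function names are hypothetical, and it assumes the range is measured in either direction from the last acknowledgement, which the page does not specify.

```c
#include <stdint.h>
#include <stdlib.h>

/* Limits the page gives for tcp-seq-number-range. */
#define SEQ_RANGE_MIN 20000u
#define SEQ_RANGE_MAX 2147483647u

/* Hypothetical per-connection state; the names are assumptions. */
struct conn_state {
    uint32_t last_ack;  /* last acknowledgement seen on the connection */
    uint32_t range;     /* configured range; 0 = check disabled (default) */
};

/* Accept only values inside the documented limits; -1 on rejection. */
int conn_set_range(struct conn_state *c, uint32_t range)
{
    if (range < SEQ_RANGE_MIN || range > SEQ_RANGE_MAX)
        return -1;
    c->range = range;
    return 0;
}

/* Signed distance from last_ack to seq in 32-bit sequence space.
 * Unsigned subtraction wraps modulo 2^32, so the result stays correct
 * when the counter rolls over from 0xFFFFFFFF to 0. */
static int64_t seq_distance(uint32_t last_ack, uint32_t seq)
{
    uint32_t fwd = (uint32_t)(seq - last_ack);
    return fwd <= 0x7FFFFFFFu ? (int64_t)fwd : -(int64_t)(uint32_t)(0u - fwd);
}

/* 1 = forward the packet, 0 = drop it.
 * Assumption: distance counts in either direction from last_ack. */
int seq_in_range(const struct conn_state *c, uint32_t seq)
{
    if (c->range == 0)
        return 1;
    return llabs(seq_distance(c->last_ack, seq)) <= (int64_t)c->range;
}

/* Move the reference point forward only; a stale or duplicate
 * acknowledgement must not drag the accepted window backwards. */
void conn_note_ack(struct conn_state *c, uint32_t ack)
{
    if (seq_distance(c->last_ack, ack) > 0)
        c->last_ack = ack;
}
```

Under this reading, the maximum value 2147483647 rejects only the single sequence number exactly 2^31 away from the last acknowledgement, so smaller ranges give a much tighter filter.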
