Cisco ASA 5505 Configuration Manual page 1052

Chapter 48 Configuring Connection Settings

Task Flow For Configuring Connection Settings (Except Global Timeouts)

Step 1 For TCP normalization customization, create a TCP map according to the "Customizing the TCP Normalizer with a TCP Map" section on page 48-6.

Step 2 For all connection settings except for global timeouts, configure a service policy according to Chapter 29, "Configuring a Service Policy."

Step 3 Configure connection settings according to the "Configuring Connection Settings" section on page 48-8.

Global timeouts are not part of this task flow; see Configuring Global Timeouts, page 48-9.

Customizing the TCP Normalizer with a TCP Map

To customize the TCP normalizer, first define the settings using a TCP map.

Detailed Steps

Step 1 Choose the Configuration > Firewall > Objects > TCP Maps pane, and click Add.
The Add TCP Map dialog box appears.

Step 2 In the TCP Map Name field, enter a name.

Step 3 In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:
• Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the adaptive security appliance receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
• For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.

Step 4 In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds.
If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to 1 or above for the Timeout to take effect.

Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
• Clear and allow clears the reserved bits in the TCP header and allows the packet.
• Allow only allows packets with the reserved bits in the TCP header.
• Drop drops the packet with the reserved bits in the TCP header.

Step 6 Check any of the following options:

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 48-6
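The TCP map from Steps 2 to 5 and the service policy from the task flow, expressed in the ASA CLI as an added example (not from the manual); the names OOO-MAP and TCP-NORM-CLASS, the sample values 10 packets and 5 seconds, and the use of the default global_policy policy map are assumptions:

```cisco
! Task flow Step 1: define the TCP map
! (ASDM: Configuration > Firewall > Objects > TCP Maps > Add)
tcp-map OOO-MAP
  ! Queue Limit 10 (range 0-250), Timeout 5 seconds (range 1-20).
  ! The timeout only takes effect because queue-limit is 1 or above;
  ! with queue-limit 0 the per-traffic-type system default applies.
  queue-limit 10 timeout 5
  ! Reserved Bits = "Clear and allow": zero the reserved bits, forward the packet
  ! (alternatives: "reserved-bits allow" = Allow only, "reserved-bits drop" = Drop)
  reserved-bits clear
!
! Task flow Steps 2 and 3: attach the map to traffic through a service policy
class-map TCP-NORM-CLASS
  ! "match any" is for illustration only; narrow this to the flows that need
  ! reordering, since every matched TCP connection now buffers out-of-order packets
  match any
!
policy-map global_policy
  class TCP-NORM-CLASS
    set connection advanced-options OOO-MAP
!
! global_policy is already applied globally on a default ASA configuration;
! the line is repeated here so the example is complete on its own
service-policy global_policy global
!
! Verify what was configured
show running-config tcp-map
show service-policy
```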
