Cisco ASA 5505 Configuration Manual page 1053

Chapter 48
Configuring Connection Settings
Clear urgent flag—Clears the URG flag through the adaptive security appliance. The URG flag is used
to indicate that the packet contains information that is of higher priority than other data within the
stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore end systems
handle urgent offsets in different ways, which may make the end system vulnerable to attacks.
Drop connection on window variation—Drops a connection that has changed its window size
unexpectedly. The window size mechanism allows TCP to advertise a large window and to
subsequently advertise a much smaller window without having accepted too much data. From the
TCP specification, "shrinking the window" is strongly discouraged. When this condition is detected,
the connection can be dropped.
Drop packets that exceed maximum segment size—Drops packets that exceed MSS set by peer.
Check if transmitted data is the same as original—Enables the retransmit data checks.
Drop packets which have past-window sequence—Drops packets that have past-window sequence
numbers, namely the sequence number of a received TCP packet is greater than the right edge of the
TCP receiving window. If you do not check this option, then the Queue Limit must be set to 0
(disabled).
Drop SYN Packets with data—Drops SYN packets with data.
Enable TTL Evasion Protection—Enables the TTL evasion protection offered by the adaptive
security appliance. Do not disable this option if you want to prevent attacks that attempt to evade
security policy.
For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL
goes to zero, a router between the adaptive security appliance and the endpoint drops the packet. At
that point the attacker can send a malicious packet with a long TTL that appears to the adaptive
security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first
packet that has been received from the attacker. In this case, the attacker succeeds without the
security policy preventing the attack.
Verify TCP Checksum—Enables checksum verification.
Drop SYNACK Packets with data—Drops TCP SYNACK packets that contain data.
Drop packets with invalid ACK—Drops packets with an invalid ACK. You might see invalid ACKs
in the following instances:
In the TCP connection SYN-ACK-received state, if the ACK number of a received TCP packet
is not exactly the same as the sequence number of the next TCP packet to be sent, it is an invalid
ACK.
Whenever the ACK number of a received TCP packet is greater than the sequence number of
the next TCP packet to be sent, it is an invalid ACK.
Note: TCP packets with an invalid ACK are automatically allowed for WAAS connections.
Step 7 To set TCP options, check any of the following options:
Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared.
Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.
Clear Window Scale—Sets whether the window scale option is allowed or cleared.
Range—Sets the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound
must be less than or equal to the upper bound. Choose Allow or Drop for each range.
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
48-7
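The same TCP normalization (Step 6) and TCP options (Step 7) settings described on this page, entered from the ASA CLI instead of ASDM. This is an added example, not configuration from the guide; the tcp-map name TCP-NORM, the class-map name TCP-NORM-CLASS and the decision to apply the map to all traffic in the global policy are assumptions made for illustration. Each tcp-map subcommand is the CLI equivalent of the checkbox named in the comment above it.

```cisco
! Added example (not from the guide). Names TCP-NORM and TCP-NORM-CLASS and the
! global scope are assumptions for illustration.
tcp-map TCP-NORM
 ! --- Step 6: TCP normalization checkboxes ---
 ! Clear urgent flag
 urgent-flag clear
 ! Drop connection on window variation
 window-variation drop-connection
 ! Drop packets that exceed maximum segment size
 exceed-mss drop
 ! Check if transmitted data is the same as original
 check-retransmission
 ! Drop packets which have past-window sequence
 ! (if you change this to "allow", queue-limit must stay 0, the default)
 seq-past-window drop
 ! Drop SYN packets with data
 syn-data drop
 ! Enable TTL Evasion Protection ("no ttl-evasion-protection" would disable it)
 ttl-evasion-protection
 ! Verify TCP checksum
 checksum-verification
 ! Drop SYNACK packets with data
 synack-data drop
 ! Drop packets with invalid ACK
 invalid-ack drop
 ! --- Step 7: TCP options checkboxes ---
 ! Clear Selective Ack
 tcp-options selective-ack clear
 ! Clear TCP Timestamp
 tcp-options timestamp clear
 ! Clear Window Scale
 tcp-options window-scale clear
 ! Range 6-7: Drop, Range 9-255: Drop
 tcp-options range 6 7 drop
 tcp-options range 9 255 drop
!
! Attach the map through the Modular Policy Framework. Matching all traffic is
! an assumption that keeps the example short; scope it to a class that matches
! only the flows you want normalized if the strict settings break applications.
class-map TCP-NORM-CLASS
 match any
policy-map global_policy
 class TCP-NORM-CLASS
  set connection advanced-options TCP-NORM
service-policy global_policy global
```

Verify the result with `show running-config tcp-map` and `show service-policy`, which lists the class with its `set connection advanced-options` line. Two caveats a practitioner should weigh before copying this map as-is: clearing the window scale and timestamp options disables large windows and PAWS for every connection the class matches, which can cut throughput on high-bandwidth paths, and `syn-data drop` or `invalid-ack drop` can terminate legitimate but unusual stacks; the page's note that invalid ACKs are always allowed for WAAS connections is one such case the appliance handles for you.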
