Configure Connection Settings - Cisco ASA Series Firewall CLI Configuration Guide (covers the ASA, the ASA Services Module, and the Adaptive Security Virtual Appliance)
Configure Connection Settings
Connection limits, timeouts, TCP Normalization, TCP sequence randomization, and decrementing
time-to-live (TTL) have default values that are appropriate for most networks. You need to configure
these connection settings only if you have unusual requirements, your network has a specific type of
configuration (for example, asymmetric routing), or you are experiencing unusual connection loss due
to premature idle timeouts.
TCP Intercept, TCP State Bypass, and Dead Connection Detection (DCD) are not enabled by default.
Configure these services for specific traffic classes only, not as a general service.
The following general procedure covers the gamut of possible connection setting configurations. Pick
and choose which to implement based on your needs.
Procedure
Step 1
Configure Global Timeouts, page 16-3. These settings change the default idle timeouts for various
protocols for all traffic that passes through the device. If you are having problems with connections being
reset due to premature timeouts, first try changing the global timeouts.
Step 2
Protect Servers from a SYN Flood DoS Attack (TCP Intercept), page 16-4. Use this procedure to
configure TCP Intercept.
Step 3
Customize Abnormal TCP Packet Handling (TCP Maps, TCP Normalizer), page 16-7, if you want to
alter the default TCP Normalization behavior for specific traffic classes.
Step 4
Bypass TCP State Checks for Asynchronous Routing (TCP State Bypass), page 16-10, if you have this
type of routing environment.
Step 5
Disable TCP Sequence Randomization, page 16-13, if the default randomization is scrambling data for
certain connections.
Step 6
Configure Connection Settings for Specific Traffic Classes (All Services), page 16-14. This is a catch-all
procedure for connection settings. These settings can override the global defaults for specific traffic
classes using service policy rules. You also use these rules to customize the TCP Normalizer, change TCP
sequence randomization, decrement time-to-live on packets, and implement TCP Intercept, Dead
Connection Detection, or TCP State Bypass.
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 16, Connection Settings, page 16-2

• TCP sequence randomization—Each TCP connection has two ISNs: one generated by the client
and one generated by the server. By default, the ASA randomizes the ISN of the TCP SYN passing
in both the inbound and outbound directions. Randomization prevents an attacker from predicting
the next ISN for a new connection and potentially hijacking the new session. You can disable
randomization per traffic class if desired.
• TCP Normalization—The TCP Normalizer protects against abnormal packets. You can configure
how some types of packet abnormalities are handled by traffic class.
• TCP State Bypass—You can bypass TCP state checking if you use asymmetric routing in your
network.
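The following ASA CLI configuration is an added worked example, not text from the Cisco guide. It walks the six-step procedure above on one device: global idle timeouts first, then a service policy on the outside interface that applies TCP Intercept, a tcp-map for the TCP Normalizer, Dead Connection Detection, a TTL decrement, a per-class exception to sequence randomization, and TCP State Bypass, each to its own traffic class. The interface name "outside", the addresses and ports, the class/map/policy names, and every numeric limit and timeout are assumptions chosen for illustration; lines beginning with "!" are annotations.

```cisco
! Step 1: global idle timeouts, applied to all traffic through the device.
! Values (hh:mm:ss) are assumptions; raise them only if connections are
! being reset by premature idle timeouts.
timeout conn 2:00:00
timeout half-closed 0:10:00
timeout udp 0:02:00

! Traffic classes. Addresses, ports, and names are assumptions.
access-list WEB-SERVERS extended permit tcp any host 10.1.1.10 eq 80
access-list WEB-SERVERS extended permit tcp any host 10.1.1.10 eq 443
access-list LEGACY-APP extended permit tcp any host 10.1.1.20 eq 5000
access-list ASYM-ROUTED extended permit tcp 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0

class-map WEB-CLASS
 match access-list WEB-SERVERS
class-map LEGACY-CLASS
 match access-list LEGACY-APP
class-map ASYM-CLASS
 match access-list ASYM-ROUTED

! Step 3: tcp-map that tightens the TCP Normalizer only for the class that
! references it; all other traffic keeps the default normalization behavior.
tcp-map WEB-NORMALIZER
 tcp-options range 6 7 clear
 urgent-flag clear
 reserved-bits clear
 syn-data drop
 exceed-mss drop
 invalid-ack drop
 seq-past-window drop
 check-retransmission
 checksum-verification
 ttl-evasion-protection

policy-map OUTSIDE-POLICY
 ! Step 2: TCP Intercept. Once the embryonic (half-open) limits are reached,
 ! the ASA completes the three-way handshake on the server's behalf and only
 ! forwards connections that finish it. Limits are assumptions; size them
 ! to what the protected servers can actually hold.
 class WEB-CLASS
  set connection conn-max 20000 embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Step 6 items for the same class: the tcp-map above, a per-class idle
  ! timeout that resets both ends on expiry, DCD probes every 15 seconds
  ! with 5 retries before the connection is torn down, and a TTL decrement
  ! so the ASA appears as a hop in traceroute.
  set connection advanced-options WEB-NORMALIZER
  set connection timeout idle 1:00:00 reset
  set connection timeout dcd 0:00:15 5
  set connection decrement-ttl
 ! Step 5: disable ISN randomization only for the one application (assumed
 ! here) whose payload carries the TCP sequence number and breaks otherwise.
 class LEGACY-CLASS
  set connection random-sequence-number disable
 ! Step 4: TCP State Bypass for the asymmetrically routed subnet pair.
 ! Bypass also switches off TCP Intercept, the TCP Normalizer, and sequence
 ! randomization for matching traffic, so keep this class as narrow as possible
 ! and never combine it with the embryonic limits used above.
 class ASYM-CLASS
  set connection advanced-options tcp-state-bypass

! Attach the policy to the interface facing the clients.
service-policy OUTSIDE-POLICY interface outside

! Checks: confirm the policy is applied and read per-class counters, then
! inspect individual connections. The threat-detection line lets you see
! which servers are currently being SYN-flooded and intercepted.
threat-detection statistics tcp-intercept
show service-policy interface outside
show conn detail
show threat-detection statistics top tcp-intercept
```

Order matters for troubleshooting: change the global timeouts in Step 1 before adding per-class overrides, so that a connection-loss problem is not masked by a class-specific timeout. Keep each special-case class (bypass, randomization disabled) bound to the smallest access list that reproduces the problem, because every packet that matches it loses the protections the other classes still get.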