Cisco ASA Series Configuration Manual, page 388
Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure Connection Settings
queue-limit pkt_num [timeout seconds]—Set the maximum number of out-of-order packets that
can be buffered and put in order for a TCP connection, between 1 and 250 packets. The default is 0,
which means this setting is disabled and the default system queue limit is used, depending on the
type of traffic:

Note: Connections for application inspection (the inspect command), IPS (the ips command), and
TCP check-retransmission (the TCP map check-retransmission command) have a queue limit
of 3 packets. If the ASA receives a TCP packet with a different window size, then the queue
limit is dynamically changed to match the advertised setting. For other TCP connections,
out-of-order packets are passed through untouched.

If you set the queue-limit command to 1 or above, then the number of out-of-order packets
allowed for all TCP traffic matches this setting. For application inspection, IPS, and
TCP check-retransmission traffic, any advertised settings from TCP packets are ignored in favor of
the queue-limit setting. For other TCP traffic, out-of-order packets are now buffered and put in
order instead of being passed through untouched.
The timeout seconds argument sets the maximum amount of time that out-of-order packets can
remain in the buffer, between 1 and 20 seconds; if they are not put in order and passed on within the
timeout period, they are dropped. The default is 4 seconds. You cannot change the timeout for
any traffic if the pkt_num argument is set to 0; you need to set the limit to 1 or above for the
timeout keyword to take effect.
reserved-bits {allow | clear | drop}—Set the action for reserved bits in the TCP header. You can
allow the packet (without changing the bits), clear the bits and allow the packet, or drop the packet.
seq-past-window {allow | drop}—Set the action for packets with past-window sequence
numbers, that is, packets whose sequence number is greater than the right edge of the
TCP receive window. You can allow such packets only if the queue-limit command is set to 0
(disabled); with a queue limit of 1 or above, drop is the only available action. The default is to
drop the packets.
synack-data {allow | drop}—Allow or drop TCP SYN-ACK packets that contain data. The default
is to drop the packet.
syn-data {allow | drop}—Allow or drop SYN packets with data. The default is to allow the packet.
tcp-options {selective-ack | timestamp | window-scale | range lower upper} {allow | clear}—Set
the action for packets with TCP options. Three options are named: selective-ack (selective
acknowledgment mechanism), timestamp, and window-scale (window scale mechanism). For other
options, you specify them by option kind number with the range keyword, where the range limits are
6-7 and 9-255 (kinds 0-5 and 8 are the end-of-list, no-op, MSS, window-scale, SACK, and
timestamp options, which are covered by the named keywords or always needed). You can enter the
command multiple times in a map to define your complete policy.
You can allow the packet (without changing the options), clear the options and allow the packet, or
drop the packet. The default for the three named options is to allow them; the default for all other
options is to clear them. Note that clearing the timestamp option disables PAWS (protection
against wrapped sequence numbers) and RTT measurement for the connection.
ttl-evasion-protection—Protect against TTL evasion attacks. TTL evasion protection is enabled by
default, so you would only need to enter the no form of this command.
For example, an attacker sends a packet that passes policy but has a very short TTL. When the TTL
reaches zero, a router between the ASA and the endpoint drops the packet. The attacker then sends
a malicious packet with the same sequence numbers and a long TTL; to the ASA it appears to be a
retransmission of a segment it has already inspected, so it is passed. To the endpoint host, however,
it is the first packet it has received from the attacker. The attacker thus delivers a payload the
ASA never inspected, and no security measure prevents the attack.
urgent-flag {allow | clear}—Set the action for packets with the URG flag. You can allow the
packet, or clear the flag and allow the packet. The default is to clear the flag.
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 16, Connection Settings, page 16-8
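The following is an added configuration example, not taken from the guide, that puts the TCP normalizer options described above into one TCP map and attaches it through the Modular Policy Framework. The map name TCP-NORMALIZE, the access list NORMALIZE-ACL, and the class map INSPECTED-TCP are assumed names chosen for illustration; every keyword inside the tcp-map is one documented above, and set connection advanced-options is the policy-map class command that binds a TCP map to matching connections.

```cisco
! Added example (not from the guide). Names TCP-NORMALIZE, NORMALIZE-ACL and
! INSPECTED-TCP are assumed for illustration.
tcp-map TCP-NORMALIZE
  ! Buffer up to 50 out-of-order segments per connection for at most 8 seconds.
  ! The timeout keyword only takes effect because pkt_num is 1 or above.
  queue-limit 50 timeout 8
  ! Zero the reserved header bits instead of passing them through or dropping.
  reserved-bits clear
  ! Forced by the queue limit: "allow" is accepted only when queue-limit is 0.
  seq-past-window drop
  ! Defaults written out explicitly: SYN may carry data, SYN-ACK may not.
  syn-data allow
  synack-data drop
  ! Keep the three named options (clearing timestamp would disable PAWS and RTT
  ! measurement) and strip every other option kind in the two permitted ranges.
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  tcp-options range 6 7 clear
  tcp-options range 9 255 clear
  ! On by default; written out so a later "no ttl-evasion-protection" is visible in a diff.
  ttl-evasion-protection
  ! Clear URG (the default) rather than pass urgent-pointer data to the host.
  urgent-flag clear

! Apply the map to TCP connections matched by NORMALIZE-ACL.
access-list NORMALIZE-ACL extended permit tcp any any
class-map INSPECTED-TCP
  match access-list NORMALIZE-ACL
policy-map global_policy
  class INSPECTED-TCP
    set connection advanced-options TCP-NORMALIZE
service-policy global_policy global
```

Confirm the result with show running-config tcp-map and show service-policy. Because seq-past-window allow is rejected whenever queue-limit is 1 or above, a map that needs to pass past-window segments must leave queue-limit at its default of 0 and accept the per-traffic-type queue behaviour described in the note above.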
