Cisco ASA 5506-X Configuration Manual page 269

Chapter 11
Connection Settings
Examples
The following is a sample configuration for TCP state bypass:
hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
Disable TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
You can disable TCP initial sequence number randomization if necessary, for example, because data is
getting scrambled. Typical reasons include the following:
- Another in-line firewall is also randomizing the initial sequence numbers. There is no need for both
  firewalls to perform this action, even though randomizing twice does not affect the traffic.
- You use eBGP multi-hop through the ASA and the eBGP peers are using MD5. Randomization breaks the MD5
  checksum: the TCP MD5 signature option (RFC 2385) is computed over the TCP header, including the
  sequence number, so a rewritten ISN no longer verifies at the peer.
- You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.
Procedure
Step 1 Create an L3/L4 class map to identify the traffic whose TCP sequence numbers should not be
randomized. The class match should be for TCP traffic; you can identify specific hosts (with an ACL),
do a TCP port match, or simply match any traffic.
class-map name
match parameter
Example:
hostname(config)# access-list preserve-sq-no extended permit tcp any host 10.2.2.2
hostname(config)# class-map no-tcp-random
hostname(config-cmap)# match access-list preserve-sq-no
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class
map. The class command references the class map name (no-tcp-random), not the ACL name.
policy-map name
class name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class no-tcp-random
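The following is an added, end-to-end example for the procedure above; it is not configuration from the Cisco guide. It carries the class map and policy map through to the action that completes the procedure, set connection random-sequence-number disable, and the service-policy attachment, for the eBGP-with-MD5 case listed above. The peer addresses (192.0.2.10 and 203.0.113.20), and the ACL, class map and description names, are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Addresses and object names are assumptions.
! Two eBGP peers, one on each side of the ASA, authenticate with TCP MD5 (RFC 2385).
! Rewriting the ISN invalidates the MD5 signature, so exempt only this peering from
! randomization and leave every other connection protected.
!
! Match BGP (TCP/179) in both directions so the first packet of a session matches
! regardless of which peer opens the connection.
access-list bgp-md5-peers extended permit tcp host 192.0.2.10 host 203.0.113.20 eq 179
access-list bgp-md5-peers extended permit tcp host 203.0.113.20 host 192.0.2.10 eq 179
!
! Step 1: class map selecting only the MD5-authenticated peering.
class-map bgp-no-random
 description "eBGP peers using TCP MD5; ISN must not be rewritten"
 match access-list bgp-md5-peers
!
! Step 2: reference the class map (not the ACL) inside the policy map.
policy-map global_policy
 class bgp-no-random
!  The action that completes the procedure: disable ISN randomization for this class only.
  set connection random-sequence-number disable
!
! global_policy is attached globally in the default ASA configuration; if it is not,
! attach it (or attach a dedicated policy map to the peering interface instead).
service-policy global_policy global
```

Keep the ACL as narrow as the two peer addresses and port 179; a class that matches any TCP traffic would remove ISN protection from every connection through the ASA, not just the peering. After applying the policy, show service-policy global lists the class and its set connection action, and show run policy-map confirms the class references bgp-no-random rather than the ACL name.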
Configure Connection Settings
Cisco ASA Series Firewall CLI Configuration Guide
11-13