
Cisco Asdm 7 User Guide


Page 531 (22-3)
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 22      Configuring Connection Settings
Information About Connection Settings
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the...

Page 532 (22-4)
Licensing Requirements for Connection Settings
fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-24 in the general operations configuration guide for more detailed information about the stateful firewall.
TCP packets that match existing connections in the fast path can pass through the ASA without...

Page 533 (22-5)
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent mode.
Failover Guidelines
Failover is supported.
TCP State Bypass Unsupported Features
The following features are not supported when you use TCP state bypass:
Application inspection—Application inspection requires...

Page 534 (22-6)
Configuring Connection Settings
This section includes the following topics:
Customizing the TCP Normalizer with a TCP Map, page 22-6
Configuring Connection Settings, page 22-8
Configuring Global Timeouts, page 22-9
Task Flow For Configuring Connection Settings
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP...

Page 535 (22-7)
Configuring Connection Settings
If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to be 1 or above for the Timeout to take effect.
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only...

Page 536 (22-8)
Configuring Connection Settings
Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared.
Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.
Clear Window Scale—Sets whether the window scale option is allowed or cleared.
Range—Sets the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound should be less...

Page 537 (22-9)
Configuring Connection Settings
Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset message to the endpoints of the connection before freeing the connection slot.
Embryonic Connection Timeout—Specifies the idle time until an embryonic (half-open) connection slot is freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
Half...

Page 538 (22-10)
Configuring Connection Settings
UDP—Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout.
ICMP—Modifies the idle time after which general ICMP states are closed.
H.323—Modifies the idle time until an H.323 media connection closes. The default is 5 minutes. Enter 0:0:0 to disable...

Page 539 (22-11)
Feature History for Connection Settings
Note: When Authentication Absolute = 0, HTTPS authentication may not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is permitted through, but subsequent connections trigger authentication. As a result, users are continuously presented with an authentication page, even after...

Page 540 (22-12)
Feature History for Connection Settings
Feature: Configurable timeout for PAT xlate
Release: 8.4(3)
Description: When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connection because the previous connection might still be open on the upstream device. The PAT xlate timeout is now configurable, to a value between 30 seconds...