Cisco ASA 5505 User Manual

Page 1137


53-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 53 Configuring Connection Settings

Configuring Connection Settings

Table 53-1 tcp-map Commands (continued)

Command: synack-data {allow | drop}
Notes: Sets the action for TCP SYNACK packets that contain data.
  The allow keyword allows TCP SYNACK packets that contain data.
  (Default) The drop keyword drops TCP SYNACK packets that contain data.

Command: syn-data {allow | drop}
Notes: Sets the action for SYN packets with data.
  (Default) The allow keyword allows SYN packets with data.
  The drop keyword drops SYN packets with data.

Command: tcp-options {selective-ack | timestamp | window-scale} {allow | clear}
  or
  tcp-options range lower upper {allow | clear | drop}
Notes: Sets the action for packets with TCP options, including the selective-ack, timestamp, or window-scale TCP options.
  (Default) The allow keyword allows packets with the specified option.
  (Default for range) The clear keyword clears the option and allows the packet.
  The drop keyword drops the packet with the specified option.
  The selective-ack keyword sets the action for the SACK option.
  The timestamp keyword sets the action for the timestamp option. Clearing the timestamp option disables PAWS and RTT.
  The window-scale keyword sets the action for the window scale mechanism option.
  The range keyword specifies a range of options. The lower argument sets the lower end of the range as 6, 7, or 9 through 255. The upper argument sets the upper end of the range as 6, 7, or 9 through 255.

Command: ttl-evasion-protection
Notes: Enables the TTL evasion protection. Do not disable this command if you want to prevent attacks that attempt to evade the security policy.
  For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the ASA and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the ASA to be a retransmission and is passed. To the endpoint host, however, it is the first packet it has received from the attacker. In this case, an attacker is able to succeed without security preventing the attack.
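As an added example that is not from the Cisco guide, the tcp-map settings described in Table 53-1 combined into one map and applied to TCP traffic through the ASA Modular Policy Framework; the class-map, policy-map and service-policy commands, and the names TCP-HARDENED and INSIDE-TCP, are assumed and do not appear on this page.

```text
! Example tcp-map (constructed for illustration; map and class names are made up)
tcp-map TCP-HARDENED
  ! keep the default: drop SYNACK segments that carry data
  synack-data drop
  ! override the default (allow): drop SYN segments that carry data
  syn-data drop
  ! keep SACK, timestamp and window-scale; clearing timestamp would disable PAWS and RTT
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  ! clear every other option kind; 6, 7 and 9-255 are the permitted range bounds
  tcp-options range 6 7 clear
  tcp-options range 9 255 clear
  ! leave TTL evasion protection enabled (the default)
  ttl-evasion-protection
!
! apply the map to all TCP traffic (Modular Policy Framework commands, assumed)
class-map INSIDE-TCP
  match port tcp range 1 65535
!
policy-map global_policy
  class INSIDE-TCP
    set connection advanced-options TCP-HARDENED
!
service-policy global_policy global
```

After applying, show running-config tcp-map and show service-policy confirm that the map is attached to the class and that connections are being matched.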
