53-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter53 Configuring Connection Settings
Information About Connection Settings
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new
connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
firewalls to be performing this action, even though this action does not affect the traffic.
If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization
breaks the MD5 checksum.
You use a WAAS device that requires the ASA not to randomize the sequence numbers of
connections.
TCP Normalization
The TCP normalization feature identifies abnormal packets that the ASA can act on when they are
detected; for example, the ASA can allow, drop, or clear the packets. TCP normalization helps protect
the ASA from attacks. TCP normalization is always enabled, but you can customize how some features
behave.
The TCP normalizer includes non-configurable actions and configurable actions. Typically,
non-configurable actions that drop or clear connections apply to packets that are always bad.
Configurable actions (as detailed in “Customizing the TCP Normalizer with a TCP Map” section on
page 53-6) might need to be customized depending on your network needs.
See the following guidelines for TCP normalization:
The normalizer does not protect from SYN floods. The ASA includes SYN flood protection in other
ways.
The normalizer always sees the SYN packet as the first packet in a flow unless the ASA is in loose
mode due to failover.
TCP State Bypass
By default, all traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and
is either allowed through or dropped based on the security policy. The ASA maximizes the firewall
performance by checking the state of each packet (is this a new connection or an established