53-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter53 Configuring Connection Settings
Configuring Connection Settings
synack-data {allow | drop} Sets the action for TCP SYNACK packets that contain data.
The allow keyword allows TCP SYNACK packets that contain
data.
(Default) The drop keyword drops TCP SYNACK packets that
contain data.
syn-data {allow | drop} Sets the action for SYN packets with data.
(Default) The allow keyword allows SYN packets with data.
The drop keyword drops SYN packets with data.
tcp-options {selective-ack |
timestamp | window-scale}
{allow | clear}
Or
tcp-options range lower upper
{allow | clear | drop}
Sets the action for packets with TCP options, including the
selective-ack, timestamp, or window-scale TCP options.
(Default) The allow keyword allows packets with the specified
option.
(Default for range) The clear keyword clears the option and
allows the packet.
The drop keyword drops the packet with the specified option.
The selective-ack keyword sets the action for the SACK option.
The timestamp keyword sets the action for the timestamp option.
Clearing the timestamp option disables PAWS and RTT.
The widow-scale keyword sets the action for the window scale
mechanism option.
The range keyword specifies a range of options. The lower
argument sets the lower end of the range as 6, 7, or 9 through 255.
The upper argument sets the upper end of the range as 6, 7, or 9
through 255.
ttl-evasion-protection Enables the TTL evasion protection. Do not disable this command
it you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with
a very short TTL. When the TTL goes to zero, a router between the
ASA and the endpoint drops the packet. It is at this point that the
attacker can send a malicious packet with a long TTL that appears
to the ASA to be a retransmission and is passed. To the endpoint
host, however, it is the first packet that has been received by the
attacker. In this case, an attacker is able to succeed without
security preventing the attack.
Table53-1 tcp-map Commands (continued)
Command Notes