Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 57 Configuring Connection Settings
Configuring Connection Settings
Customizing the TCP Normalizer with a TCP Map, page 57-6
Configuring Connection Settings, page 57-8
Configuring Global Timeouts, page 57-9
Task Flow For Configuring Connection Settings (Except Global Timeouts)
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP Normalizer with a TCP Map” section on page 57-6.
Step 2 For all connection settings except for global timeouts, configure a service policy according to Chapter 36, “Configuring a Service Policy.”
Step 3 Configure connection settings according to the “Configuring Connection Settings” section on page 57-8.
Customizing the TCP Normalizer with a TCP Map
To customize the TCP normalizer, first define the settings using a TCP map.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Objects > TCP Maps pane, and click Add.
The Add TCP Map dialog box appears.
Step 2 In the TCP Map Name field, enter a name.
Step 3 In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order
for a TCP connection. The default is 0, which means this setting is disabled and the default system queue
limit is used depending on the type of traffic:
• Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the ASA receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
• For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to be 1 or above, then the number of out-of-order packets allowed for all TCP
traffic matches this setting. For example, for application inspection, IPS, and TCP check-retransmission
traffic, any advertised settings from TCP packets are ignored in favor of the Queue Limit setting. For
other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through
untouched.
Step 4 In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds.
If they are not put in order and passed on within the timeout period, then they are dropped. The default
is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set
the limit to be 1 or above for the Timeout to take effect.
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only allows packets with the reserved bits in the TCP header.
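The CLI that ASDM generates for Steps 1 through 5 above, together with the service policy from the task flow that attaches the TCP map to a traffic class, as an added example (not text from this guide). The map, class, policy and interface names are assumed; the values are the explicit Queue Limit and Timeout settings the steps describe, with Drop chosen for the reserved bits.

```cisco
! Added example: CLI equivalent of the ASDM TCP Map dialog (names are assumed).
! Step 3/4: an explicit queue limit of 10 out-of-order packets applies to ALL TCP
! traffic matched by this map, overriding the per-traffic defaults (3 for inspected,
! IPS and check-retransmission traffic; pass-through for everything else), and the
! 8-second buffer timeout only takes effect because the queue limit is 1 or above.
tcp-map TCPMAP-INSIDE-WEB
 queue-limit 10 timeout 8
 ! Step 5: drop segments that set the reserved bits in the TCP header.
 reserved-bits drop
!
! Task flow Step 2: the service policy that selects the traffic the map applies to.
class-map CM-INSIDE-WEB
 match port tcp eq www
!
policy-map PM-INSIDE
 class CM-INSIDE-WEB
  ! Task flow Step 3: connection settings reference the TCP map by name.
  set connection advanced-options TCPMAP-INSIDE-WEB
!
service-policy PM-INSIDE interface inside
```

Leaving queue-limit at 0 in the map would keep the per-traffic defaults and make the timeout value inert, which is the case Step 4 calls out.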