57-7
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 57 Configuring Connection Settings
Configuring Connection Settings
Clear and allow clears the reserved bits in the TCP header and allows the packet.
Drop drops the packet with the reserved bits in the TCP header.
Step 6 Check any of the following options:
Clear urgent flag—Clears the URG flag through the ASA. The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks.
Drop connection on window variation—Drops a connection that has changed its window size unexpectedly. The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, “shrinking the window” is strongly discouraged. When this condition is detected, the connection can be dropped.
Drop packets that exceed maximum segment size—Drops packets that exceed the MSS set by the peer.
Check if transmitted data is the same as original—Enables the retransmit data checks.
Drop packets which have past-window sequence—Drops packets that have past-window sequence numbers, namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window. If you do not check this option, then the Queue Limit must be set to 0 (disabled).
Drop SYN Packets with data—Drops SYN packets with data.
Enable TTL Evasion Protection—Enables the TTL evasion protection offered by the ASA. Do not enable this option if you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the ASA and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the ASA to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received from the attacker. In this case, an attacker is able to succeed without security preventing the attack.
Verify TCP Checksum—Enables checksum verification.
Drop SYNACK Packets with data—Drops TCP SYNACK packets that contain data.
Drop packets with invalid ACK—Drops packets with an invalid ACK. You might see invalid ACKs in the following instances:
In the TCP connection SYN-ACK-received status, if the ACK number of a received TCP packet is not exactly the same as the sequence number of the next TCP packet sending out, it is an invalid ACK.
Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet sending out, it is an invalid ACK.
Note: TCP packets with an invalid ACK are automatically allowed for WAAS connections.
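The following is an added illustration, not Cisco code and not part of this guide: a toy model of the Step 6 checks (SYN/SYNACK with data, past-window sequence, invalid ACK, window variation, URG clearing) applied to constructed packets for one direction of a connection. The packet and state fields, the `Policy` names and the verdict strings are assumptions chosen for the example; the real ASA state machine also tracks retransmissions and sequence wraparound, which this model omits.

```python
"""Toy model of the ASA TCP normalizer checks from Step 6 (added example,
not Cisco code). Packets are small records; the state kept per direction is
the minimum needed to evaluate each check."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Header fields the checks look at (constructed, one direction of a flow)."""
    seq: int
    ack_num: int = 0
    window: int = 65535
    payload_len: int = 0
    syn: bool = False
    ack: bool = False
    urg: bool = False
    urgent_ptr: int = 0


@dataclass
class ConnState:
    """State for one direction (sender -> receiver); field names are assumptions."""
    peer_rcv_nxt: int                 # next byte the receiver expects from this sender
    peer_rcv_wnd: int                 # window the receiver advertised to this sender
    peer_snd_nxt: int                 # next byte the receiver will send; an ACK must not pass it
    synack_received: bool = False     # after the SYN/ACK the handshake ACK must match exactly
    sender_right_edge: Optional[int] = None   # ack_num + window last advertised by this sender


@dataclass
class Policy:
    """One flag per Step 6 checkbox modelled here (defaults chosen for the example)."""
    clear_urgent_flag: bool = True
    drop_on_window_variation: bool = True
    drop_syn_data: bool = True
    drop_synack_data: bool = True
    drop_invalid_ack: bool = True
    drop_past_window_seq: bool = True


def normalize(pkt: Packet, st: ConnState, pol: Policy):
    """Return (verdict, reason, packet): verdict is 'allow', 'drop' (this packet)
    or 'drop-connection' (tear the flow down). Allowed packets update st."""
    if pol.drop_syn_data and pkt.syn and not pkt.ack and pkt.payload_len:
        return "drop", "syn-data", pkt
    if pol.drop_synack_data and pkt.syn and pkt.ack and pkt.payload_len:
        return "drop", "synack-data", pkt
    if pol.drop_past_window_seq and not pkt.syn:
        # Past-window: the segment starts beyond the right edge of the receive window.
        if pkt.seq > st.peer_rcv_nxt + st.peer_rcv_wnd:
            return "drop", "seq-past-window", pkt
    if pol.drop_invalid_ack and pkt.ack:
        # Either rule from the text: ACK beyond what the peer has sent, or a
        # handshake ACK that is not exactly the peer's next sequence number.
        if pkt.ack_num > st.peer_snd_nxt:
            return "drop", "invalid-ack", pkt
        if st.synack_received and pkt.ack_num != st.peer_snd_nxt:
            return "drop", "invalid-ack", pkt
    if pol.drop_on_window_variation and pkt.ack and st.sender_right_edge is not None:
        # "Shrinking the window" moves the advertised right edge backwards. A smaller
        # window value by itself is normal once data has been acknowledged.
        if pkt.ack_num + pkt.window < st.sender_right_edge:
            return "drop-connection", "window-variation", pkt
    if pol.clear_urgent_flag and pkt.urg:
        pkt = replace(pkt, urg=False, urgent_ptr=0)   # forward the packet without URG
    # Packet passes: advance what the receiver expects and remember the window edge.
    st.peer_rcv_nxt = max(st.peer_rcv_nxt, pkt.seq + pkt.payload_len + (1 if pkt.syn else 0))
    if pkt.ack:
        st.sender_right_edge = pkt.ack_num + pkt.window
        st.synack_received = False
    return "allow", "", pkt


def run_samples():
    """Push constructed client->server packets through the checks; returns a list
    of (verdict, reason, urg_flag_after_normalization) for each packet."""
    pol = Policy()
    st = ConnState(peer_rcv_nxt=1001, peer_rcv_wnd=8192, peer_snd_nxt=5001,
                   synack_received=True)
    samples = [
        Packet(seq=1001, ack_num=5001, ack=True),                                   # handshake ACK
        Packet(seq=1001, ack_num=5001, ack=True, payload_len=100, urg=True, urgent_ptr=10),  # URG cleared
        Packet(seq=1101, ack_num=5500, ack=True, payload_len=10),                   # acks bytes never sent
        Packet(seq=1101, ack_num=5001, ack=True, payload_len=10),                   # normal data
        Packet(seq=20000, ack_num=5001, ack=True, payload_len=10),                  # beyond 1111 + 8192
        Packet(seq=1111, ack_num=5001, ack=True, window=1000),                      # right edge retreats
        Packet(seq=1111, syn=True, payload_len=5),                                  # SYN carrying data
    ]
    results = []
    for p in samples:
        verdict, reason, out = normalize(p, st, pol)
        results.append((verdict, reason, out.urg))
    return results


if __name__ == "__main__":
    for r in run_samples():
        print(r)
```

The window-variation rule is deliberately written against the right edge (ACK number plus window) rather than the raw window value, because a shrinking window value is normal as the receiver's buffer fills; only a retreating right edge is the "shrinking the window" case the TCP specification discourages.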
Step 7 To set TCP options, check any of the following options:
Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared.
Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.
Clear Window Scale—Sets whether the window scale timestamp option is allowed or cleared.
Range—Sets the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound. Choose Allow or Drop for each range.
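As an added example (not Cisco code and not from this guide), the parser below walks the TCP options field and applies the Step 7 settings: the selective-ack, timestamp and window-scale options are cleared, and any other option kind is judged against the configured 6-7 / 9-255 ranges. Clearing an option by overwriting it with NOP bytes, the `OptionPolicy` field names, and the choice to drop a kind that falls in no configured range are assumptions made for this illustration.

```python
"""Parser and normalizer for the TCP options field, added to illustrate the
Step 7 settings; not Cisco code. Clearing is modelled as overwriting the option
with NOPs so the header length is unchanged (an assumption, not page content)."""
from dataclasses import dataclass, field

KIND_EOL, KIND_NOP, KIND_MSS = 0, 1, 2
KIND_WSCALE, KIND_SACK_PERM, KIND_SACK, KIND_TIMESTAMP = 3, 4, 5, 8
DEDICATED = {KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE, KIND_SACK_PERM, KIND_SACK, KIND_TIMESTAMP}


@dataclass
class OptionPolicy:
    """Step 7 checkboxes plus the (low, high, action) ranges for other kinds."""
    clear_selective_ack: bool = True
    clear_timestamp: bool = True
    clear_window_scale: bool = True
    ranges: list = field(default_factory=lambda: [(6, 7, "drop"), (9, 255, "drop")])


def validate_ranges(ranges):
    """Enforce the rule from the text: ranges lie within 6-7 or 9-255, low <= high."""
    for low, high, action in ranges:
        if low > high:
            raise ValueError(f"lower bound {low} exceeds upper bound {high}")
        if not (6 <= low <= high <= 7 or 9 <= low <= high <= 255):
            raise ValueError(f"range {low}-{high} is outside 6-7 and 9-255")
        if action not in ("allow", "drop"):
            raise ValueError(f"unknown action {action!r}")


def parse_options(buf: bytes):
    """Return [(kind, offset, length)] for each option; raise ValueError when a
    length field runs past the buffer or is shorter than the 2-byte header."""
    opts, i = [], 0
    while i < len(buf):
        kind = buf[i]
        if kind == KIND_EOL:                  # end of option list: rest is padding
            opts.append((kind, i, len(buf) - i))
            break
        if kind == KIND_NOP:                  # single-byte option, no length field
            opts.append((kind, i, 1))
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, i, length))
        i += length
    return opts


def normalize_options(buf: bytes, pol: OptionPolicy):
    """Return ('allow', rewritten_options) or ('drop', reason)."""
    validate_ranges(pol.ranges)
    try:
        opts = parse_options(buf)
    except ValueError as exc:
        return "drop", f"malformed options: {exc}"
    out = bytearray(buf)
    for kind, start, length in opts:
        clear = ((kind in (KIND_SACK_PERM, KIND_SACK) and pol.clear_selective_ack)
                 or (kind == KIND_TIMESTAMP and pol.clear_timestamp)
                 or (kind == KIND_WSCALE and pol.clear_window_scale))
        if clear:
            out[start:start + length] = bytes([KIND_NOP]) * length
            continue
        if kind in DEDICATED:                 # EOL/NOP/MSS pass; the rest were handled above
            continue
        # Any other kind is governed by the configured ranges; a kind matched by
        # no range is dropped here (assumed default for the example).
        action = next((a for lo, hi, a in pol.ranges if lo <= kind <= hi), "drop")
        if action == "drop":
            return "drop", f"option kind {kind} not permitted"
    return "allow", bytes(out)


# Constructed SYN options: MSS 1460, SACK-permitted, timestamp, NOP, window scale 7.
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0001e24000000000" "01" "030307")

if __name__ == "__main__":
    print(normalize_options(SYN_OPTS, OptionPolicy()))
    print(normalize_options(bytes.fromhex("0a040000"), OptionPolicy()))
```

With the defaults, the constructed SYN options come back as the MSS option followed by sixteen NOP bytes; switching a range to `allow` lets an unknown kind such as 10 through unchanged, and a truncated length field is reported as a drop rather than being forwarded.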