35-26
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier)
Using Static NAT
Note You can also set these values using a security policy rule. To set the number of rate intervals maintained for host statistics, in the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces memory usage. By default, the Firewall Dashboard tab shows information for three rate intervals, for example, for the last 1 hour, 8 hours, and 24 hours. If you set this value to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained. If you set connection limits in both places (the NAT rule and the security policy rule), then the ASA uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP sequence randomization.
Randomize sequence number—With this check box checked (the default), the ASA randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the ASA and the eBGP peers are using MD5, because randomization breaks the MD5 checksum.
• If you use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.
Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Setting this limit enables the TCP Intercept feature. The default is 0, which means the number of embryonic connections is unlimited. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts never reach the server.
Step 9 Click OK.
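The embryonic limit and TCP Intercept behaviour described above, as an added illustrative model that is not the ASA's implementation and not code from this guide: below the limit, SYNs are passed to the server and counted as half-open; once the limit is reached, the firewall answers SYN-ACKs itself with a keyed SYN cookie and only a client that echoes that cookie is handed to the server, so spoofed or unreachable sources never reach it. The HMAC cookie construction, the addresses, the limit value and the absence of embryonic timeouts are assumptions of this model.

```python
import hashlib
import hmac
import os

class TcpIntercept:
    """Illustrative per-server embryonic limit with SYN-cookie interception (no timeouts)."""
    def __init__(self, embryonic_limit, secret=None):
        self.limit = embryonic_limit              # 0 means unlimited, as in the ASDM field
        self.secret = secret or os.urandom(16)    # constructed per-run cookie key
        self.embryonic = set()                    # clients forwarded but not yet completed
        self.server_saw = []                      # events that actually reached the server
        self.intercepted = 0

    def _cookie(self, client, server, client_isn):
        # Stateless cookie used as our SYN-ACK sequence number (assumed HMAC construction)
        msg = f"{client}|{server}|{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client, server, client_isn):
        if self.limit == 0 or len(self.embryonic) < self.limit:
            self.embryonic.add(client)            # below the limit: pass the SYN through
            self.server_saw.append(("SYN", client))
            return "forward", None
        self.intercepted += 1                     # above the limit: answer on the server's behalf
        return "syn-ack", self._cookie(client, server, client_isn)

    def on_ack(self, client, server, client_isn, ack_value):
        if client in self.embryonic:              # a forwarded handshake completing normally
            self.embryonic.discard(client)
            self.server_saw.append(("ESTABLISHED", client))
            return True
        # Intercepted client: the ACK must acknowledge cookie + 1, proving it is reachable
        if (ack_value - 1) & 0xFFFFFFFF == self._cookie(client, server, client_isn):
            self.server_saw.append(("ESTABLISHED", client))
            return True
        return False

def simulate(limit=2, flood=5):
    """Constructed scenario: a spoofed SYN flood that never completes, then a real client."""
    fw, server = TcpIntercept(limit), ("10.1.1.10", 80)
    for i in range(flood):                        # spoofed sources never answer a SYN-ACK
        fw.on_syn((f"192.0.2.{i + 1}", 40000 + i), server, 1000 + i)
    client, isn = ("198.51.100.7", 51234), 777
    _, cookie = fw.on_syn(client, server, isn)
    ack = (cookie + 1) & 0xFFFFFFFF if cookie is not None else 1
    legit = fw.on_ack(client, server, isn, ack)
    bogus = fw.on_ack(("198.51.100.8", 1), server, 5, 12345)  # guessed ACK, no cookie
    return {"forwarded_syns": sum(e[0] == "SYN" for e in fw.server_saw), "intercepted": fw.intercepted,
            "legit_established": legit, "bogus_accepted": bogus, "server_saw": len(fw.server_saw)}
```

With a limit of 2 and a flood of 5, only the first two spoofed SYNs ever reach the server; the later legitimate client still gets through because it completes the cookie exchange, while a guessed ACK is dropped.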
Using Static NAT
This section describes how to configure a static translation, using regular or policy static NAT, PAT, or identity NAT.
For more information about static NAT, see the “Static NAT” section on page 35-8.