Cisco ASA - TCP Normalization ; Permitting TCP Option Headers

Written by Rick Donato on 20 February 2015. Posted in Cisco

TCP Normalization

To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities.

To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is then assigned to a class-map. This class-map is then assigned to a policy-map which is then assigned to an interface via a service policy.

Example

Within our example we will configure the ASA to permit the TCP header 34 (0x22).

tcp-map TCPMAP-PERMIT-0x22
  tcp-options range 34 34 allow

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class ALLOW-TCP-22
  set connection advanced-options TCPMAP-PERMIT-0x22

service-policy global_policy global

JW_DISQUS_BLOG_COMMENTS_POWERED_BY DISQUS JW_DISQUS_BACK_TO_TOP

Tags: ASA, Cisco, TCP

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001

Cisco ASA - TCP Normalization ; Permitting TCP Option Headers

TCP Normalization

Example

About the Author

R Donato

Latest Articles

Popular Articles