Cisco ASA - TCP Normalization ; Permitting TCP Option Headers
To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities.
To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is then assigned to a class-map. This class-map is then assigned to a policy-map which is then assigned to an interface via a service policy.
Within our example we will configure the ASA to permit the TCP header 34 (0x22).
tcp-options range 34 34 allow
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
set connection advanced-options TCPMAP-PERMIT-0x22
service-policy global_policy global