{"id":893,"date":"2015-02-20T08:38:00","date_gmt":"2015-02-20T08:38:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2015\/02\/20\/cisco-asa-tcp-normalization-permitting-tcp-option-headers\/"},"modified":"2023-01-06T17:20:35","modified_gmt":"2023-01-06T17:20:35","slug":"cisco-asa-tcp-normalization-permitting-tcp-option-headers","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","title":{"rendered":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers"},"content":{"rendered":"

TCP Normalization<\/h2>\n

To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected, these packets can be allowed, dropped, or cleared of their abnormalities.<\/p>\n

To configure the TCP normalizer, changes are made within a tcp-map. The tcp-map is then assigned to a class-map. This class-map is then assigned to a policy-map, which is then assigned to an interface via a service policy.<\/p>\n

Example<\/h2>\n

In our example we will configure the ASA to permit TCP option 34 (0x22).<\/p>\n

tcp-map TCPMAP-PERMIT-0x22\r\n  tcp-options range 34 34 allow\r\npolicy-map type inspect dns preset_dns_map\r\n parameters\r\n  message-length maximum 512\r\npolicy-map global_policy\r\n class inspection_default\r\n  inspect dns preset_dns_map\r\n  inspect ftp\r\n  inspect h323 h225\r\n  inspect h323 ras\r\n  inspect rsh\r\n  inspect rtsp\r\n  inspect sqlnet\r\n  inspect skinny\r\n  inspect sunrpc\r\n  inspect xdmcp\r\n  inspect sip\r\n  inspect netbios\r\n  inspect tftp\r\n  inspect ip-options\r\n class ALLOW-TCP-22\r\n  set connection advanced-options TCPMAP-PERMIT-0x22\r\nservice-policy global_policy global<\/pre>\n","protected":false},"excerpt":{"rendered":"

TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities. To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\nCisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net<\/title>\n<meta name=\"description\" content=\"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net\" \/>\n<meta property=\"og:description\" content=\"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. 
TCP normalization is enabled by default\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\" \/>\n<meta property=\"og:site_name\" content=\"Fir3net\" \/>\n<meta property=\"article:published_time\" content=\"2015-02-20T08:38:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-06T17:20:35+00:00\" \/>\n<meta name=\"author\" content=\"Rick Donato\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rick Donato\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\"},\"author\":{\"name\":\"Rick Donato\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\"},\"headline\":\"Cisco ASA: TCP Normalization & Permitting TCP Option Headers\",\"datePublished\":\"2015-02-20T08:38:00+00:00\",\"dateModified\":\"2023-01-06T17:20:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\"},\"wordCount\":102,\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"articleSection\":[\"Cisco 
Firewalls\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\",\"url\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\",\"name\":\"Cisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/#website\"},\"datePublished\":\"2015-02-20T08:38:00+00:00\",\"dateModified\":\"2023-01-06T17:20:35+00:00\",\"description\":\"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default\",\"breadcrumb\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.fir3net.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\/\/www.fir3net.com\/security\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Firewalls\",\"item\":\"https:\/\/www.fir3net.com\/security\/firewalls\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Cisco Firewalls\",\"item\":\"https:\/\/www.fir3net.com\/security\/firewalls\/cisco\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Cisco ASA: TCP Normalization & Permitting TCP Option Headers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.fir3net.com\/#website\",\"url\":\"https:\/\/www.fir3net.com\/\",\"name\":\"Fir3net\",\"description\":\"Keeping you in 
the know\",\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.fir3net.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.fir3net.com\/#organization\",\"name\":\"Fir3net\",\"url\":\"https:\/\/www.fir3net.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"contentUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"width\":390,\"height\":88,\"caption\":\"Fir3net\"},\"image\":{\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\",\"name\":\"Rick Donato\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"caption\":\"Rick Donato\"},\"description\":\"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet Coders.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net","description":"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. 
TCP normalization is enabled by default","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","og_locale":"en_US","og_type":"article","og_title":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net","og_description":"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default","og_url":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","og_site_name":"Fir3net","article_published_time":"2015-02-20T08:38:00+00:00","article_modified_time":"2023-01-06T17:20:35+00:00","author":"Rick Donato","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rick Donato","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#article","isPartOf":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html"},"author":{"name":"Rick Donato","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037"},"headline":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers","datePublished":"2015-02-20T08:38:00+00:00","dateModified":"2023-01-06T17:20:35+00:00","mainEntityOfPage":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html"},"wordCount":102,"publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"articleSection":["Cisco 
Firewalls"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","url":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","name":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers - Fir3net","isPartOf":{"@id":"https:\/\/www.fir3net.com\/#website"},"datePublished":"2015-02-20T08:38:00+00:00","dateModified":"2023-01-06T17:20:35+00:00","description":"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default","breadcrumb":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.fir3net.com\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.fir3net.com\/security"},{"@type":"ListItem","position":3,"name":"Firewalls","item":"https:\/\/www.fir3net.com\/security\/firewalls"},{"@type":"ListItem","position":4,"name":"Cisco Firewalls","item":"https:\/\/www.fir3net.com\/security\/firewalls\/cisco"},{"@type":"ListItem","position":5,"name":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers"}]},{"@type":"WebSite","@id":"https:\/\/www.fir3net.com\/#website","url":"https:\/\/www.fir3net.com\/","name":"Fir3net","description":"Keeping you in the 
know","publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.fir3net.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.fir3net.com\/#organization","name":"Fir3net","url":"https:\/\/www.fir3net.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","width":390,"height":88,"caption":"Fir3net"},"image":{"@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037","name":"Rick Donato","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","caption":"Rick Donato"},"description":"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet 
Coders."}]}},"_links":{"self":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/893"}],"collection":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/comments?post=893"}],"version-history":[{"count":2,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/893\/revisions"}],"predecessor-version":[{"id":3497,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/893\/revisions\/3497"}],"wp:attachment":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media?parent=893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/categories?post=893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/tags?post=893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}