{"id":893,"date":"2015-02-20T08:38:00","date_gmt":"2015-02-20T08:38:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2015\/02\/20\/cisco-asa-tcp-normalization-permitting-tcp-option-headers\/"},"modified":"2023-01-06T17:20:35","modified_gmt":"2023-01-06T17:20:35","slug":"cisco-asa-tcp-normalization-permitting-tcp-option-headers","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-tcp-normalization-permitting-tcp-option-headers.html","title":{"rendered":"Cisco ASA: TCP Normalization & Permitting TCP Option Headers"},"content":{"rendered":"
To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected, these packets can be allowed, dropped, or cleared of their abnormalities.<\/p>\n
To configure the TCP normalizer, changes are made within the tcp-map. The tcp-map is then assigned to a class-map. This class-map is then assigned to a policy-map, which is then assigned to an interface via a service policy.<\/p>\n
In our example, we will configure the ASA to permit TCP option 34 (0x22).<\/p>\n
tcp-map TCPMAP-PERMIT-0x22\r\n\u00a0 tcp-options range 34 34 allow\r\n policy-map type inspect dns preset_dns_map\r\n\u00a0parameters\r\n\u00a0 message-length maximum 512\r\npolicy-map global_policy\r\n\u00a0class inspection_default\r\n\u00a0 inspect dns preset_dns_map\r\n\u00a0 inspect ftp\r\n\u00a0 inspect h323 h225\r\n\u00a0 inspect h323 ras\r\n\u00a0 inspect rsh\r\n\u00a0 inspect rtsp\r\n\u00a0 inspect sqlnet\r\n\u00a0 inspect skinny\r\n\u00a0 inspect sunrpc\r\n\u00a0 inspect xdmcp\r\n\u00a0 inspect sip\r\n\u00a0 inspect netbios\r\n\u00a0 inspect tftp\r\n\u00a0 inspect ip-options\r\n\u00a0class ALLOW-TCP-22\r\n\u00a0 set connection advanced-options TCPMAP-PERMIT-0x22\r\n service-policy global_policy global<\/pre>\n","protected":false},"excerpt":{"rendered":"TCP Normalization To provide protection from attacks, the Cisco ASA provides a feature called TCP normalization. TCP normalization is enabled by default and can detect abnormal packets. Once detected these packets can be either allowed, dropped or cleared of its abnormalities. To configure the TCP normalizer changes are made within the tcp-map. The tcp-map is … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\n