ASA 8.02 and TCP Urgent flag

seanw_nic
Level 1

I recently upgraded a customer from a PIX 525 (running 7.0 code) to a pair of ASA 5550s in active/standby mode. The ASA runs 8.02. The customer uses a software identity service called Trusted Network Technologies 'Identity', which communicates with a server on the outside of the firewall. The software requires that TCP sequence number randomization be turned off, and that the TCP Urgent flag status is preserved through the firewall.

After upgrading to the ASA, the TNT software no longer functions. The software vendor is telling me that there may be some conflicts in the ACLs used for NAT and the TCP map.

Here is the portion of the config that I believe to be relevant. Any ideas?

! Traffic selected for the custom TCP options (destination y.y.0.0/16)
access-list global_mpc extended permit ip any y.y.0.0 255.255.0.0
class-map OCDE-class
 match access-list global_mpc
!
policy-map global-policy
 class OCDE-class
  set connection random-sequence-number disable
  set connection advanced-options OCDE-map
! TCP normalizer map referenced above: keep the URG flag instead of clearing it
tcp-map OCDE-map
 urgent-flag allow
! Outbound NAT: pool 103 (ACL-selected, no sequence randomization) and catch-all pool 101
global (outside) 101 x.x.x.127 netmask 255.255.255.0
global (outside) 103 x.x.x.129 netmask 255.255.255.0
nat (inside) 103 access-list inside_nat_outbound norandomseq
nat (inside) 101 0.0.0.0 0.0.0.0
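To check offline whether the MPF above actually classifies a given flow, here is an added example (not part of the post or of Cisco's tooling) that parses the relevant lines and reports the sequence-randomization and urgent-flag treatment for a destination address. It assumes the ASA defaults when no class matches (randomization on, URG cleared by the TCP normalizer) and uses the documentation range 198.51.100.0/24 as a placeholder for the masked y.y.0.0/16; the NAT ACL inside_nat_outbound is not shown in the post, so it is not modelled.

```python
import ipaddress
# Constructed copy of the MPF lines from the post; y.y.0.0/16 -> 198.51.100.0/24 placeholder
ASA_CONFIG = """
access-list global_mpc extended permit ip any 198.51.100.0 255.255.255.0
class-map OCDE-class
 match access-list global_mpc
policy-map global-policy
 class OCDE-class
  set connection random-sequence-number disable
  set connection advanced-options OCDE-map
tcp-map OCDE-map
 urgent-flag allow
"""

def parse_asa(config):
    """Lookups: ACL -> networks, class-map -> ACL, policy class -> options, tcp-map -> URG."""
    acls, classes, policy, tcpmaps, ctx = {}, {}, {}, {}, (None, None)
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        p = line.split()
        if p[0] == "access-list" and p[2:6] == ["extended", "permit", "ip", "any"]:
            acls.setdefault(p[1], []).append(ipaddress.ip_network(f"{p[6]}/{p[7]}"))
        elif p[0] in ("class-map", "policy-map", "tcp-map"):
            ctx = (p[0], p[1])
            if p[0] == "tcp-map":
                tcpmaps[p[1]] = "clear"   # ASA default inside a tcp-map
        elif ctx[0] == "class-map" and p[:2] == ["match", "access-list"]:
            classes[ctx[1]] = p[2]
        elif ctx[0] == "policy-map" and p[0] == "class":
            ctx = ("policy-map", p[1])
            policy[p[1]] = []
        elif ctx[0] == "policy-map" and p[:2] == ["set", "connection"]:
            policy[ctx[1]].append(line)
        elif ctx[0] == "tcp-map" and p[0] == "urgent-flag":
            tcpmaps[ctx[1]] = p[1]
    return acls, classes, policy, tcpmaps

def tcp_options_for(dst_ip, config=ASA_CONFIG):
    """Options the MPF applies to a flow toward dst_ip (ASA defaults when no class matches)."""
    acls, classes, policy, tcpmaps = parse_asa(config)
    opts = {"random_seq_disabled": False, "urgent_flag": "clear"}  # ASA defaults
    dst = ipaddress.ip_address(dst_ip)
    for cls, acl in classes.items():
        if any(dst in net for net in acls.get(acl, [])):
            for line in policy.get(cls, []):
                if line == "set connection random-sequence-number disable":
                    opts["random_seq_disabled"] = True
                elif line.startswith("set connection advanced-options "):
                    opts["urgent_flag"] = tcpmaps.get(line.split()[3], "clear")
    return opts
```

Run it against the real (unmasked) server address to confirm the class-map ACL covers the TNT server; a flow that falls outside global_mpc gets the defaults, which would explain the behaviour the vendor describes.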
