ASA 7.0(8) and WAAS

Unanswered Question
Mar 26th, 2009

Hello

As far as I know, WAAS sets TCP options, 0x21 if I'm not mistaken, and upon neighbor discovery it adds 2 billion to the sequence number of the traffic that is meant to be accelerated.

Since I'm running an early release I was trying to manually overcome the absence of the “inspect waas”. Is it possible? So far, this is what I've got:


!
class-map WAE-TCPopt
 match access-list WAE-TCPopt
!
class-map inspection_default
 match default-inspection-traffic
!
tcp-map WAE
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect tftp
  inspect netbios
  inspect mgcp
 class WAE-TCPopt
  set connection random-sequence-number disable
  set connection advanced-options WAE
 class VoIP
  priority
!


As you can imagine, it's not yet working.

Is there an alternative to the inspect? I would really want to keep the current release for a number of reasons. Any advice?


Thanks a lot

Guido
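To sanity-check whether a tcp-map like the one above would even cover the option kind the poster attributes to WAAS, here is a small added example (not from the thread, and not Cisco code) that parses the option list of a TCP SYN and compares each option kind against the `tcp-options range ... allow` lines. The SYN bytes, the 0x21 payload and the port numbers are constructed for illustration; the set of option kinds the ASA passes without an explicit range line (EOL, NOP, MSS, window scale, SACK-permitted, SACK, timestamp) is my assumption about the appliance's defaults, not something the page states.

```python
import struct

# Constructed sample SYN options: MSS, NOP, window scale, NOP, NOP,
# SACK-permitted and a kind-0x21 (33) option with made-up payload bytes.
SAMPLE_OPTIONS = (
    bytes([2, 4, 0x05, 0xB4])        # MSS 1460
    + bytes([1])                      # NOP
    + bytes([3, 3, 7])                # window scale 7
    + bytes([1, 1])                   # NOP NOP
    + bytes([4, 2])                   # SACK permitted
    + bytes([0x21, 4, 0xAA, 0xBB])    # kind 33, length 4, constructed payload
)
assert len(SAMPLE_OPTIONS) % 4 == 0   # options must pad to a 32-bit boundary
DATA_OFFSET_WORDS = (20 + len(SAMPLE_OPTIONS)) // 4

# Fixed 20-byte TCP header (ports/seq are constructed, checksum left zero).
SAMPLE_SYN = struct.pack(
    "!HHIIBBHHH",
    40000, 80,                       # source / destination port
    0x11223344, 0,                   # sequence / acknowledgement number
    DATA_OFFSET_WORDS << 4, 0x02,    # data offset, flags = SYN
    65535, 0, 0,                     # window, checksum, urgent pointer
) + SAMPLE_OPTIONS

# The poster's tcp-map WAE, as inclusive (low, high) ranges.
TCP_MAP_WAE = [(6, 7), (9, 255)]

# Assumption: option kinds passed without a tcp-options range line
# (EOL, NOP, MSS, window scale, SACK-permitted, SACK, timestamp).
DEFAULT_ALLOWED = {0, 1, 2, 3, 4, 5, 8}


def parse_tcp_options(header: bytes):
    """Return [(kind, payload)] from a raw TCP header, handling EOL/NOP and TLV options."""
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts = header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP has no length byte
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def option_kinds(header: bytes):
    return [kind for kind, _ in parse_tcp_options(header)]


def is_covered(kind: int, ranges, default=DEFAULT_ALLOWED) -> bool:
    """True if the option kind is allowed by default or falls inside a configured range."""
    return kind in default or any(lo <= kind <= hi for lo, hi in ranges)


def uncovered_kinds(header: bytes, ranges):
    """Option kinds present in the SYN that the given tcp-map ranges do not allow."""
    return sorted({k for k in option_kinds(header) if not is_covered(k, ranges)})


if __name__ == "__main__":
    print("option kinds in sample SYN:", option_kinds(SAMPLE_SYN))
    print("not covered by tcp-map WAE:", uncovered_kinds(SAMPLE_SYN, TCP_MAP_WAE))
    print("not covered with only 'range 6 7':", uncovered_kinds(SAMPLE_SYN, [(6, 7)]))
```

Running it shows that kind 33 is covered only because of the `tcp-options range 9 255 allow` line; with just `range 6 7` the WAAS option would be outside the policy. The parser also rejects truncated or zero-length options, which is the kind of malformed option list a firewall has to cope with on real traffic.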


murabi Wed, 04/01/2009 - 12:55

You may try using the following command:

set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

no set connection {conn-max | embryonic-conn-max} n random-seq# {enable | disable}

random-seq# - Enable or disable TCP sequence number randomization. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

• If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

• You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.
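The second bullet is the one that is easiest to show concretely. The RFC 2385 TCP MD5 signature used by BGP peers covers the TCP pseudo-header, the fixed TCP header (including the sequence number) and the shared key, so a firewall that adds a random offset to the ISN without knowing the key produces a segment whose signature no longer verifies at the peer. The added example below (my code, not from the thread or from Cisco) computes that digest over constructed addresses, ports, ISN and key, then shows verification succeeding on the original SYN and failing once the sequence number is rewritten by a constructed offset, and succeeding again when the offset is zero, which is what disabling randomization amounts to.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values, not from the thread.
KEY = b"constructed-bgp-secret"
SEGMENT = dict(
    src_ip="192.0.2.1", dst_ip="198.51.100.1",
    src_port=179, dst_port=40001,
    seq=0x0ABCDEF0, ack=0,
    flags=0x02,            # SYN
    window=65535,
    data=b"",
)


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack,
                   flags, window, data, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with checksum zero
    and options excluded, then the segment data, then the key."""
    seg_len = 20 + len(data)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, 6, seg_len))
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
        5 << 4,            # data offset: 5 words, options are not signed
        flags, window,
        0, 0,              # checksum assumed zero, urgent pointer
    )
    return hashlib.md5(pseudo_header + tcp_header + data + key).digest()


def sign_segment(segment, key):
    return tcp_md5_digest(**segment, key=key)


def verify_segment(segment, digest, key):
    """What the receiving peer does: recompute over the bytes it sees and compare."""
    return hmac.compare_digest(sign_segment(segment, key), digest)


def rewrite_sequence(segment, offset):
    """Model a middlebox adding an offset to the sequence number (ISN randomization)."""
    rewritten = dict(segment)
    rewritten["seq"] = (segment["seq"] + offset) & 0xFFFFFFFF
    return rewritten


if __name__ == "__main__":
    digest = sign_segment(SEGMENT, KEY)
    print("original verifies:      ", verify_segment(SEGMENT, digest, KEY))
    randomized = rewrite_sequence(SEGMENT, 0x7A3B1C9D)   # constructed offset
    print("after randomization:    ", verify_segment(randomized, digest, KEY))
    print("randomization disabled: ", verify_segment(rewrite_sequence(SEGMENT, 0), digest, KEY))
```

The same reasoning applies to the WAAS bullet: anything that keys off the exact sequence number the endpoints chose (a signature, or an offset the WAE adds during discovery) is disturbed when the appliance shifts that number, which is why the `random-seq#` knob exists per class rather than only globally.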

