Cisco Support Community
Ignoring TCP handshake & Sequence Numbers for STT Traffic

Hi,

I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).

STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform a TCP handshake, i.e. TCP flags are used differently, and the same goes for sequence numbers.

Is there any way to disable the regular TCP handshake and sequence number checks? I saw that there might be a chance to do something for the handshake with the embryonic connection limit, but I'm not sure about the sequence numbers.

Assume ASA 8.6.

Thanks,

Ben

Accepted Solutions

Hi,

You can configure TCP state bypass only for this traffic; for the rest, the firewall would check the TCP state of the packet. Here is the doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

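The configuration the accepted answer points to, written out here as an added example (not from the thread, and not taken from the linked Cisco document): a Modular Policy Framework class that applies TCP state bypass only to the STT flows, identified by destination port and by the tunnel endpoints, while every other TCP flow keeps the ASA's normal handshake, embryonic-connection and sequence-number checks. Port 7471 is the destination port the STT draft assigns and is assumed here; the endpoint addresses are constructed placeholders. TCP state bypass also turns off TCP normalization and initial sequence number randomization for the matched flows, so the access list should name the specific STT endpoints rather than `any any`.

```cisco
! Constructed example: STT tunnel endpoints (placeholder addresses)
object-group network STT-ENDPOINTS
 network-object host 192.0.2.10
 network-object host 192.0.2.20
!
! Match only STT: TCP to port 7471 (assumed from the STT draft) between the endpoints,
! in both directions, so the bypass never applies to ordinary TCP traffic
access-list STT-BYPASS extended permit tcp object-group STT-ENDPOINTS object-group STT-ENDPOINTS eq 7471
!
class-map STT-BYPASS-CLASS
 match access-list STT-BYPASS
!
! Add the class to the existing global policy; traffic that does not match
! the class is still subject to the default TCP state checks
policy-map global_policy
 class STT-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
```

After applying it, `show service-policy global` lists the class with its packet counters, and `show conn` marks the STT connections with the `b` (TCP state bypass) flag while other connections still show the normal flags; any STT flow that does not carry that flag means the access list did not match it and the ASA is still enforcing TCP state on it.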