Hi everyone,
I have a question about how I can allow a TCP option on PIX version 6.3 and how I can disable the check of the TCP sequence number on PIX/ASA.
I understand there are the following security considerations when I install WAEs and each WAE communicates through a firewall.
WAAS uses a special TCP option (1) and changes the TCP sequence number (2) to achieve TCP transparent optimization.
(1) WAAS's auto discovery function sets TCP option 0x21 (33) in the option field of the TCP SYN packet which is communicated between WAEs.
(2) WAAS increases the sequence number of the last ACK packet in the TCP 3-way handshake, which is communicated between WAEs, to 2GB.
So when I install WAEs and each WAE communicates through a firewall, I think I have to allow the TCP option and have to disable the check of the TCP sequence number explicitly on the firewall, such as PIX or ASA.
I think I can allow the TCP option by configuring the TCP normalization command, that is,
tcp-options range lower upper {allow | clear | drop}
tcp-options range 33 33 allow (in this case)
However, according to the PIX/ASA version 7.0 command reference, this command was introduced on version 7.0.
My questions are as follows:
1: Can I allow a TCP option on PIX version 6.3, like the tcp-options command on 7.x?
2: Can I disable the check of the TCP sequence number explicitly on PIX version 6.3 and PIX/ASA version 7.x?
Your information would be appreciated.
Best regards,
Shinichi
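
For reference, an added example that is not part of the original post and is not Cisco code: a small Python model of what a `tcp-options range lower upper {allow | clear | drop}` rule does to the options field of a SYN carrying option 33. The sample option bytes are constructed, the option 33 payload is a placeholder, and overwriting a cleared option with NOP bytes is an assumption of this model.

```python
WAAS_OPT = 33  # 0x21, the auto-discovery option kind named in the post

def parse_options(raw):
    """Yield (kind, offset, length) for each option in a TCP options field."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List: stop parsing
            return
        if kind == 1:                      # NOP is a single byte, no length
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length for option kind %d" % kind)
        yield kind, i, length
        i += length

def option_kinds(raw):
    """Return the option kinds in the order they appear."""
    return [kind for kind, _, _ in parse_options(raw)]

def normalize(raw, lower, upper, action):
    """Apply allow/clear/drop to option kinds in [lower, upper].

    Returns the resulting options bytes, or None when the packet is dropped.
    """
    if action not in ("allow", "clear", "drop"):
        raise ValueError("unknown action: %r" % action)
    out = bytearray(raw)
    for kind, off, length in parse_options(raw):
        if lower <= kind <= upper:
            if action == "drop":
                return None                # whole packet is discarded
            if action == "clear":
                # Assumption: cleared option is overwritten with NOPs so the
                # header length and data offset stay unchanged.
                out[off:off + length] = b"\x01" * length
    return bytes(out)

# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted, then
# option 33 with a 10-byte placeholder payload (20 bytes total).
SYN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2, WAAS_OPT, 12]) + bytes(10)
```

With `allow` the option reaches the peer WAE unchanged; with `clear` the SYN still passes but the peer no longer sees option 33.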