
New Member

Remote service implements TCP timestamps

I am trying to stop the RFC 1323 timestamp leak (Nessus ID 25220). I have added the following commands to our PIX firewall. The test still comes back positive.

access-list 100 deny icmp any any timestamp-request
access-list 100 deny icmp any any timestamp-reply
icmp deny any outside
icmp deny any inside


Accepted Solutions
Cisco Employee

Re: Remote service implements TCP timestamps

You are dropping icmp timestamps. You need to clear the TCP timestamps.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html explains how, and the config will look like

tcp-map tmap
  tcp-options timestamp clear
access-list tcp-acl permit tcp any any
class-map tcp-class
  match access-list tcp-acl
policy-map pmap
  class tcp-class
    set connection advanced-options tmap
service-policy pmap global

Let us know if it helps.

PK

New Member

Re: Remote service implements TCP timestamps

Solution worked, thanks.

tcp-map tcp-map-timestamp
  tcp-options timestamp clear
class-map class-map-timestamp
  match any
policy-map policy-map-timestamp
  class class-map-timestamp
    set connection advanced-options tcp-map-timestamp
service-policy policy-map-timestamp global

Cisco Employee

Re: Remote service implements TCP timestamps

That is good news!

Please mark the thread as Answered so that others can benefit in the future.

Take care,

PK

New Member

Remote service implements TCP timestamps

Hi, hope everyone is fine.

It didn't work for our case. Our vendor simplified the command and after implementing it I still get the TCP timestamp vulnerability for hosts behind the FW. Is this command supposed to clear all TCP timestamp requests for hosts behind the FW or is it simply just for the FW?

tcp-map tmap-timestamp
  tcp-options timestamp clear
policy-map global_policy
  class global-class
    set connection advanced-options tmap-timestamp

Hope anyone can shed some light on what we did wrong or an alternate solution.

Regards,

Mon
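
To check whether a tcp-map is actually taking effect for a given host, capture a SYN/ACK from it on the scanner side and look for TCP option kind 8 (the RFC 1323 timestamp), which is a TCP option and unrelated to the ICMP timestamp messages. The parser below is an added example, not code from this thread; the function names and both sample headers are constructed, and the "cleared" sample assumes the option bytes arrive overwritten with NOPs.

```python
import struct

# TCP option kinds (RFC 793 / RFC 1323)
EOL, NOP, TIMESTAMP = 0, 1, 8

def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, data) tuples from a raw TCP header."""
    # Data offset is the high nibble of byte 12, counted in 32-bit words.
    data_offset = (tcp_header[12] >> 4) * 4 if len(tcp_header) >= 20 else 0
    if not 20 <= data_offset <= len(tcp_header):
        raise ValueError("truncated header or invalid data offset")
    opts, out, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def tcp_timestamp(tcp_header: bytes):
    """Return (TSval, TSecr) if the timestamp option is present, else None."""
    for kind, data in parse_tcp_options(tcp_header):
        if kind == TIMESTAMP and len(data) == 8:
            return struct.unpack("!II", data)
    return None

def build_synack(options: bytes) -> bytes:
    """Constructed SYN/ACK header; ports and sequence numbers are arbitrary."""
    options += b"\x01" * (-len(options) % 4)          # pad to 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x012   # SYN+ACK
    return struct.pack("!HHIIHHHH", 443, 40000, 1000, 2001,
                       offset_flags, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
WITH_TS = build_synack(MSS + b"\x01\x01\x08\x0a" + struct.pack("!II", 123456789, 42))
# Assumption for this sample: the timestamp option was overwritten with NOPs in transit.
CLEARED = build_synack(MSS + b"\x01" * 12)

if __name__ == "__main__":
    for name, hdr in (("with timestamps", WITH_TS), ("cleared", CLEARED)):
        print(name, "->", tcp_timestamp(hdr))
```

If `tcp_timestamp` still returns a value for traffic from a host behind the firewall, that connection is not being matched by the class the tcp-map is attached to.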
