Cisco ASA with Riverbed TCP-option

The ASA has a feature called TCP normalization, which helps protect against possible TCP-based attacks.

For example, the ASA can allow or drop a packet, or clear an option within the packet.

The default configuration includes the following actions and settings:

no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear    <-- TCP option 76 is part of this range
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection

In this case Riverbed uses TCP option 76, which the default ASA configuration clears from the packet, causing the connection to fail.

Here is a configuration example that allows TCP options 76 through 78:

access-list riverbed_tcp extended permit tcp any any
class-map tcp-traffic
 match access-list riverbed_tcp
tcp-map allow-probes
 tcp-options range 76 78 allow
policy-map global_policy
 class tcp-traffic
  set connection advanced-options allow-probes
service-policy global_policy global
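As an added illustration (not code from the post or from Cisco), the following Python parses the options field of a constructed TCP SYN and applies the two tcp-options policies above, showing that kind 76 falls into the default 9-255 clear range and survives only with the allow-probes map. The first-match rule order and the kind-76 payload bytes are assumptions made for the example.

```python
import struct

# ASA default tcp-options actions from the list above; first matching rule wins
# (an ordering assumption for this simulation, not a statement about ASA internals).
ASA_DEFAULT_POLICY = [
    (3, 3, "allow"),    # tcp-options window-scale allow
    (4, 4, "allow"),    # tcp-options selective-ack allow
    (8, 8, "allow"),    # tcp-options timestamp allow
    (6, 7, "clear"),    # tcp-options range 6 7 clear
    (9, 255, "clear"),  # tcp-options range 9 255 clear (kind 76 lands here)
]
# tcp-map allow-probes from the post, evaluated ahead of the defaults
RIVERBED_POLICY = [(76, 78, "allow")] + ASA_DEFAULT_POLICY


def parse_tcp_options(segment: bytes) -> list:
    """Return [(kind, payload)] from the options field of a TCP segment."""
    header_len = (segment[12] >> 4) * 4          # data offset, in bytes
    opts = segment[20:header_len]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP carries no length byte
            result.append((1, b""))
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # truncated or bogus length
            raise ValueError(f"malformed option kind {kind}, length {length}")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def normalize(segment: bytes, policy) -> dict:
    """Map each option kind present to the action the policy would take.
    Kinds with no listed rule (NOP, MSS) are reported as allowed."""
    return {kind: next((a for lo, hi, a in policy if lo <= kind <= hi), "allow")
            for kind, _ in parse_tcp_options(segment)}


def build_syn_with_probe() -> bytes:
    """Constructed SYN (40000 -> 7800) with MSS, NOP, window scale and kind 76.
    The kind-76 payload is made up; it is not a real Riverbed probe format."""
    options = (struct.pack("!BBH", 2, 4, 1460) + b"\x01"
               + struct.pack("!BBB", 3, 3, 7)
               + bytes([76, 8]) + b"\x00\x01\x02\x03\x04\x05")  # 16 bytes total
    offset = (20 + len(options)) // 4                            # header words
    fixed = struct.pack("!HHIIBBHHH", 40000, 7800, 1, 0, offset << 4, 2, 65535, 0, 0)
    return fixed + options
```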

Here is the Cisco documentation that confirms TCP normalization behavior:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html#wp1088337

Here is another document that I found that is not from Cisco but that gives an example of how to do this over CSM:

http://danpol.net/index.php/cisco/firewalls/riverbed-probes-asa/

In this document you can even see how it should show up in a Wireshark display and learn a little more about TCP options:

http://mccltd.net/blog/?p=1491
