Ignoring TCP handshake & Sequence Numbers for STT Traffic

Hi,

I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).

STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform a TCP handshake, i.e. TCP flags are used differently; the same goes for sequence numbers.

Is there any way to disable the regular TCP handshake and sequence number checks? I saw that there might be a chance to do something for the handshake with the embryonic connection limit, but I'm not sure about the sequence numbers.

Assume ASA 8.6.

Thanks,

Ben

Accepted Solution

Hi,

You can configure TCP state bypass only for this traffic; for the rest, the firewall would check the TCP state of the packet. Here is the doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
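The configuration the accepted answer points to, written out here as an added example; it is not part of the original thread or of the linked Cisco document. It assumes the two STT endpoints are 10.1.1.10 (behind the inside interface) and 10.2.2.20 (behind the outside interface) and that STT is sent to TCP destination port 7471; the addresses, object names and port are assumptions for illustration and must be replaced with the real values. The `set connection advanced-options tcp-state-bypass` action is the feature the answer refers to and is available on ASA 8.2(1) and later, so it applies to the 8.6 release in the question.

```cisco
! Match only the STT flows between the two tunnel endpoints, in both
! directions. Addresses and port are assumed for this example.
! Keep this ACL as narrow as possible: every packet it matches skips
! the TCP normalizer (handshake and sequence-number checks), TCP
! intercept, sequence-number randomization and application inspection.
access-list STT-BYPASS extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 7471
access-list STT-BYPASS extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 7471

class-map STT-BYPASS-CLASS
 match access-list STT-BYPASS

! Only this class gets TCP state bypass; all other TCP traffic is still
! tracked and normalized by the default connection handling.
policy-map STT-BYPASS-POLICY
 class STT-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass

! Apply the policy on the interface where the STT traffic arrives
! (inside here, assumed for the example).
service-policy STT-BYPASS-POLICY interface inside

! Verification:
!   show service-policy interface inside
!   show conn detail | include 7471
! Bypassed connections carry the "b" flag in the show conn output.
```

Two things worth checking before relying on this. First, TCP state bypass does not bypass the interface access lists or NAT: the STT packets still have to be permitted by the ACL on the ingress interface, and the ASA still creates a connection entry so the reverse-direction packets are allowed through. Second, because the ASA no longer validates flags or sequence numbers for the matched traffic, any packet that fits the ACL from either side will be accepted without a handshake, so match on exact endpoint hosts and the STT port rather than on subnets or `any`.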
