Solved: Ignoring TCP handshake & Sequence Numbers for STT Traffic

bbasler · ‎05-11-2012

Hi,

I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).

STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform TCP handshake, i.e. TCP flags are used differently same goes for sequence numbers.

Is there any way to disable to regular TCP handshake and sequence numbers checks? I saw that there might be a chance to do something for the handshake with the embryotic connection limit but I'm not sure about the sequence numbers.

Assume ASA 8.6.

Thanks,

Ben

varrao · ‎05-12-2012

Hi,

You can configure tcp state bypass only for this traffic, for the rest the firewall would check the tcp state of the packet, here is the doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

varrao · ‎05-12-2012

Hi,

You can configure tcp state bypass only for this traffic, for the rest the firewall would check the tcp state of the packet, here is the doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao