Remote service implements TCP timestamps

gjohnson1963
Level 1

I'm trying to stop the RFC 1323 Timestamp leak (Nessus ID 25220). I have added the following commands to our PIX firewall, but the test still comes back positive.

access-list 100 deny icmp any any timestamp-request

access-list 100 deny icmp any any timestamp-reply

icmp deny any outside

icmp deny any inside

Accepted Solution

Panos Kampanakis
Cisco Employee

You are dropping icmp timestamps. You need to clear the TCP timestamps.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html explains how, and the config will look like

tcp-map tmap
  tcp-options timestamp clear

access-list tcp-acl permit tcp any any

class-map tcp-class
  match access-list tcp-acl

policy-map pmap
  class tcp-class
    set connection advanced-options tmap

service-policy pmap global

Let us know if it helps.

PK
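What the tcp-map "tcp-options timestamp clear" action does to a segment, as an added example that is not part of the thread and not Cisco code: a small Python parser for TCP options that detects the RFC 1323 timestamp option (kind 8) in a constructed SYN and overwrites it with NOPs the way the normalizer's clear action does (the real ASA also fixes up the TCP checksum; this emulation does not). It is handy for checking a capture taken behind the firewall before re-running the scan.

```python
# Emulate ASA "tcp-options timestamp clear" on a raw TCP segment.
# Added example; the SYN below is constructed, not captured.
import struct

EOL, NOP, MSS, SACK_OK, TIMESTAMP = 0, 1, 2, 4, 8   # TCP option kinds


def parse_tcp_options(segment: bytes) -> list[tuple[int, bytes]]:
    """Return (kind, data) pairs for every non-NOP option in the header."""
    data_offset = (segment[12] >> 4) * 4        # header length in bytes
    opts, i, found = segment[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def has_timestamp(segment: bytes) -> bool:
    """True if the segment still carries the RFC 1323 timestamp option."""
    return any(kind == TIMESTAMP for kind, _ in parse_tcp_options(segment))


def clear_timestamp(segment: bytes) -> bytes:
    """Forward the segment but replace option 8 with NOPs, so the header
    length stays the same and the remaining options still parse."""
    data_offset = (segment[12] >> 4) * 4
    opts, i = bytearray(segment[20:data_offset]), 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = opts[i + 1]
        if kind == TIMESTAMP:
            opts[i:i + length] = bytes([NOP]) * length
        i += length
    return segment[:20] + bytes(opts) + segment[data_offset:]


# Constructed SYN: 20-byte fixed header with data offset 9 (36 bytes), then
# MSS 1460, SACK-permitted and a timestamp option (TSval 12345, TSecr 0).
SYN = (struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 9 << 4, 0x02, 65535, 0, 0)
       + bytes([MSS, 4, 0x05, 0xB4]) + bytes([SACK_OK, 2])
       + bytes([TIMESTAMP, 10]) + struct.pack("!II", 12345, 0))
```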


5 Replies


Solution worked, thanks.

tcp-map tcp-map-timestamp
  tcp-options timestamp clear

class-map class-map-timestamp
  match any

policy-map policy-map-timestamp
  class class-map-timestamp
    set connection advanced-options tcp-map-timestamp

service-policy policy-map-timestamp global

That is good news!

Please mark the thread as Answered so that others can benefit in the future.

Take care,

PK

Hi, hope everyone is fine.

It didn't work in our case. Our vendor simplified the command, and after implementing it I still get the TCP timestamp vulnerability for hosts behind the FW. Is this command supposed to clear all TCP timestamp requests for hosts behind the FW, or is it simply just for the FW itself?

tcp-map tmap-timestamp

  tcp-options timestamp clear

policy-map global_policy

class global-class

  set connection advanced-options tmap-timestamp

Hope anyone can shed some light on what we did wrong or an alternate solution.

Regards,

Mon

Hi Panos,

I can clear timestamps using tcp-map, but I've read that PAWS is then going to be disabled, and this might cause many TCP sessions to be reset. PAWS uses the TCP Timestamps option defined in Section 4 of RFC 1323 to protect against old duplicates from the same connection (an issue for the future?).

https://www.ietf.org/rfc/rfc1323.txt

On the other hand, I found that RFC 1948 could solve the vulnerability; therefore, how do you apply that RFC on my Cisco ASA 5585X? (However, it is not perfect and it also brings problems.)

I remain attentive for your feedback.
