Cisco 7604 Configuration Guide - Page 331
Chapter 16 Configuring NAT Using Dynamic NAT and PAT OL-20748-01

You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. Traffic is matched to a policy NAT command in order, until the first match; for regular NAT, the best match is used.

See the following description of the options for this command:

- access-list acl_name: Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command. (See the "Adding an Extended Access List" section on page 13-6.) This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT honor the inactive and time-range keywords and stop working when an ACE is inactive.

- nat_id: An integer between 1 and 65535. The NAT ID should match a global command NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 16-20 for more information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the "Configuring NAT Exemption" section on page 16-36 for more information about NAT exemption.)

- dns: If your nat command includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command. (See the "DNS and NAT" section on page 16-16 for more information.)

- outside: If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.

- tcp tcp_max_conns: Sets the maximum number of simultaneous TCP connections for the entire subnet, up to 65,536. The default is 0, which means the maximum number of connections is allowed.

- emb_limit: Sets the maximum number of embryonic connections per host, up to 65,536. The default is 0, which means the maximum number of connections is allowed. You must enter tcp tcp_max_conns before you enter emb_limit. If you want to keep the default value for tcp_max_conns but change emb_limit, enter 0 for tcp_max_conns. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Limiting the number of embryonic connections protects you from a DoS attack. The FWSM uses the embryonic limit to trigger TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold for a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client's SYN request. When the FWSM receives the ACK back from the client, it can then authenticate the client and allow the connection to the server.

- udp udp_max_conns: Sets the maximum number of simultaneous UDP connections for the entire subnet, up to 65,536. The default is 0, which means the maximum number of connections is allowed.

- norandomseq: Disables TCP Initial Sequence Number (ISN) randomization. TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 16-27
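The following configuration fragment is an added example, not taken from the FWSM guide, that puts the options above together: a permit-only extended access list for policy NAT, two policy nat commands entered in the order they must be matched, the tcp 0 trick for setting emb_limit while keeping the default TCP connection count, a udp limit, norandomseq, and a regular dynamic PAT rule with its matching global. The interface names (inside, outside), ACL names, addresses and NAT IDs are assumed for illustration.

```cisco
! Added example; not part of the FWSM guide. Interface names, ACL names,
! addresses and NAT IDs below are assumed for illustration.

! 1. Extended ACL for policy NAT: real source 10.1.1.0/24 to any destination
!    on TCP 80 and 443. Use permit ACEs only; an ACE that is inactive
!    (inactive or time-range keyword) stops the policy NAT rule from matching.
access-list NAT_WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list NAT_WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq 443

! 2. Narrower policy NAT for one host that overlaps the /24 above. Policy NAT
!    rules are evaluated in order until the first match, so this rule is
!    entered before the /24 rule. norandomseq is shown only because an
!    upstream in-line firewall is assumed to randomize ISNs already; omit it
!    otherwise. A single mapped address in global means dynamic PAT.
access-list NAT_HOST extended permit tcp host 10.1.1.1 any eq 80
nat (inside) 6 access-list NAT_HOST norandomseq
global (outside) 6 192.0.2.5

! 3. Policy NAT for the rest of the subnet, with connection limits:
!    tcp 0    keep the default TCP connection count for the subnet
!    100      emb_limit: more than 100 half-open connections per host
!             triggers TCP Intercept (the FWSM answers the SYN with a
!             SYN-cookie SYN-ACK and only passes the connection to the
!             server once the client's ACK validates)
!    udp 2000 cap simultaneous UDP connections for the subnet
nat (inside) 5 access-list NAT_WEB tcp 0 100 udp 2000
global (outside) 5 192.0.2.10-192.0.2.20 netmask 255.255.255.0

! 4. Regular dynamic PAT for everything else on inside, translated to the
!    outside interface address. Regular NAT uses best match rather than
!    order. NAT ID 0 is reserved for NAT exemption, so a non-zero ID is used.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

After applying, show xlate lists the translations that were built and show conn shows the current connections, which is where the per-host embryonic count can be checked against the emb_limit before raising or lowering it.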