The feature allows for configuring two parameters:
The maximum number of established connections allowed to a TCP server
The maximum number of incomplete half-open (embryonic) connections to a TCP server
When the embryonic connection limit is reached, the firewall itself answers every further SYN packet sent to the server
with a SYN+ACK and does not pass the SYN packet to the internal server. If the external host responds with
the ACK that completes the handshake, the firewall knows it is a valid request and not part of a SYN attack. The firewall then establishes
its own connection with the internal server and splices the two connections together, so the client is unaware of the proxying. If the firewall does not get an
ACK back from the client, it aggressively times out that embryonic connection, so spoofed SYNs never consume state on the server. Figure 7-8 illustrates how this
works.
Example 7-13 shows a static translation on the PIX for an internal TCP server with the embryonic limit set to 100
and the maximum connection limit set to 1000. Most Windows platforms allow a maximum of 128 half-open
(embryonic) connections, so when setting the embryonic limit on the static, use a value lower than the maximum
number of embryonic connections the server operating system allows; otherwise the server's own backlog fills before the firewall begins intercepting.
Example 7-13. Configuring TCP Intercept on PIX/ASA Firewall Using the Static Command
PIX(config)# static (inside, outside) 209.
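The following is an added illustration, not Cisco code or configuration, of the behaviour described above for the two static-command limits: below the embryonic limit, SYNs pass through to the server; once the limit is reached, the firewall answers SYN+ACK itself, builds the server-side connection only after the client's ACK, and ages out unanswered proxied entries far faster than ordinary half-open ones. The timeout values, the client names and the flood size are constructed for the example and are not PIX defaults. (On PIX 6.x the two limits are the trailing arguments of the static command, maximum connections followed by the embryonic limit, which is the order the figures 1000 and 100 appear in Example 7-13.)

```python
from dataclasses import dataclass, field


@dataclass
class InterceptingFirewall:
    """Toy model of per-server connection limits as configured on a PIX static.

    Added example: it models the behaviour the text describes, it is not
    the PIX/ASA implementation. Timeout values are assumptions.
    """
    emb_limit: int                  # max half-open (embryonic) connections to the server
    max_conns: int                  # max established connections to the server
    proxied_timeout: float = 2.0    # assumed: aggressive age-out for firewall-answered SYNs
    normal_timeout: float = 30.0    # assumed: ordinary age-out for SYNs passed to the server
    embryonic: dict = field(default_factory=dict)           # client -> (kind, created_at)
    established: set = field(default_factory=set)
    forwarded_to_server: list = field(default_factory=list)  # SYNs the server actually saw

    def on_syn(self, client, now):
        """A client SYN arrives on the outside interface."""
        if client in self.embryonic or client in self.established:
            return "retransmit"
        if len(self.established) >= self.max_conns:
            return "dropped"            # maximum connection limit reached
        if len(self.embryonic) < self.emb_limit:
            # Below the embryonic limit: the SYN goes to the internal server as normal.
            self.embryonic[client] = ("forwarded", now)
            self.forwarded_to_server.append(client)
            return "forwarded"
        # Embryonic limit reached: answer SYN+ACK on the server's behalf. The
        # server never sees this SYN unless the client completes the handshake.
        self.embryonic[client] = ("proxied", now)
        return "proxied"

    def on_client_ack(self, client, now):
        """The third segment of the handshake arrives from the client."""
        entry = self.embryonic.pop(client, None)
        if entry is None:
            return "no_state"
        kind, _created = entry
        if kind == "proxied":
            # A real client answered: the firewall now opens its own connection to
            # the server and splices it to the client side.
            self.forwarded_to_server.append(client)
        self.established.add(client)
        return "established"

    def expire(self, now):
        """Age out half-open entries; proxied ones far more aggressively."""
        expired = []
        for client, (kind, created) in list(self.embryonic.items()):
            timeout = self.proxied_timeout if kind == "proxied" else self.normal_timeout
            if now - created >= timeout:
                del self.embryonic[client]
                expired.append(client)
        return expired


def simulate_syn_flood(emb_limit=100, max_conns=1000, flood_size=250):
    """Constructed scenario: a spoofed SYN flood plus one legitimate client."""
    fw = InterceptingFirewall(emb_limit, max_conns)
    # Spoofed sources never answer the SYN+ACK.
    results = [fw.on_syn(f"spoofed-{i}", now=0.0) for i in range(flood_size)]
    # A real client connects while the flood is in progress and completes the handshake.
    legit_syn = fw.on_syn("client-A", now=0.5)
    legit_ack = fw.on_client_ack("client-A", now=0.6)
    expired = fw.expire(now=3.0)
    return {
        "forwarded": results.count("forwarded"),
        "proxied": results.count("proxied"),
        "legit_syn": legit_syn,
        "legit_ack": legit_ack,
        "server_saw_syns": len(fw.forwarded_to_server),
        "established": sorted(fw.established),
        "expired_proxied": len(expired),
        "still_half_open": len(fw.embryonic),
    }


if __name__ == "__main__":
    for key, value in simulate_syn_flood().items():
        print(f"{key}: {value}")
```

With the book's values (embryonic limit 100, maximum connections 1000) and a flood of 250 spoofed SYNs, the server receives only the first 100 SYNs; the remaining 150 are answered by the firewall and aged out, while the one legitimate client that completes its handshake is spliced through. The model also shows why the embryonic limit must sit below the server's own half-open capacity: the first `emb_limit` SYNs of a flood do reach the server and occupy its backlog until the normal timeout.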