The document discusses various TCP inspection policies that can be set on an ASA firewall to control and inspect TCP connections and traffic. These policies include limiting the number of simultaneous and partially opened TCP connections, setting timeout durations for idle, half-closed and embryonic connections, decrementing TTL values, using random sequence numbers, and verifying TCP properties like retransmissions, checksums, ACK flags, and sequence numbers within windows. The policies are implemented using class-maps, policy-maps and applying the policies to interfaces.

1. TCP INSPECTION
Set a policy to limit simultaneous TCP connection on ASA
Class-map CMAP
match any
Policy-map PMAP
set connection conn-max
service-policy PMAP interface outside
Set a policy to limit simultaneous TCP connection per client machine on ASA
Class-map CMAP
match any
Policy-map PMAP
set connection per-client-max
service-policy PMAP interface outside
Set a policy to limit partially opened TCP connection on ASA
Class-map CMAP
match any
Policy-map PMAP
set connection embryonic-conn-max
service-policy PMAP interface outside
Set a policy to limit number of partially opened TCP connection per client on ASA
Class-map CMAP
match any
Policy-map PMAP
set connection per-client-embryonic-max
service-policy PMAP interface outside
Set a policy such that legintimate telnet/ssh users wont be timed out after TCP timeout duration
Class-map CMAP
match any

2. Policy-map PMAP
set connection timeout dcd
service-policy PMAP interface outside
Set a policy such that, partially opened TCP connections will be timeout
Class-map CMAP
match any
Policy-map PMAP
set connection timeout embryonic
service-policy PMAP interface outside
Set a policy such that, half closed TCP connection will be freed (Incomplete FIN-FIN handshake) - default
10s
Class-map CMAP
match any
Policy-map PMAP
set connection timeout half-closed
service-policy PMAP interface outside
Set a policy such that, after an idle time TCP connection will be closed
Class-map CMAP
match any
Policy-map PMAP
set connection timeout TCP
service-policy PMAP interface outside
Set a policy to allow ASA to decrement ttl value
Class-map CMAP
match any
Policy-map PMAP
set connection decrement-ttl
service-policy PMAP interface outside

3. Normally TTL value begins with a high number and is decremented by each router along the network path, An
ASA however does not by default decrement the TTL value of the packets it handles. Because the TTL value
unchanged, host in the network are not able to see anASA as router hop in traceroute packets. ASA is
invisible.you can configure hte ASA to unlock itself and decrement the TTL value for specific types of traffic.
Set a policy to limit simultaneous TCP connection on ASA
Class-map CMAP
match any
Policy-map PMAP
set connection random-sequence-number
service-policy PMAP interface outside
when a new TCP connection is negotiated between two-host , an initial sequence number (ISN) is used as a
starting point for TCP coonection sequence number. Ideally the ISN should be randow number so that it can
never be predicted & leveared in TCP spoofig attack.
Set a policy such that, ASA verify TCP retransmission - default - disabled
tcp-map TMAP
check-retransmissio
Class-map CMAP
match any
Policy-map PMAP
set connection advanced-options TMAP
service-policy PMAP interface outside
Set a policy such that, ASA verify TCP checksum & drop it if it failes - default - disabled
tcp-map TMAP
checksum-verification
Class-map CMAP
match any
Policy-map PMAP
set connection advanced-options TMAP
service-policy PMAP interface outside
Set a policy such that, ASA checks packests that have invalid ACK flag

4. tcp-map TMAP
invalid-ack
Class-map CMAP
match any
Policy-map PMAP
set connection advanced-options TMAP
service-policy PMAP interface outside
Set a policy such that, ASA keeps number of out-of-order packets in a queue for inspection - default 0 packet in queue
tcp-map PMAP
queue-limit
Class-map CMAP
match any
Policy-map PMAP
set connection advanced-options TMAP
service-policy PMAP interface outside
Set a policy such that, ASA checks the TCP sequence number that fall outside the window - default - allow the packet
tcp-map PMAP
seq-past-window
Class-map CMAP
match any
Policy-map PMAP
set connection advanced-options TMAP
service-policy PMAP interface outside

8. packet in queue
allow the packet