What does the TCP intercept feature do on the Cisco ASA firewall

The TCP intercept feature is a mechanism to protect the end hosts from TCP SYN-flooding attacks (a type of DoS attack)

A SYN-flooding attack occurs when a hacker floods a server with a lots of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

The TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers that match an access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently.So connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors

In the case of illegitimate requests, the ASA firewall’s aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

When establishing your security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections.

You can choose to operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the ASA firewall intervenes and terminates the connection attempt.

There are two ways to configure TCP Intercept

1) Using NAT

ciscoasa(config)# static (inside,outside) netmask tcp 0 10

static (real_ifc, mapped_ifc) netmask tcp maximum_connectionss embryonic_limit

Here 0 means max connection the maximum number of simultaneous TCP connections that each hosts will be allowed.

And 10 means the maximum number of embryonic connections per host

2) Using MPF (Modular Policy Framework)

policy-map class class_name
set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 1