Firewall connections Timeout ????

g-serghiou
Level 1

Hi all,

Our firewall has the default timeout for idle connections and is set at 1 hour.

I know I can change this, but my question is this:

Is there a way that I can configure the firewall to have different idle timeouts for different groups based on their IP, or subnet, or something similar I can use to differentiate the groups?

thanks ,

George

Jon Marshall
Hall of Fame

George

Which firewall hardware and what version of code are you running? The short answer is yes, you can do this if you are running v7.x code or later (v3.x code on an FWSM). If you are running v6.x code (v2.x on an FWSM) you cannot do this, as the timeouts are global.

If you let me know the hardware/software I can send you a link.

Jon

Hi,

It's a PIX 515 with version 7.2(2)!

Thanks,

George

George

Here is a link to configuring per connection/group of connections timeouts.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wpxref61683

HTH

Jon

Thanks Jon !!!

How is this not helpful ???

It's very helpful actually...

I also left you a 5 rating score !!! (if I remember correctly !!)

I never said it was not helpful,

and once again,

thanks for your help !!!

George

George

Apologies, it's the way the responses sometimes are presented. I wasn't referring to your rating or response, rather the fact that someone else rated my original response in this thread as not helpful.

My comment was not intended for you. Many thanks for your rating, hope that clears things up

Jon

No worries Jon !!!

I'm clear with things... I'll see what they want to achieve and come up with a suitable solution !!!

Thanks again

George

Herbert Baerten
Cisco Employee

Yes, you can set the connection timeout in a policy-map, so you can specify different values per class.

see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080624e19.shtml

The example here has a class-map matching destination IP and port, but you can just as well match on source IP address.

If you need more help let us know.

[edit] Sorry, hadn't noticed this had been answered already :)

Hi hebaerte

thanks for your reply as well...

all replies were/are welcome and helpful...

Thanks all,

George
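
The per-class timeout approach described in the replies above, sketched for a PIX/ASA running 7.2 code. This is an added example, not part of any post in the thread and not taken from the linked Cisco documents; the subnets, the ACL, class-map and policy-map names, the timeout values and the `inside` interface name are all assumptions to adapt.

```cisco
! Constructed example: addresses, names and timeout values are assumptions.
! Traffic that matches no class below keeps the global idle timeout
! (the 1 hour default mentioned in the question).
timeout conn 1:00:00
!
! Group A: source subnet whose idle TCP connections may stay up longer
access-list IDLE_GROUP_A extended permit tcp 10.10.10.0 255.255.255.0 any
! Group B: source subnet whose idle TCP connections are removed sooner
access-list IDLE_GROUP_B extended permit tcp 10.10.20.0 255.255.255.0 any
!
! One class-map per group, each matching on its source-based ACL
class-map CM_IDLE_GROUP_A
 match access-list IDLE_GROUP_A
class-map CM_IDLE_GROUP_B
 match access-list IDLE_GROUP_B
!
! One policy-map holding a different idle timeout for each class
policy-map PM_IDLE_TIMEOUTS
 class CM_IDLE_GROUP_A
  set connection timeout tcp 4:00:00
 class CM_IDLE_GROUP_B
  set connection timeout tcp 0:15:00
!
! Apply on the interface where these clients' connections arrive
service-policy PM_IDLE_TIMEOUTS interface inside
```

Keep the match ACLs as narrow as the requirement allows, since every long-lived idle connection holds an entry in the connection table. `show service-policy interface inside` confirms that the classes are attached and matching traffic.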
