ASA 5510 Policy map

Unanswered Question
May 26th, 2009

Hello all,

I have 2 proxy servers allowed to do www through the firewall, but I want to make a policy which would restrict the tcp connections and the embryonic connections.

Does anyone know what would be the best practices for this?

I mean I am not sure how many I should allow and what should the time-out intervals be!



Anonymous (not verified) Mon, 06/01/2009 - 11:05

To configure a timeout for TCP embryonic connections (connections that result from an incomplete three-way handshake) and half-closed connections (connections where the client has sent a FIN and the server has not responded), use the set tcp timeout command. Use the no form of this command to reset TCP timeout values to their default settings.

set tcp timeout {embryonic seconds | half-closed seconds}

no set tcp timeout {embryonic | half-closed}


To set the TCP timeout for embryonic connections to 24 seconds, enter:

host1/Admin(config-parammap-conn)# set tcp timeout embryonic 24

To reset the TCP half-closed connection timeout to the default of 600 seconds, enter:

host1/Admin(config-parammap-conn)# no set tcp timeout half-closed

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
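The following is an added example, not part of the reply above and not Cisco documentation. It shows how the connection limits, embryonic limits, timeouts and TCP normalization discussed in the reply are expressed on an ASA (7.2/8.x syntax) as a class inside a policy map, using the set connection command that applies per-class on the ASA. The two proxy addresses (10.0.0.10 and 10.0.0.11), the interface name "inside", and every numeric limit and timeout are assumed placeholders chosen for illustration; the page gives no recommended values, so size them from the observed peak connection counts of the proxies rather than copying these numbers.

```text
! Constructed example: match only the two proxy servers' outbound HTTP
access-list PROXY_WWW extended permit tcp host 10.0.0.10 any eq www
access-list PROXY_WWW extended permit tcp host 10.0.0.11 any eq www

class-map PROXY_WWW_CLASS
 match access-list PROXY_WWW

! Optional TCP normalizer profile: drop segments that do not look like
! normal TCP (values shown are illustrative, not best-practice numbers)
tcp-map PROXY_TCP_NORMALIZE
 exceed-mss drop
 tcp-options range 6 7 clear
 urgent-flag clear

policy-map PROXY_CONN_POLICY
 class PROXY_WWW_CLASS
  ! Total limits for the class, then per-client limits.
  ! embryonic-conn-max is the threshold that triggers TCP Intercept
  ! (SYN proxying) for traffic matching this class.
  set connection conn-max 2000 embryonic-conn-max 200 per-client-max 1000 per-client-embryonic-max 100
  ! Timeouts in hh:mm:ss: embryonic (half-open) 30s, half-closed 10m, idle TCP 1h
  set connection timeout embryonic 0:00:30 half-closed 0:10:00 tcp 1:00:00
  ! Attach the normalizer profile to this class
  set connection advanced-options PROXY_TCP_NORMALIZE

! Apply on the interface the proxies sit behind (interface policy overrides
! the global policy for matching traffic)
service-policy PROXY_CONN_POLICY interface inside
```

To check the effect, "show service-policy interface inside" reports the current and maximum embryonic and established connection counts per class, and "show conn" lists the individual connections; tune the limits only after watching those counters through a normal busy period, because a limit set below the proxies' legitimate peak produces a self-inflicted outage rather than DoS protection.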

