Re : To make ports never to timeout

Hi,

I would like to verify if the below is the right configuration for the ports not to time out, so that it will never time out the connection.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
   match access-list ACL1-in
!
policy-map AIC_Agent
    class AIC_Agent_Servers
         set connection timeout tcp 0
!
!
service-policy AIC_Agent global
!

Please advise,


Cheers,
-SN-

1 Accepted Solution

Jennifer Halim
Cisco Employee

That's absolutely correct except the last command, where you have to apply the service-policy to a specific interface depending on the direction of the traffic, because I believe there should already be a global_policy by default applied to global policy, as you can't apply 2 global policies globally.

If you check with "sh run service-policy", it will show you if you already have an existing policy. Otherwise, if you haven't had a global policy, you can apply it. Or else, just apply it to the specific interface.

Hope that helps.

Hi Halijenn,

Yes, you are right, there is an existing default global policy on the ASA that is called global_policy.

So I would need to add this on the interface.

The difference that I see here is that the service-policy would need to be entered on the interface without the input/output word, compared to entering the service-policy on a router.

Thanks once again for your response.

Cheers,

-SN-

Can I use the same commands to work under INTERFACE POLICY?

Meaning, can I always use the same logic for both global and interface policy?

(I know only 1 will be active at one time, and if an interface policy exists with a global policy, the interface policy takes precedence!)

Yep, the doc says you can, and so does halijenn. If you apply it to the interface, it only takes effect at the interface level, and if it is applied globally then it would affect all packets that hit all interfaces on the FW.

The other way that I can think of doing it is adding additional class-maps and then calling them from the existing global policy.

I believe this should work as well.

Cheers,

-SN-
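
The two placements discussed in this thread, written out as an added example (not configuration posted by any participant). The interface name `inside` is an assumption; the ACL, class-map and policy-map names are the ones from the original post. Use one option or the other.

```cisco
! Added example. ACL and class-map reused from the original post.
class-map AIC_Agent_Servers
 match access-list ACL1-in
!
! Option A: keep the dedicated policy-map and bind it to one interface.
! "inside" is an assumed interface name; substitute the interface on
! which the traffic matched by ACL1-in arrives.
policy-map AIC_Agent
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
service-policy AIC_Agent interface inside
!
! Option B: leave the default global service-policy in place and add
! the class to the existing global_policy policy-map instead.
policy-map global_policy
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
! Check which service-policies are already applied (command quoted in
! the accepted answer):
!   show running-config service-policy
```

With a timeout of 0 the matched connections stay in the connection table until they are closed or cleared, so keep ACL1-in limited to the hosts and ports that need it.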
