07-12-2010 12:46 AM - edited 03-11-2019 11:10 AM
Hi,
I would like to verify if the below is the right configuration for the ports not to time out, therefore it will never timeout the connection.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
 match access-list ACL1-in
!
policy-map AIC_Agent
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
!
service-policy AIC_Agent global
!
!
Please advise,
!
Cheers,
-SN-
07-12-2010 12:58 AM
That's absolutely correct except the last command, where you have to apply the service-policy to a specific interface depending on the direction of the traffic, because I believe there should already be a global_policy by default applied to global policy, as you can't apply 2 global policies globally.
If you check with "sh run service-policy", it will show you if you already have an existing policy. Otherwise, if you don't have a global policy, you can apply it. Or else, just apply it to the specific interface.
Hope that helps.
07-13-2010 06:04 PM
Hi Halijenn,
Yes you are right, there is an existing default global policy on the ASA that is called global_policy.
So I would need to add this on the interface.
The difference that I see here is that the service-policy would need to be entered on the interface without the input/output word, compared to if I were to enter the service-policy on a router.
Thanks once again for your response.
Cheers,
-SN-
07-13-2010 07:59 PM
Can I use the same commands to work under INTERFACE POLICY?
Meaning, can I use the same logic always for both global and interface policy?
(I know only 1 will be active at one time, and if an interface policy exists with a global policy, the interface policy takes precedence!)
07-13-2010 08:17 PM
Yep, the doco says you can and so does Halijenn. If you apply it to the interface, it only affects the interface level, and if it is applied globally then it would affect all packets that hit all interfaces on the FW.
The other way that I can think of doing it is adding additional class-maps and then call it from the existing global policy.
I believe this should work as well.
Cheers,
-SN-
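The two options discussed in this thread, written out as an added example that is not part of any poster's message. It reuses the class-map and policy-map names from the original question; the interface name "inside" is an assumption, so substitute the interface the desktop users' traffic enters on.

```cisco
! Check which service-policies are already applied
! (a default ASA normally shows: service-policy global_policy global)
show running-config service-policy
!
! Option A: apply the new policy-map to one interface.
! On the ASA there is no input/output keyword on this command.
! "inside" is an assumed interface name.
service-policy AIC_Agent interface inside
!
! Option B: keep the existing global policy and add the class to it,
! instead of creating a second policy-map.
policy-map global_policy
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
! Confirm the class is attached and matching traffic
show service-policy
```

Use Option A or Option B, not both; either way the class-map AIC_Agent_Servers and access-list ACL1-in from the question must already exist.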