New Member

Can connection timeouts be defined on a per port basis on FWSM's like ISG's

The FWSMs and ASAs have default connection timeout values, but I need to know if conn timeout values can be defined for individual ports like tcp/udp 111 and others.

I see the following default global connection timeout values as such:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

Thanks,

-Scott

Accepted Solutions
New Member

Re: Can connection timeouts be defined on a per port basis on FW

Connection timeouts can be defined on a per port basis. Create an access-list to match the traffic. Then create a class-map to match the access-list. Apply the class with a service policy.

Ex.

! Match telnet (tcp/23) from one host to the 10.25.45.0/24 subnet
access-list ABC-Traffic extended permit tcp host 10.25.35.10 10.25.45.0 255.255.255.0 eq 23
!
class-map ABC-Traffic-Class
 match access-list ABC-Traffic
!
! Add the class to the policy map that is already applied with "service-policy global_policy global"
policy-map global_policy
 class ABC-Traffic-Class
  set connection timeout tcp 12:00:00

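The same MPF pattern applied to the port actually asked about (tcp/111), as an added example that is not from the thread; the ACL name, class name and source subnet are placeholders, and the syntax is the ASA 7.x / FWSM 3.x form shown in the accepted answer:

```cisco
! Added example: shorten the idle timeout for TCP sessions to port 111
! (sunrpc/portmapper) so stale sessions leave the connection table sooner
! than the global "timeout conn 1:00:00" would allow.
!
! 1. Match the traffic. Names and the source subnet are placeholders.
access-list RPC-111-ACL extended permit tcp 10.25.45.0 255.255.255.0 any eq 111
!
! 2. Class map that references the ACL.
class-map RPC-111-CLASS
 match access-list RPC-111-ACL
!
! 3. Add the class to the policy map. On the ASA, "global_policy" is the
!    policy map applied globally by default. The tcp value ranges from
!    0:5:0 to 1193:0:0; 0 means the connection never times out. Flows not
!    matched by the class keep the global "timeout conn" value. This
!    7.x/3.x syntax has no udp keyword, so udp/111 keeps "timeout udp".
policy-map global_policy
 class RPC-111-CLASS
  set connection timeout tcp 0:10:00
!
! 4. Apply the policy only if it is not already applied (check with
!    "show run service-policy"). There is one global policy, and each
!    interface can carry only one interface policy.
service-policy global_policy global
!
! Verify: the class should be listed under the global policy, and idle
! port-111 connections should age out of "show conn" after about 10 minutes.
! show service-policy global
! show conn port 111
```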
4 REPLIES
Hall of Fame Super Blue

Re: Can connection timeouts be defined on a per port basis on FW

Scott

For the FWSM it depends on what version of software you are running. For version 2.x the timeouts are global, just as they are for PIX 6.x.

However, with an ASA, which runs v7.x at a minimum, and with an FWSM running v3.x of the code, yes, you can define connection timeouts for individual ports/IP addresses.

Here is a link for the FWSM that covers how you would do it:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mpf_f.html

Jon

New Member

Re: Can connection timeouts be defined on a per port basis on FW

Hi Jon,

We are running FWSM 3.25 and ASA 7.24, so we should have the ability. I don't see, in the URL you sent me, where the commands to change individual port conn timeout values are. Is it a policy-map configuration?

Thanks

Hall of Fame Super Blue

Re: Can connection timeouts be defined on a per port basis on FW

Yes, you would create a policy map with a class map that matches the traffic you are interested in, and then set the connection timeout within that.

Pretty much like the class maps/policy maps/service policies used in the MQC for QoS.

Jon
