Cisco Support Community
Community Member

Re : To make ports never to timeout

Hi,

I would like to verify whether the configuration below is the right one for the ports not to time out, so that the connection never times out.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
   match access-list ACL1-in
!
policy-map AIC_Agent
    class AIC_Agent_Servers
         set connection timeout tcp 0
!
!
service-policy AIC_Agent global
!

!

Please advise,

!

Cheers,
-SN-

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Re : To make ports never to timeout

That's absolutely correct except for the last command, where you have to apply the service-policy to a specific interface depending on the direction of the traffic, because I believe there should already be a global_policy applied globally by default, and you can't apply two global policies globally.

If you check with "sh run service-policy", it will show you whether you already have an existing policy. Otherwise, if you don't have a global policy, you can apply it. Or else, just apply it to the specific interface.

Hope that helps.

4 REPLIES
Community Member

Re: Re : To make ports never to timeout

Hi Halijenn,

Yes, you are right, there is an existing default global policy on the ASA that is called global_policy.

So I would need to add this on the interface.

The difference that I see here is that the service-policy would need to be entered on the interface without the input/output word, compared to entering the service-policy on a router.

Thanks once again for your response.

Cheers,

-SN-

Community Member

Re: Re : To make ports never to timeout

Can I use the same commands to work under an INTERFACE POLICY?

Meaning, can I always use the same logic for both global and interface policies?

(I know only 1 will be active at one time, and if an interface policy exists alongside the global policy, the interface policy takes precedence!)

Community Member

Re: Re : To make ports never to timeout

Yep, the documentation says you can, and so does halijann. If you apply it to the interface, it only takes effect at the interface level, and if it is applied globally then it would affect all packets that hit all interfaces on the FW.

The other way that I can think of doing it is adding additional class-maps and then calling them from the existing global policy.

I believe this should work as well.

Cheers,

-SN-
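The two options discussed in this thread, written out as an added example that is not part of any poster's message. It reuses the class-map and policy-map names from the original post; the interface name `inside` is an assumption.

```cisco
! Added example. "inside" is an assumed interface name; all other names
! come from the original post.
!
! Step 1: check which service policies are already applied.
! A default ASA shows "service-policy global_policy global" here.
show running-config service-policy
!
! Traffic selection and class-map, exactly as in the original post.
! The ACL keeps the no-timeout behaviour limited to the matched flows.
access-list ACL1-in extended permit tcp object-group Desktops_Users object-group AIC_Servers object-group AVAYA-AIC_agent_app
!
class-map AIC_Agent_Servers
 match access-list ACL1-in
!
! Option A: keep global_policy untouched and bind the new policy-map
! to one interface. The ASA command takes no input/output keyword.
policy-map AIC_Agent
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
service-policy AIC_Agent interface inside
!
! Option B (instead of A): add the class to the existing global policy.
! No new service-policy line is needed, global_policy is already applied.
policy-map global_policy
 class AIC_Agent_Servers
  set connection timeout tcp 0
!
! Step 2: confirm where the class is active and that it is matching traffic.
show service-policy interface inside
show service-policy global
```

Use Option A or Option B, not both, so the timeout setting for this class is defined in one place only.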
