Configure Connection Settings For Specific Traffic Classes (All Services) - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Configure Connection Settings
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name. For the class map, specify the
class you created earlier in this procedure.
Disable TCP sequence number randomization on the class.
Step 3
set connection random-sequence-number disable
If you later decide to turn it back on, replace "disable "with enable.
If you are editing an existing service policy (such as the default global policy called global_policy), you
Step 4
are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
Configure Connection Settings for Specific Traffic Classes (All Services)
You can configure different connection settings for specific traffic classes using service policies. Use
service policies to:
•
•
•
•
•
•
You can configure any combination of these settings for a given traffic class, except for TCP State
Bypass and TCP Normalizer customization, which are mutually exclusive.
This procedure shows a service policy for traffic that goes through the ASA. You can also configure the
Tip
connection maximum and embryonic connection maximum for management (to the box) traffic.
Before You Begin
If you want to customize the TCP Normalizer, create the required TCP Map before proceeding.
Cisco ASA Series Firewall CLI Configuration Guide
16-14
Customize connection limits and timeouts used to protect against DoS and SYN-flooding attacks.
Implement Dead Connection Detection so that valid but idle connections remain alive.
Disable TCP sequence number randomization in cases where you do not need it.
Customize how the TCP Normalizer protects against abnormal TCP packets.
Implement TCP State Bypass for traffic subject to asynchronous routing. Bypass traffic is not
subject to inspection.
Decrement time-to-live (TTL) on packets so that the ASA will show up on trace route output.
If you decrement time to live, packets with a TTL of 1 will be dropped, but a connection will
Note
be opened for the session on the assumption that the connection might contain packets with
a greater TTL. Note that some packets, such as OSPF hello packets, are sent with TTL = 1,
so decrementing time to live can have unexpected consequences.
Chapter 16
Connection Settings
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
