
Cisco ASA 5506-X Configuration Manual page 257


Connection Settings
This chapter describes how to configure connection settings for connections that go through the ASA,
or for management connections that go to the ASA.
- What Are Connection Settings?
- Configure Connection Settings
- Monitoring Connections
- History for Connection Settings

What Are Connection Settings?
Connection settings comprise a variety of features related to managing traffic connections, such as a TCP
flow through the ASA. Some features are named components that you would configure to supply specific
services.
Connection settings include the following:
- Global timeouts for various protocols—All global timeouts have default values, so you need to
  change them only if you are experiencing premature connection loss.
- Connection timeouts per traffic class—You can override the global timeouts for specific types of
  traffic using service policies. All traffic class timeouts have default values, so you do not have to set
  them.
- Connection limits and TCP Intercept—By default, there are no limits on how many connections
  can go through (or to) the ASA. You can set limits on particular traffic classes using service policy
  rules to protect servers from denial of service (DoS) attacks. Particularly, you can set limits on
  embryonic connections (those that have not finished the TCP handshake), which protects against
  SYN flooding attacks. When embryonic limits are exceeded, the TCP Intercept component gets
  involved to proxy connections and ensure that attacks are throttled.
- Dead Connection Detection (DCD)—If you have persistent connections that are valid but often
  idle, so that they get closed because they exceed idle timeout settings, you can enable Dead
  Connection Detection to identify idle but valid connections and keep them alive (by resetting their
  idle timers). Whenever idle times are exceeded, DCD probes both sides of the connection to see if
  both sides agree the connection is valid. The show service-policy command includes counters to
  show the amount of activity from DCD.
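
The following ASA CLI fragment is an added example, not taken from the Cisco guide. It shows how the items above fit together in one service policy: a global timeout, a per-class idle timeout override, connection and embryonic limits, and DCD. The ACL and class names, the server address 203.0.113.10 and all numeric values are constructed for illustration.

```cisco
! Global idle timeout for connections (applies unless a traffic class overrides it).
timeout conn 1:00:00
!
! Traffic class: HTTPS to one published server (constructed address).
access-list WEB_SERVERS extended permit tcp any host 203.0.113.10 eq 443
class-map PROTECT_WEB
 match access-list WEB_SERVERS
!
policy-map global_policy
 class PROTECT_WEB
  ! By default there are no limits. Cap total and embryonic (half-open)
  ! connections for this class, and embryonic connections per client.
  ! Once the embryonic limit is exceeded, TCP Intercept proxies the handshake.
  set connection conn-max 2000 embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Per-class override of the global idle timeout.
  set connection timeout idle 2:00:00
  ! DCD: when the idle timeout expires, probe both endpoints
  ! (retry every 15 seconds, up to 5 tries) before closing the connection.
  set connection timeout dcd 0:00:15 5
!
service-policy global_policy global
!
! Check the limits in effect and the DCD counters:
! show service-policy
```

Size the limits from the protected server's measured normal load, so that legitimate peaks stay below the embryonic threshold and TCP Intercept engages only under abnormal SYN rates.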
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 11, page 11-1
