Configuration Examples for TCP State Bypass, Configuration Examples for TCP Normalization – Cisco ASA 5505 User Manual


53-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 53 Configuring Connection Settings

Configuration Examples for Connection Settings

Configuration Examples for Connection Limits and Timeouts

The following example sets the connection limits and timeouts for all traffic on the outside interface. Setting embryonic-conn-max also enables TCP Intercept for the matching traffic once the limit is reached, and the dcd keyword turns on Dead Connection Detection so that an idle connection whose endpoints still respond is not torn down:

hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
hostname(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
hostname(config-pmap-c)# service-policy CONNS interface outside

You can enter set connection commands with multiple parameters, or you can enter each parameter as a separate command. The ASA combines the commands into one line in the running configuration; entering a keyword that is already set replaces its value rather than adding a second entry. For example, if you entered the following two commands in class configuration mode:

hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50

the output of the show running-config policy-map command would display the result of the two commands in a single, combined command:

set connection conn-max 600 embryonic-conn-max 50

Configuration Examples for TCP State Bypass

The following is a sample configuration for TCP state bypass. The class matches only TCP traffic sourced from 10.1.1.0/27, the policy is applied to the outside interface, and the static command uses the pre-8.3 NAT syntax:

hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy interface outside
hostname(config-pmap-c)# static (inside,outside) 209.165.200.224 10.1.1.0 netmask 255.255.255.224

Keep the access list as narrow as the asymmetric-routing problem requires. For connections that match the class, the ASA no longer enforces the TCP state machine, so a packet other than a SYN can create a connection, and TCP normalization, TCP sequence number randomization, TCP Intercept, and application inspection are not applied to that traffic.
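The two behaviours described above, the ASA folding repeated set connection commands into one running-config line and a bypass class whose scope is set by an access list, can be checked offline against saved configurations. The following Python script is an added example and is not code from the Cisco guide: it parses a constructed running-config fragment written in the form this chapter uses, rebuilds the combined set connection lines for each class, and reports every class that enables tcp-state-bypass while matching all traffic or an access list entry with any as both source and destination. The sample configuration, the ANY_TO_ANY pattern, and the keyword order in the rebuilt lines are assumptions of the example rather than behaviour the guide specifies.

```python
# Added example, not code from the Cisco guide: parse this chapter's policy lines,
# merge repeated 'set connection' commands per class as the ASA does, and flag
# tcp-state-bypass classes that are not narrowly scoped.
import re
from collections import defaultdict

# Constructed sample, not captured from a device: the chapter's examples plus a
# deliberately over-broad bypass class ('everything').
SAMPLE_CONFIG = """\
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
access-list wide_open extended permit tcp any any
class-map CONNS
 match any
class-map tcp_bypass
 match access-list tcp_bypass
class-map everything
 match access-list wide_open
policy-map CONNS
 class CONNS
  set connection conn-max 600
  set connection embryonic-conn-max 50
  set connection timeout idle 2:0:0 embryonic 0:40:0 dcd
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class everything
  set connection advanced-options tcp-state-bypass
"""
# Assumed shape of an any-to-any ACE: 'extended permit <proto> any [port-op] any'
ANY_TO_ANY = re.compile(r"^extended permit \S+ any[46]? (?:(?:eq|gt|lt|neq) \S+ )?any[46]?\b")


def merge_set_connection(params, line):
    """Fold one 'set connection ...' command into params, keyed by the line it
    belongs on; a later value for the same keyword replaces the earlier one."""
    tokens, prefix = line.split()[2:], "set connection"
    if tokens and tokens[0] == "timeout":          # the ASA keeps timeouts on their own line
        prefix, tokens = "set connection timeout", tokens[1:]
    target, i = params.setdefault(prefix, {}), 0
    while i < len(tokens):
        if tokens[i] == "dcd":                     # flag; optional interval and retries follow
            target["dcd"] = " ".join(tokens[i + 1:])
            break
        target[tokens[i]] = tokens[i + 1]          # keyword value pairs
        i += 2


def render_set_connection(params):
    """Rebuild the combined line(s) the running configuration would show.
    Keyword order is first appearance, which need not match the ASA's own."""
    return [prefix + " " + " ".join(f"{k} {v}".rstrip() for k, v in kv.items())
            for prefix, kv in params.items()]


def parse_asa_config(text):
    """Return (acls, class_maps, policy_maps) from a running-config fragment."""
    acls, class_maps, policy_maps = defaultdict(list), defaultdict(list), {}
    cur_cmap = cur_pmap = cur_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                            # a new top-level command
            cur_cmap = cur_pmap = cur_class = None
            if m := re.match(r"access-list (\S+) (.+)", line):
                acls[m.group(1)].append(m.group(2))
            elif m := re.match(r"class-map (\S+)$", line):
                cur_cmap = m.group(1)
            elif m := re.match(r"policy-map (\S+)$", line):
                cur_pmap, policy_maps[m.group(1)] = m.group(1), {}
        elif cur_cmap and line.startswith("match "):
            class_maps[cur_cmap].append(line)
        elif cur_pmap and indent == 1 and line.startswith("class "):
            cur_class = line.split()[1]
            policy_maps[cur_pmap].setdefault(cur_class, {})
        elif cur_class and line.startswith("set connection "):
            merge_set_connection(policy_maps[cur_pmap][cur_class], line)
    return acls, class_maps, policy_maps


def audit_tcp_state_bypass(text):
    """Return (policy_map, class, reason) for each tcp-state-bypass class that
    matches all traffic or an any-to-any access list entry."""
    acls, class_maps, policy_maps = parse_asa_config(text)
    findings = []
    for pmap, classes in policy_maps.items():
        for cname, params in classes.items():
            if params.get("set connection", {}).get("advanced-options") != "tcp-state-bypass":
                continue
            for clause in class_maps.get(cname, []):
                if clause == "match any":
                    findings.append((pmap, cname, "class matches all traffic"))
                elif m := re.match(r"match access-list (\S+)", clause):
                    for ace in acls.get(m.group(1), []):
                        if ANY_TO_ANY.match(ace):
                            findings.append((pmap, cname, f"{m.group(1)}: {ace}"))
    return findings
```

Feed the output of show running-config to parse_asa_config and render_set_connection to see the merged set connection lines for a class, and to audit_tcp_state_bypass to list bypass classes that need a tighter access list. On the constructed sample the CONNS class renders as the two combined lines the chapter describes, the tcp_bypass class is accepted because its access list restricts the source to 10.1.1.0/27, and the everything class is reported for its any-to-any entry.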

Configuration Examples for TCP Normalization

By default the TCP normalizer clears the URG flag and urgent offset in every packet. To allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port (ports 20 through 23), enter the following commands:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap
hostname(config-pmap-c)# service-policy pmap global

The ASA permits only one global service policy. On a device that already applies the default global_policy, add urg-class to that policy map instead of creating pmap.
