
Cisco ASA 5508-X

428 pages
Cisco ASA Series Firewall CLI Configuration Guide

Chapter 16: Connection Settings

This chapter describes how to configure connection settings for connections that go through the ASA,
or for management connections that go to the ASA.

- What Are Connection Settings?
- Configure Connection Settings
- Monitoring Connections
- History for Connection Settings

What Are Connection Settings?
Connection settings comprise a variety of features related to managing traffic connections, such as a TCP
flow through the ASA. Some features are named components that you would configure to supply specific
services.
Connection settings include the following:

- Global timeouts for various protocols—All global timeouts have default values, so you need to
  change them only if you are experiencing premature connection loss.
- Connection timeouts per traffic class—You can override the global timeouts for specific types of
  traffic using service policies. All traffic class timeouts have default values, so you do not have to set
  them.
- Connection limits and TCP Intercept—By default, there are no limits on how many connections
  can go through (or to) the ASA. You can set limits on particular traffic classes using service policy
  rules to protect servers from denial of service (DoS) attacks. Particularly, you can set limits on
  embryonic connections (those that have not finished the TCP handshake), which protects against
  SYN flooding attacks. When embryonic limits are exceeded, the TCP Intercept component gets
  involved to proxy connections and ensure that attacks are throttled.
- Dead Connection Detection (DCD)—If you have persistent connections that are valid but often
  idle, so that they get closed because they exceed idle timeout settings, you can enable Dead
  Connection Detection to identify idle but valid connections and keep them alive (by resetting their
  idle timers). Whenever idle times are exceeded, DCD probes both sides of the connection to see if
  both sides agree the connection is valid. The show service-policy command includes counters to
  show the amount of activity from DCD.
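
The following service policy is an added example, not taken from the Cisco guide. It shows how the per-class embryonic connection limits and Dead Connection Detection described above fit together in one traffic class. The object names, the server address 192.0.2.10 (a documentation address), the interface name, and all limit and timer values are assumptions chosen for illustration.

```cisco
! Constructed example: names, address, and values are placeholders.

! 1. Identify the traffic class: TCP connections to one protected web server.
access-list WEB_SERVER_IN extended permit tcp any host 192.0.2.10 eq www

class-map WEB_SERVER_CONNS
 match access-list WEB_SERVER_IN

! 2. Apply connection settings to that class only.
policy-map OUTSIDE_CONN_POLICY
 class WEB_SERVER_CONNS
  ! Cap half-open (embryonic) connections for the class and per client.
  ! Once a cap is exceeded, TCP Intercept proxies the handshake so the
  ! server sees only connections that complete it.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Override the idle timeout for this class and enable DCD: after one hour
  ! idle, probe both endpoints every 15 seconds, up to 5 times, and keep the
  ! connection (resetting its idle timer) if both sides respond.
  set connection timeout idle 1:00:00 dcd 0:00:15 5

! 3. Attach the policy to the interface facing the untrusted network.
service-policy OUTSIDE_CONN_POLICY interface outside

! 4. Verify: the output includes the DCD activity counters for the class.
show service-policy
```

Size the embryonic limits from the protected server's observed connection rate, since a limit set too low sends legitimate clients through TCP Intercept during normal load peaks.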
