Cisco ASA Series Firewall CLI Configuration Guide, Chapter 16, Connection Settings (page 16-15)

Configure Connection Settings
The set connection command (for connection limits and sequence randomization) and set connection 
timeout commands are described here separately for each parameter. However, you can enter the 
commands on one line, and if you enter them separately, they are shown in the configuration as one 
command.
Procedure
Step 1 Create an L3/L4 class map to identify the traffic for which you want to customize connection settings.
class-map name 
match parameter
Example: 
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class 
map.
policy-map name
class name
Example: 
hostname(config)# policy-map global_policy
hostname(config-pmap)# class CONNS 
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you 
want to edit the global_policy, enter global_policy as the policy name. For the class map, specify the 
class you created earlier in this procedure.
Step 3 Set connection limits and TCP sequence number randomization. (TCP Intercept.)
• set connection conn-max n—The maximum number of simultaneous TCP or UDP connections that are allowed, between 0 and 2000000, for the entire class. The default is 0, which allows unlimited connections.
  – If two servers are configured to allow simultaneous TCP or UDP connections, the connection limit is applied to each configured server separately.
  – Because the limit is applied to a class, one attack host can consume all the connections and leave none for the rest of the hosts that are matched to the class.
• set connection embryonic-conn-max n—The maximum number of simultaneous embryonic 
connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections. 
By setting a non-zero limit, you enable TCP Intercept, which protects inside systems from a DoS 
attack perpetrated by flooding an interface with TCP SYN packets. Also set the per-client options 
to protect against SYN flooding.
• set connection per-client-embryonic-max n—The maximum number of simultaneous embryonic 
connections allowed per client, between 0 and 2000000. The default is 0, which allows unlimited 
connections.
• set connection per-client-max n—The maximum number of simultaneous connections allowed per 
client, between 0 and 2000000. The default is 0, which allows unlimited connections. This argument 
restricts the maximum number of simultaneous connections that are allowed for each host that is 
matched to the class.
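The three steps above assembled into one complete configuration, as an added example that is not from the guide itself. It matches traffic to a single server with an access list instead of match any, because, as noted under conn-max, a class-wide limit on a broad class lets one attacking host consume the whole budget; per-client limits are set alongside the class-wide ones so that a single source cannot do that here either. The object, access-list and class names (WEB_SERVER, TO_WEB_SERVER, WEB_CONNS), the 192.0.2.10 address and every numeric limit are placeholders chosen for illustration, and the lines beginning with ! are annotations, not commands to type.

```cisco
! Added example (not from the guide): connection limits for one protected server.
! WEB_SERVER / TO_WEB_SERVER / WEB_CONNS and 192.0.2.10 are placeholder values.
object network WEB_SERVER
 host 192.0.2.10
access-list TO_WEB_SERVER extended permit tcp any object WEB_SERVER eq www

! Step 1: L3/L4 class map that selects only traffic to the server.
class-map WEB_CONNS
 match access-list TO_WEB_SERVER

! Step 2: add the class to the default global policy (already applied to all
! interfaces, so no new service-policy command is needed).
policy-map global_policy
 class WEB_CONNS
! Step 3: class-wide limits (conn-max, embryonic-conn-max) plus per-client
! limits; a non-zero embryonic-conn-max enables TCP Intercept for this class.
! All four parameters may be given on one line, or as separate set connection
! commands; the running configuration shows them merged into one command.
  set connection conn-max 10000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 20
```

After entering this, show service-policy lists the class under global_policy with its connection settings, which is the quickest way to confirm the limits landed on the intended class rather than on a broader one.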