6-11
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 6 Configuring Basic Settings
Configuring Connection Limits for Non-NAT Configurations
To set connection limits for the inside interface (transparent mode), or for traffic between interfaces at the same security level (where no address translation is performed), enter the following command:
FWSM/contexta(config)# static (inside_interface,outside_interface) local_ip_address local_ip_address netmask mask [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Enter the same IP address for both local_ip_address arguments; because no translation takes place, the static command here only attaches connection limits to the address (or, with a shorter netmask, to the subnet).
Set one or more of the following options:
• norandomseq—Disables TCP Initial Sequence Number (ISN) randomization. Randomized ISNs protect hosts behind the FWSM against sequence-number prediction, so use this option only if another in-line firewall is already randomizing sequence numbers and the double randomization is corrupting the data. See the “Security Level Overview” section on page 6-6 for information about TCP sequence numbers.
• tcp tcp_max_conns, udp udp_max_conns—The maximum number of simultaneous TCP and/or UDP connections for the entire subnet covered by the netmask, up to 65,536. The default is 0 for both protocols, which means no explicit limit (the system maximum applies).
• emb_limit—The maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Setting this limit enables the TCP Intercept feature, which protects the host against SYN-flood attacks. (See the “Other Protection Features” section on page 1-6 for more information.) The default is 0, which means no explicit limit on embryonic connections. Note that this limit is per host, whereas tcp_max_conns and udp_max_conns apply to the whole subnet. You must enter tcp tcp_max_conns before you enter emb_limit. If you want to keep the default value for tcp_max_conns but change emb_limit, enter 0 for tcp_max_conns.
For example, to set options for the host 10.1.1.1, enter the following command:
FWSM/contexta(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 norandomseq tcp 1000 200 udp 1000
This limits the host to 1000 TCP connections and 1000 UDP connections, allows at most 200 embryonic (half-open) TCP connections at a time, and disables ISN randomization for its connections.
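The following configuration fragment is an added example and is not taken from the FWSM guide. It shows the two cases the option descriptions above distinguish: a host-specific limit with ISN randomization left enabled, and a subnet-wide limit where tcp_max_conns is entered as 0 so that the default is kept while an embryonic limit is still specified. The interface names and the addresses 10.1.1.1 and 10.1.2.0/24 are assumed for illustration.

```cisco
! Added example (not from the FWSM configuration guide). Interface names
! and addresses are assumed. Lines beginning with "!" are comments.
!
! Host-specific limit for 10.1.1.1: at most 500 TCP and 500 UDP
! connections, and at most 50 embryonic (half-open) TCP connections at
! a time. Setting emb_limit enables TCP Intercept for this host.
! norandomseq is omitted, so ISN randomization stays enabled.
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 tcp 500 50 udp 500
!
! Subnet-wide limit for 10.1.2.0/24: tcp_max_conns and udp_max_conns
! count connections for the entire subnet, while emb_limit is per host.
! tcp_max_conns is given as 0 to keep the default (no explicit TCP
! limit) because emb_limit cannot be entered without it.
static (inside,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 tcp 0 100
```

The netmask decides the scope of the limit: a /32 mask applies the TCP and UDP maximums to one host, a shorter mask applies them to every host in the subnet combined, and in both cases the embryonic limit is enforced for each host individually.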