Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
57-9
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 57 Configuring Connection Settings
Configuring Connection Settings
Connection Timeout—Specifies the idle time until a connection slot (of any protocol, not just TCP)
is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes.
The default is 1 hour.
Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset
message to the endpoints of the connection before freeing the connection slot.
Embryonic Connection Timeout—Specifies the idle time until an embryonic connection slot is
freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
Half Closed Connection Timeout—Specifies the idle time until a half closed connection slot is freed.
Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The
default is 10 minutes.
Step 5 To disable randomized sequence numbers, uncheck Randomize Sequence Number.
TCP initial sequence number randomization can be disabled if another in-line firewall is also
randomizing the initial sequence numbers, because there is no need for both firewalls to be performing
this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the
connection is between two interfaces with the same security level, then the ISN will be randomized in
the SYN in both directions.
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new
connection and potentially hijacking the new session.
Step 6 To configure TCP normalization, check Use TCP Map. Choose an existing TCP map from the
drop-down list (if available), or add a new one by clicking New.
The Add TCP Map dialog box appears. See the “Customizing the TCP Normalizer with a TCP Map”
section on page 57-6.
Step 7 Click OK.
Step 8 To set the time to live, check Decrement time to live for a connection.
Step 9 To enable TCP state bypass, in the Advanced Options area, check TCP State Bypass.
Step 10 Click OK or Finish.
Configuring Global Timeouts
The Configuration > Firewall > Advanced > Global Timeouts pane lets you set the timeout durations for
use with the ASA. All durations are displayed in the format hh:mm:ss. It sets the idle time for the
connection and translation slots of various protocols. If the slot has not been used for the idle time
specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60
seconds after a normal connection close sequence.
Fields
In all cases, except for Authentication absolute and Authentication inactivity, unchecking the check
boxes means there is no timeout value. For those two cases, clearing the check box means to
reauthenticate on every new connection.
Connection—Modifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout
for the connection. This duration must be at least 5 minutes. The default is 1 hour.