Filter
Top Products
27-8
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Connection Settings
Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to
Chapter 22, “Configuring Service Policy Rules.”
You can configure connection limits as part of a new service policy rule, or you can edit an existing
service policy.
Step 2 On the Rule Actions dialog box, click the Connection Settings tab.
Step 3 To set maximum connections, configure the following values in the Maximum Connections area:
• TCP & UDP Connections—Specifies the maximum number of simultaneous TCP and UDP
connections for all clients in the traffic class, up to 65,536. The default is 0 for both protocols, which
means the maximum possible connections are allowed.
• Embryonic Connections—Specifies the maximum number of embryonic connections per host up to
65,536. An embryonic connection is a connection request that has not finished the necessary
handshake between source and destination. This limit enables the TCP Intercept feature. The default
is 0, which means the maximum embryonic connections. TCP Intercept protects inside systems from
a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit
has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers
on a higher security level. SYN cookies are used during the validation process and help to minimize
the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will
never reach the server.
• Per Client Connections—Specifies the maximum number of simultaneous TCP and UDP
connections for each client. When a new connection is attempted by a client that already has opened
the maximum per-client number of connections, the security appliance rejects the connection and
drops the packet.
• Per Client Embryonic Connections—Specifies the maximum number of simultaneous TCP
embryonic connections for each client. When a new TCP connection is requested by a client that
already has the maximum per-client number of embryonic connections open through the security
appliance, the security appliance proxies the request to the TCP Intercept feature, which prevents
the connection.
Step 4 To configure TCP timeouts, configure the following values in the TCP Timeout area:
• Connection Timeout—Specifies the idle time until a connection slot is freed. Enter 0:0:0 to disable
timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
• Send reset to TCP endpoints before timeout—Specifies that the security appliance should send a
TCP reset message to the endpoints of the connection before freeing the connection slot.
• Embryonic Connection Timeout—Specifies the idle time until an embryonic connection slot is
freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
• Half Closed Connection Timeout—Specifies the idle time until a half closed connection slot is freed.
Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The
default is 10 minutes.
Step 5 To disable randomized sequence numbers, uncheck Randomize Sequence Number.
TCP initial sequence number randomization can be disabled if another in-line firewall is also
randomizing the initial sequence numbers, because there is no need for both firewalls to be performing
this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the
connection is between two interfaces with the same security level, then the ISN will be randomized in
the SYN in both directions.