Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11
Connection Settings
This chapter describes how to configure connection settings for connections that go through the ASA,
or for management connections that go to the ASA.
• What Are Connection Settings?
• Configure Connection Settings
• Monitoring Connections
• History for Connection Settings
What Are Connection Settings?
Connection settings comprise a variety of features related to managing traffic connections, such as a TCP
flow through the ASA. Some features are named components that you would configure to supply specific
services.
Connection settings include the following:
• Global timeouts for various protocols—All global timeouts have default values, so you need to change them only if you are experiencing premature connection loss.
• Connection timeouts per traffic class—You can override the global timeouts for specific types of traffic using service policies. All traffic class timeouts have default values, so you do not have to set them.
• Connection limits and TCP Intercept—By default, there are no limits on how many connections can go through (or to) the ASA. You can set limits on particular traffic classes using service policy rules to protect servers from denial of service (DoS) attacks. Particularly, you can set limits on embryonic connections (those that have not finished the TCP handshake), which protects against SYN flooding attacks. When embryonic limits are exceeded, the TCP Intercept component gets involved to proxy connections and ensure that attacks are throttled.
• Dead Connection Detection (DCD)—If you have persistent connections that are valid but often idle, so that they get closed because they exceed idle timeout settings, you can enable Dead Connection Detection to identify idle but valid connections and keep them alive (by resetting their idle timers). Whenever idle times are exceeded, DCD probes both sides of the connection to see if both sides agree the connection is valid. The show service-policy command includes counters to show the amount of activity from DCD.
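The per-class connection limits, timeout override and Dead Connection Detection described above, as an added configuration sketch that is not taken from the guide itself. The access-list, class-map and policy-map names, the server address 203.0.113.10, the interface name outside and all numeric limits are assumptions chosen for illustration.

```cisco
! Added example: names, addresses and limits below are illustrative assumptions.
! Traffic class: TCP connections to one web server (documentation address).
access-list WEB-SERVER-ACL extended permit tcp any host 203.0.113.10 eq www
!
class-map WEB-SERVER-CLASS
 match access-list WEB-SERVER-ACL
!
policy-map OUTSIDE-CONN-POLICY
 class WEB-SERVER-CLASS
! Cap total and embryonic (handshake not finished) connections for the class.
! Once the embryonic limit is exceeded, TCP Intercept proxies new handshakes.
  set connection conn-max 2000 embryonic-conn-max 500
! Per-client limits keep one source from consuming the whole class budget.
  set connection per-client-max 100 per-client-embryonic-max 25
! Override the global idle timeout for this class and enable DCD, so idle
! but valid connections are probed and kept instead of being closed.
  set connection timeout idle 1:00:00 dcd
!
service-policy OUTSIDE-CONN-POLICY interface outside
!
! After applying the policy, review the connection-limit and DCD counters:
show service-policy
```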