From: Luan Nguyen (luan@t3technology.com)
Date: Tue Jul 01 2008 - 17:21:43 ART
There's only a little default traffic for inspection:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1786414
You mistyped in a couple of places, but yeah, if you are afraid, then remove it and
put it back afterward.  Remember to paste back those inspect statements...or
just create a new global policy :)
-Luan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee Reade
Sent: Tuesday, July 01, 2008 3:49 PM
To: 'Luan Nguyen'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1 specific flow
Hi,

Thanks for the reply, however:

This is the default policy:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global

The default tcp connection idle timeout applies to this policy-map, so if I
want to have a specific flow with idle timeout 0, then would I just create a
new class-map, match the flow with acl, and specify the connection settings?

I think I would also need to remove the default class, add the new one in,
then add the default back in again, so that the new one is hit first.

access-list 101 extended permit tcp host x.x.x.x host y.y.y.y eq z
class-map class1
 match access-list 101

policy-map global_policy
 no class inspection_default
 class class1
  set connection timeout tcp 0:0:0
 class inspection_default

What do you think?

I am not able to test this out, and will have a tight window when I go to
make the change, hence the reason I'm trying to clarify!!

Thanks

LR

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan Nguyen
Sent: 01 July 2008 20:13
To: 'Lee Reade'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1 specific flow

I've never seen you have to use class default for the ASA or anything that
runs PIXOS.
For example, if I want to allow BGP MD5 authentication for 2 peers, then I
would just create an ACL permit tcp host host eq bgp, match it and allow tcp
option 19 and disable the random-sequence-number.  I don't need to do
anything else for the rest of the bgp peers that pass through the ASA and
are not using MD5 authentication.
You are going to apply the service-policy as global, you don't need to do
anything else.
 
-Luan
 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee Reade
Sent: Tuesday, July 01, 2008 2:35 PM
Subject: FWSM Global Service Policy change tcp connection timeout for 1 specific flow

Hi,

I have an issue with an old database server that creates tcp connections via
a FWSM, and expects these sessions to never idle out. Since the FWSM has a
default timeout of 60 mins for tcp, we are having some issues with
connectivity. I want to config a class-map to match this specific flow and
set the tcp connection timeout to 0.

Can anyone advise how to ensure that the other traffic will use the FWSM
default settings? Would I just config the class-default and set the
connections in there? Or will they automatically pick them up?

I will be applying this service-policy as global and not to a specific
interface.

I've checked on CCO but the config guide doesn't mention this, and I just
need some clarification.

Thanks very much,

LR

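As an added example (not posted by anyone in the thread): the configuration that follows Luan's advice on an FWSM/ASA, adding one class for the database flow to the existing global policy without removing inspection_default; the ACL name, class name, host addresses and port are placeholders.

```cisco
! Added example, not from the thread. Names, addresses and port are placeholders.
! Match only the database flow that must never idle out.
access-list DB_NO_TIMEOUT extended permit tcp host 10.0.0.5 host 10.0.1.9 eq 1521

class-map DB_NO_TIMEOUT
 match access-list DB_NO_TIMEOUT

! Add the class to the global policy that is already applied; inspection_default
! and its inspect statements stay exactly as they are.
policy-map global_policy
 class DB_NO_TIMEOUT
  set connection timeout tcp 0:0:0

! 0:0:0 disables the idle timeout for this class only; every other tcp flow keeps
! the default 1:00:00. Because inspection_default carries no "set connection"
! command, the database flow still gets its inspections from that class and its
! timeout from this one, so the two classes do not conflict.
! Verify with:
! show service-policy global
```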
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:52 ART