https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651501#M593881 <HTML><HEAD></HEAD><BODY><P>These are just timeout values for diff. types for connections "through" the firewall.</P><P>example:</P><P>After the default 1 hour timeout of a tcp connection, the 3 hour xlate timeout will kick in and after the total 4 hours, it will be removed from the table.</P><P></P><P><SPAN>You can read more here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870</A></P><P></P><P>-KS</P></BODY></HTML> Thu, 03 Feb 2011 17:18:29 GMT Kureli Sankar 2011-02-03T17:18:29Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651497#M593877 <P>Hi,</P><P></P><P>I'm looking for solid examples of how to implement limiting embryonic connections and/or other possible denial-of-service types of traffic such as half-closed, both through the firewall and to the firewall. I'm also looking for an example of how to use tcp dead connection detection. </P><P></P><P>We have a client who has had a router brought to its knees by this method and we are going to replace it with an ASA. Given the history, I'd like to not use the defaults and use more aggressive settings. For example, an embryonic connection minimum is 5 seconds and the default is 30 seconds.</P><P></P><P>Any solid examples will be most appreciated. Thanks.</P> Mon, 11 Mar 2019 19:36:59 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651497#M593877 lcaruso 2019-03-11T19:36:59Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651498#M593878 <HTML><HEAD></HEAD><BODY><P>Example to limit connections and set half-closed timeout:</P><P></P><P>policy-map per-client<BR /> class per-client-class<BR />&nbsp; set connection conn-max 80 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 2</P><P>&nbsp; set connection half-closed 0:5:0 embryonic 0:0:6<BR />!<BR />ASA# sh run class-map per-client-class<BR />!<BR />class-map per-client-class<BR /> match access-list per-client<BR />!<BR />ASA# sh run access-l per-client<BR />access-list per-client extended permit ip host 192.168.2.3 any <BR />access-list per-client extended permit ip host 192.168.2.2 any</P><P><BR />ASA#sh run service-policy</P><P>service-policy per-client int inside</P><P></P><P><SPAN>Refer here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045</A></P><P></P><P>-KS</P></BODY></HTML> Wed, 19 Jan 2011 02:09:04 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651498#M593878 Kureli Sankar 2011-01-19T02:09:04Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651499#M593879 <HTML><HEAD></HEAD><BODY><P><EM>very good, thank you!</EM></P><P></P><P>I also was referred to these links by another party for anyone else interested in this topic</P><P></P><P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";} </style> <![endif]--></P><P class="MsoNormal"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Threat-detection:</SPAN></P><P></P><P class="MsoNormal"><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html</SPAN></A></P><P></P><P class="MsoNormal"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"> </SPAN></P><P></P><P class="MsoNormal"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Configuring Connection Limits and Timeouts:</SPAN></P><P></P><P></P><P class="MsoNormal"><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html</SPAN></A></P><P></P><P class="MsoNormal"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"> </SPAN></P><P></P><P class="MsoNormal"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Preventing network attacks.</SPAN></P><P></P><P></P><P class="MsoNormal"><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html"><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html</SPAN></A></P></BODY></HTML> Wed, 19 Jan 2011 03:38:49 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651499#M593879 lcaruso 2011-01-19T03:38:49Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651500#M593880 <HTML><HEAD></HEAD><BODY><P>What do these default statements do--protect the firewall or protect connections through the firewall?</P><P></P><P>timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00</P></BODY></HTML> Thu, 03 Feb 2011 15:00:21 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651500#M593880 lcaruso 2011-02-03T15:00:21Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651501#M593881 <HTML><HEAD></HEAD><BODY><P>These are just timeout values for diff. types for connections "through" the firewall.</P><P>example:</P><P>After the default 1 hour timeout of a tcp connection, the 3 hour xlate timeout will kick in and after the total 4 hours, it will be removed from the table.</P><P></P><P><SPAN>You can read more here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870</A></P><P></P><P>-KS</P></BODY></HTML> Thu, 03 Feb 2011 17:18:29 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651501#M593881 Kureli Sankar 2011-02-03T17:18:29Z https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651502#M593882 <HTML><HEAD></HEAD><BODY><P>thanks for the explanation and the link.</P></BODY></HTML> Thu, 03 Feb 2011 17:43:33 GMT https://community.cisco.com/t5/network-security/embryonic-connections/m-p/1651502#M593882 lcaruso 2011-02-03T17:43:33Z