Can you change the timeout settings on the ports on the Cisco ASA 5585?

Is there a way to change the timeout settings on a port on the Cisco ASA 5585? 

For example port 443, can I change the timeout to 150 minutes? 

Also is the default timeout 30 minutes for a port in the Cisco ASA?

14 Replies

Are you talking about connection-timeouts? That can be done with MPF.

Yes, for example in the ASDM I would be configuring a policy or access rule. When I try to configure a TCP port, for example, I do not see any options to create a specific connection-timeout value.

Samantha, you can perform a "sh running-config all" and, filtering for timeouts, you will see all values.

Best regards

Pablo Costa

Netconsulting BR

Yeah, the user is requesting that a specific custom high TCP port number have a connection-timeout higher than the default 1 hour. So I am wondering if I can create an access rule with this custom port to have a connection timeout higher than the default.

You can create an access-list to match the traffic, then a class-map, and set a connection timeout specific to the class-map.

Example:

access-list teste permit tcp host X.X.X.X any
class-map test
 match access-list teste
exit
policy-map global_policy
 class test
  set connection timeout tcp 1:0:0 reset

(something like this... I have not tested these commands ;) )

I would be doing this via ASDM, NOT the CLI

I went into the ASDM and went into Add Access Rule, and I do not see an option to configure the connection timeout for the custom port I will be creating.

Configuration --> Service Policy Rules --> Add, and follow the wizard (see the picture attached, please).

OK, I was able to go step by step through the Service Policy Wizard. There was one statement in the Connection Timeout tab that I had a question about:

"Send reset to TCP endpoints before timeout". What does that statement do?

Also, does configuring this service policy rule mess with any of the other traffic? Does this ONLY apply to the specific IPs and port I configure? I will be applying the rule to an interface, so it should only affect the source and dest IPs and port I have configured, correct?

Question 1: it will send a RST flag to reset the connection (this is for the connection timeout). You can see this working with the "show conn | include X.X.X.X" command.

Question 2: it will respect the access-list that you created. Only for the matched traffic.

Best regards

Pablo Costa

Is the default timeout unlimited?

The default is 1h for TCP traffic; you can't configure that per access-rule. You have to configure it with a service policy (MPF). The above link was for the CLI. Here is the config guide for ASDM: http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/conns-connlimits.html#ID-2068-00000456

I took a look at the global timeouts and that looks like it is for all ports.

I am running ASA 9.2 asdm 7.3

It is basically a specific high port number for which they want a larger connection timeout instead of the default 1 hour.
