Re: Change the IDLE timeout for a specific host

axa_tech_uk · ‎01-07-2011

Platform: FWSM 3.2(18)

I need to change the idle connection timeout for a specific host. I'm pretty sure the following policy will achieve this.

access-list CMS-TIMEOUT permit tcp any host 10.1.1.1

class-map CMS-TIMEOUT

match access-list CMS-TIMEOUT

policy-map CMS-TIMEOUT
class CMS-TIMEOUT
set connection timeout idle 4:0:0

service-policy conns interface outside

My question is, will the above policy override the global policy configuration applied to the outside interface. We only have the std default glovbal policy applied i.e. no other service policies are used?

Marcin Latosiewicz · ‎01-07-2011

Hi,

Long story short, your policy on interface takes precedence over global as it will be the first one to be hit.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mpf_f.html#wp1137086

I might be wrong, but that's the way I recollect it.

Marcin

axa_tech_uk · ‎01-07-2011

Thanks for your reply, what I really mean, is will it be the only policy appilled i.e. will the global policy no longer be applied, or does the global policy always get applied and will always be processed. Assuming it is appllied globally?

Kureli Sankar · ‎01-07-2011

The global policy will be applied after the interface specific policy - which does take precedence.

-KS