04-26-2007 07:21 PM - edited 03-11-2019 03:05 AM
Hi,
I have to audit a PIX 515 to meet the below requirements. Can anyone please let me know what the config would look like or point me to the relevant docos to make the PIX compliant.
Thanks
Scott
TCP Start Time Out must be set to 60 seconds.
TCP Session Time Out must be set to 3600 seconds.
TCP End Time Out must be set to 20 seconds.
UDP Time Out must be set to 40 seconds.
ICMP Time Out must be set to 30 seconds.
"Out of state" TCP, UDP and ICMP packets must be dropped and the associated error must be logged.
04-26-2007 07:38 PM
Hello scott,
I think you need to configure the following command to change these timeout values:
timeout {xlate | conn | udp | icmp | rpc | h225 | h323 | mgcp | mgcp-pat | sip | sip_media} hh:mm:ss
timeout uauth hh:mm:ss [absolute | inactivity]
The configuration guide describes everything with respect to this command:
The default values are also given... hence, for example, if you want to change the TCP session timeout value to 3600 secs, you need to use
timeout xlate 1:0:0
Similarly, you can tweak the values of the UDP and ICMP timers.
Hope this helps. All the best. Rate replies if found useful.
Raj
04-26-2007 07:52 PM
Hi Raj,
Thanks for that. I suspected those commands but I can not match up:
TCP Start Time
TCP End Time
And how do I set it to drop Out of state packets?
Thanks,
Scott
This is what we have at present.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
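The four `timeout` lines posted above are what an auditor actually has to check against the requirement list at the top of the thread, and doing it by eye is where the xlate/conn confusion in this thread comes from. The script below is an added example, not anything from the original thread or from Cisco: it parses the `timeout` lines of a PIX running-config (the sample is a constructed copy of the config posted above), converts each h:mm:ss value to seconds, and compares it with the required value. The mapping of requirements to PIX keywords is this example's own assumption: `conn` is taken as the idle timer for established TCP sessions, `udp` and `icmp` as the UDP and ICMP idle timers, and "TCP Start" and "TCP End" are deliberately left unmapped and reported as unmatched, because the `timeout` command has no keyword for them. The platform minimums (5 minutes for `conn`, 1 minute for `udp`) are taken from the PIX/ASA `timeout` command reference and should be confirmed against the version actually running; they matter here because a 40-second UDP timeout cannot be entered with `timeout udp` at all.

```python
"""Audit the 'timeout' lines of a PIX running-config against required idle timers.

Added example for this thread; the requirement-to-keyword mapping and the platform
minimums are assumptions of this script (see comments), not the original poster's.
"""
import re
from collections import namedtuple

# Constructed sample: the 'timeout' lines posted in the thread, as they would
# appear in 'show running-config'.
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""

# Requirement name -> (PIX timeout keyword, required seconds).
# ASSUMPTION: 'conn' is the established-TCP idle timer, 'udp'/'icmp' the UDP and
# ICMP idle timers. "TCP Start" and "TCP End" have no keyword on the timeout
# line, so they are mapped to None and reported rather than guessed.
REQUIREMENTS = {
    "TCP Start Time Out": (None, 60),
    "TCP Session Time Out": ("conn", 3600),
    "TCP End Time Out": (None, 20),
    "UDP Time Out": ("udp", 40),
    "ICMP Time Out": ("icmp", 30),
}

# Smallest value the CLI accepts, in seconds, per the PIX/ASA 'timeout' command
# reference (confirm against the running version before relying on it).
PLATFORM_MINIMUM = {"conn": 300, "udp": 60}

AuditResult = namedtuple("AuditResult", "requirement keyword current required status")

# One keyword/value pair; the value is h:mm:ss, but '1:0:0' as typed on the CLI
# is accepted too, hence \d+ for every field.
TIMER_RE = re.compile(r"(\S+)\s+(\d+:\d+:\d+)")


def hms_to_seconds(value):
    """'1:00:00' -> 3600; also accepts the short '1:0:0' CLI form."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def seconds_to_hms(secs):
    """3600 -> '1:00:00', the form 'show running-config' prints."""
    return f"{secs // 3600}:{(secs % 3600) // 60:02d}:{secs % 60:02d}"


def parse_timeouts(config_text):
    """Return {keyword: seconds} for every keyword/value pair on 'timeout' lines.

    Several timers share one line (e.g. 'timeout conn ... half-closed ... udp ...'),
    and trailing words such as 'absolute' on the uauth line carry no value.
    """
    timers = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("timeout "):
            continue
        for keyword, value in TIMER_RE.findall(line[len("timeout "):]):
            timers[keyword] = hms_to_seconds(value)
    return timers


def audit(config_text, requirements=REQUIREMENTS):
    """Compare the parsed timers with the requirements.

    status is one of: 'ok', 'mismatch', 'not-set' (keyword absent, platform default
    applies), 'no-keyword' (requirement has no equivalent on the timeout line) or
    'below-platform-minimum' (the CLI will not accept the required value).
    """
    timers = parse_timeouts(config_text)
    results = []
    for name, (keyword, required) in requirements.items():
        if keyword is None:
            status, current = "no-keyword", None
        elif required < PLATFORM_MINIMUM.get(keyword, 0):
            status, current = "below-platform-minimum", timers.get(keyword)
        elif keyword not in timers:
            status, current = "not-set", None
        elif timers[keyword] == required:
            status, current = "ok", timers[keyword]
        else:
            status, current = "mismatch", timers[keyword]
        results.append(AuditResult(name, keyword, current, required, status))
    return results


def remediation_commands(results):
    """Emit one 'timeout <keyword> h:mm:ss' line per timer that can actually be fixed."""
    return [f"timeout {r.keyword} {seconds_to_hms(r.required)}"
            for r in results if r.status in ("mismatch", "not-set")]


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for r in findings:
        print(f"{r.requirement:22} keyword={r.keyword!s:8} current={r.current!s:5} "
              f"required={r.required:5} -> {r.status}")
    print("\n".join(remediation_commands(findings)))
```

Against the posted config the script reports `conn` as already compliant (1:00:00 is 3600 seconds, so Raj's `timeout xlate` suggestion would have changed the wrong timer), `icmp` as not set and fixable with `timeout icmp 0:00:30`, `udp` as unsatisfiable because 40 seconds is below the 1-minute floor of `timeout udp`, and the two TCP start/end requirements as having no `timeout` keyword at all, which is the gap the thread never resolves and the point to raise with whoever wrote the requirement.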
04-26-2007 08:03 PM
Scott,
I'm really not sure if there are specific commands to block out-of-state TCP. I thought PIX does this by default: if there are no SYN messages for the TCP request, the PIX will not process the request. Anyway, the PIX might log it in the buffer, if you have configured it. Check for "logging" commands on CCO and you can find a lot of info on this. You can also direct it to a syslog server if required.
Regarding TCP start/end time, no ideas, mate :)
Raj