RE: FWSM Global Service Policy change tcp connection timeout

From: Luan Nguyen (luan@t3technology.com)
Date: Tue Jul 01 2008 - 17:31:33 ART


If you have a short maintenance window then be extra careful with typos :)
class-map class1
 match access-list 101
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class class1
  set connection timeout tcp 0:00:00
 class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:73ee4e7e75c32043282d9c1d3f16f66f
: end
ASA2(config-pmap-c)# e
ASA2(config-pmap-c)#
ASA2(config-pmap-c)#
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit
ASA2(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
ASA2(config)# no policy-map global_policy
ERROR: policy-map global_policy is being used and hence cannot be removed.

I forgot to put the global at the end and now the config looks messed up :)
and it's hard to fix.

-Luan
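
For reference, the change being discussed in this thread written out end to end. This is an added example, not config from either poster: it assumes FWSM 3.x / ASA 7.2-era MPF syntax (the same `set connection timeout tcp hh:mm:ss` form that appears in the paste above), and the addresses, port and object names (10.1.1.10, 10.2.2.20, 1521, DB-NOIDLE, BGP-MD5, 192.0.2.x) are placeholders. It also folds in the BGP MD5 case from further down the thread as a second class, to show that several feature types can live in the one global policy without touching class inspection_default.

```cisco
! Added example (not from the thread). Placeholders: 10.1.1.10 = DB client,
! 10.2.2.20 = DB server, 1521 = DB port. Keep the ACL as narrow as possible:
! every flow it matches will never idle out of the conn table, so a server
! that dies without sending RST leaves its entries behind until a reload
! or a manual "clear conn".
access-list DB-NOIDLE extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 1521

! One ACE is enough here because the client always opens the connection;
! the class is matched on the packet that creates the connection.
class-map DB-NOIDLE-CLASS
 match access-list DB-NOIDLE

! BGP with TCP MD5 (option 19), assumed peer addresses. Both directions are
! listed because either peer may open the session.
access-list BGP-MD5 extended permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list BGP-MD5 extended permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
tcp-map BGP-MD5-OPTIONS
 tcp-options range 19 19 allow
class-map BGP-MD5-CLASS
 match access-list BGP-MD5

! Edit the policy map that is already bound globally. Do NOT "no class
! inspection_default" and do NOT re-issue "service-policy global_policy
! global": the existing class keeps its inspects, the new classes are
! simply appended, and the policy stays applied.
policy-map global_policy
 class DB-NOIDLE-CLASS
  set connection timeout tcp 0:00:00
 class BGP-MD5-CLASS
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5-OPTIONS

! Verify: the policy is still applied globally, the new classes are listed,
! and the database flow shows up in the conn table.
show running-config policy-map
show service-policy global
show conn address 10.2.2.20
```

Class order does not matter for this case: the FWSM matches a packet against every class in the policy map and, for each feature type, uses the first class that matches; inspection_default only carries inspects and the new classes only carry connection settings, so both apply to the database flow. The one thing to avoid is the sequence in the paste above: once global_policy is bound, `no policy-map global_policy` is refused, and re-typing `service-policy global_policy global` only produces the WARNING; the fix is to re-enter `policy-map global_policy` and correct the classes in place.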

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan
Nguyen
Sent: Tuesday, July 01, 2008 4:22 PM
To: 'Lee Reade'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1
specific flow

There's only a little default traffic for inspection:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1786414
You mistyped in a couple of places, but yeah, if you are afraid, then remove it
and put it back afterward. Remember to paste back those inspect statements...or
just create a new global policy :)

-Luan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee
Reade
Sent: Tuesday, July 01, 2008 3:49 PM
To: 'Luan Nguyen'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1
specific flow

Hi,

Thanks for the reply, however;

This is the default policy;

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

The default tcp connection idle timeout applies to this policy-map, so if I
want to have a specific flow with idle timeout 0, then would I just create a
new class-map, match the flow with an acl, and specify the connection settings?

I think I would also need to remove the default class, add the new one in,
then add the default back in again, so that the new one is hit first.

access-list 101 per tcp host x.x.x.x host y.y.y.y eq z
class-map class1
 match access-gr 101

policy-map global_policy
 no class inspection_default
 class-map class1
  set connection timeout 0
 class inspection_default

What do you think?

I am not able to test this out, and will have a tight window when I go to
make the change, hence the reason I'm trying to clarify!!

Thanks

LR


-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan
Nguyen
Sent: 01 July 2008 20:13
To: 'Lee Reade'; ccielab@groupstudy.com
Subject: RE: FWSM Global Service Policy change tcp connection timeout for 1
specific flow

I've never seen you have to use class-default for the ASA or anything that
runs PIXOS.
For example, if I want to allow BGP MD5 authentication for 2 peers, then I
would just create an ACL permit tcp host host eq bgp, match it and allow tcp
option 19 and disable the random-sequence-number. I don't need to do
anything else for the rest of the BGP peers that pass through the ASA and
are not using MD5 authentication.
You are going to apply the service-policy as global, so you don't need to do
anything else.

-Luan


-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee
Reade
Sent: Tuesday, July 01, 2008 2:35 PM
To: ccielab@groupstudy.com
Subject: FWSM Global Service Policy change tcp connection timeout for 1
specific flow

Hi,

I have an issue with an old database server that creates tcp connections via
an FWSM and expects these sessions to never idle out. Since the FWSM has a
default timeout of 60 mins for tcp, we are having some issues with
connectivity. I want to config a class-map to match this specific flow and
set the tcp connection timeout to 0.

Can anyone advise how to ensure that the other traffic will use the FWSM
default settings? Would I just config the class-default and set the
connections in there? Or will they automatically pick them up?

I will be applying this service-policy as global and not to a specific
interface.

I've checked on CCO but the config guide doesn't mention this, and I just
need some clarification.

Thanks very much,

LR



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART