Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Configuring Connection Settings

22-8

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter22 Configuring Connection Settings

Configuring Connection Settings

•Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared.

•Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.

•Clear Window Scale—Sets whether the window scale timestamp option is allowed or cleared.

•Range—Sets the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound

should be less than or equal to the upper bound. Choose Allow or Drop for each range.

Step8 Click OK.

Configuring Connection Settings

To set connection settings, perform the following steps.

Detailed Steps

Step1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to

Chapter 1, “Configuring a Service Policy.”

You can configure connection limits as part of a new service policy rule, or you can edit an existing

service policy.

Step2 On the Rule Actions dialog box, click the Connection Settings tab.

Step3 To set maximum connections, configure the following values in the Maximum Connections area:

•TCP & UDP Connections—Specifies the maximum number of simultaneous TCP and UDP

connections for all clients in the traffic class, up to 2000000. The default is 0 for both protocols,

which means the maximum possible connections are allowed.

•Embryonic Connections—Specifies the maximum number of embryonic connections per host up to

2000000. An embryonic connection is a connection request that has not finished the necessary

handshake between source and destination. This limit enables the TCP Intercept feature. The default

is 0, which means the maximum embryonic connections. TCP Intercept protects inside systems from

a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit

has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers

on a higher security level. SYN cookies are used during the validation process and help to minimize

the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will

never reach the server.

•Per Client Connections—Specifies the maximum number of simultaneous TCP and UDP

connections for each client up to 2000000. When a new connection is attempted by a client that

already has opened the maximum per-client number of connections, the ASA rejects the connection

and drops the packet.

•Per Client Embryonic Connections—Specifies the maximum number of simultaneous TCP

embryonic connections for each client up to 2000000. When a new TCP connection is requested by

a client that already has the maximum per-client number of embryonic connections open through the

ASA, the ASA proxies the request to the TCP Intercept feature, which prevents the connection.

Step4 To configure connection timeouts, configure the following values in the TCP Timeout area:

•Connection Timeout—Specifies the idle time until a connection slot (of any protocol, not just TCP)

is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes.

The default is 1 hour.

Cisco Systems Configuring Connection Settings