Configuring Connection Limits and Timeouts
configuration. If you configure these settings for the same traffic using both methods, the FWSM uses the lower limit. If TCP sequence randomization is disabled using either method, the FWSM disables it.
NAT also lets you configure embryonic connection limits, which trigger TCP Intercept to prevent a DoS attack. To configure connection limits, TCP randomization, and embryonic limits with NAT, see Chapter 16, "Configuring NAT."
To set connection limits and timeouts, perform the following steps:
Step 1 To identify the traffic, add a class map using the class-map command. See the "Identifying Traffic (Layer 3/4 Class Map)" section on page 20-4 for more information.
For example, you can match all traffic using the following commands:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
To match specific traffic, you can match an access list:
hostname(config)# access-list CONNS extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map CONNS
hostname(config-cmap)# match access-list CONNS
Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands:
hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where the class_map_name is the class map from Step 1.
For example:
hostname(config)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)#
Step 3
To set maximum connection limits, connection rate limit, or whether TCP sequence randomization is
enabled, enter the following command:
hostname(config-pmap-c)# set connection {[conn-max n] [conn-rate-limit n]
[random-sequence-number {enable | disable}]}
where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP
connections that are allowed, between 0 and 65535. The default is 0, which means no limit on
connections.
The conn-rate-limit n argument sets the maximum TCP and/or UDP connections per second between 0
and 65535. The default is 0, which means no limit on the connection rate.
The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number
randomization.
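The following is an added worked example that is not part of the guide: it carries Steps 1 through 3 above through to a complete configuration that limits connections to two web servers, and then applies the policy map with service-policy, which is the step that follows this procedure in the guide. The access list and class map names, the server addresses, the interface name outside, and the limit values are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Names, addresses, limit values and the
! interface name "outside" are assumptions.
!
! Step 1: identify the traffic. Two ACEs, one per server; in 4.0 the limits
! set below apply to the access list as a whole, not to each ACE.
access-list WEB-SERVERS extended permit tcp any host 10.1.1.1 eq www
access-list WEB-SERVERS extended permit tcp any host 10.1.1.2 eq www
class-map WEB-SERVERS
 match access-list WEB-SERVERS
!
! Steps 2 and 3: attach the class to a policy map and set the limits.
! conn-max 0 and conn-rate-limit 0 mean "no limit" (the defaults), so a policy
! that leaves them at 0 protects nothing. TCP sequence randomization is left
! enabled (its default); "disable" is only for cases such as a second in-line
! firewall that already randomizes ISNs, or TCP MD5 (BGP) sessions whose hash
! covers the sequence number.
policy-map CONNS
 class WEB-SERVERS
  set connection conn-max 10000 conn-rate-limit 500 random-sequence-number enable
!
! Activate the policy on the interface the clients arrive on. This is the step
! that follows the procedure above; the policy map does nothing until applied.
service-policy CONNS interface outside
!
! Verify that the class is matching traffic and whether the limits have
! dropped connections.
show service-policy interface outside
```

Because 4.0 applies the limits to the access list as a whole, conn-max 10000 caps both servers together: once that ceiling is reached, new connections from any client, legitimate or not, are refused until existing ones close. Size conn-max and conn-rate-limit from measured peak concurrency and connection rate for the matched traffic rather than from a guess, and check the counters with show service-policy after the change.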
Note In 3.x, when you used the set connection command for an access list (match access-list), connection settings were applied to each individual ACE; in 4.0, connection settings are applied to the access list as a whole.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 21 Configuring Advanced Connection Features
OL-20748-01
21-2