Connection Timeout; Enabling Tcp State Bypass - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli

Chapter 21
Configuring Advanced Connection Features

Connection Timeout

If there is no traffic on a given connection for 2 minutes, the connection times out. You can override this
default using the set connection timeout tcp command. Normal TCP connections time out by default
after 60 minutes.

Enabling TCP State Bypass

To enable TCP state bypass, perform the following steps:
Step 1
To identify the traffic for which you want to disable stateful firewall inspection, add a class map using
the class-map command. See the "Identifying Traffic (Layer 3/4 Class Map)" section on page 20-4 for
more information.
For example, you can match an access list:
hostname(config)# access-list bypass extended permit tcp any 10.1.1.1 255.255.255.255
hostname(config)# class-map bypass_traffic
hostname(config-cmap)# match access-list bypass
Step 2
To add or edit a policy map that sets the actions to take with the class map traffic, enter the following
commands:
hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the class map from Step 1.
For example:
hostname(config)# policy-map tcp_bypass_policy
hostname(config-pmap)# class bypass_traffic
hostname(config-pmap-c)#
Step 3
Enable TCP state bypass by entering the following command:
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
Step 4
Activate the policy map on one or more interfaces by entering the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.
Note
If you use the show conn command, the display for connections that use TCP state bypass includes the
flag "b."
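Because a bypass class skips stateful inspection for everything its access list matches, the practical check after finishing the steps above is to confirm that every active bypass class is scoped to a narrow access list, and to see which live connections are actually running in bypass mode (the "b" flag in show conn). The following Python script is an added example, not part of the manual and not Cisco code: it parses a constructed FWSM-style running configuration, lists each service-policy class that carries set connection advanced-options tcp-state-bypass, resolves it to its class map and access list, flags access lists that match any, and separately picks out show conn lines whose flags include "b". The configuration text, the names lab_bypass, bypass_any, global_policy and outside, and the exact column layout of the show conn lines are constructed assumptions; only the trailing flags field is relied on.

```python
import re

# Constructed FWSM-style running configuration (assumption; not taken from the
# manual). Names other than tcp_bypass / tcp_bypass_policy are invented.
SAMPLE_CONFIG = """\
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list bypass_any extended permit tcp any any
class-map tcp_bypass
 match access-list tcp_bypass
class-map lab_bypass
 match access-list bypass_any
class-map inspection_default
 match default-inspection-traffic
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class lab_bypass
  set connection advanced-options tcp-state-bypass
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy tcp_bypass_policy interface outside
service-policy global_policy global
"""

# Constructed 'show conn' lines; the column layout approximates FWSM output
# and is an assumption. Only the trailing 'flags' field is relied upon.
SAMPLE_SHOW_CONN = """\
TCP out 10.2.1.20:80 in 10.1.1.10:49152 idle 0:00:05 Bytes 1530 flags b
TCP out 209.165.200.225:443 in 10.1.1.11:49153 idle 0:00:12 Bytes 8120 flags UIO
UDP out 10.2.1.20:53 in 10.1.1.12:5000 idle 0:00:01 flags -
"""

BYPASS_ACTION = "set connection advanced-options tcp-state-bypass"
CONN_RE = re.compile(r"^(TCP|UDP)\s+.*\s+flags\s+(?P<flags>\S+)$")


def parse_config(text):
    """Collect ACLs, Layer 3/4 class maps, policy maps and service-policy
    bindings. Leading spaces mark sub-mode lines, as in a saved config."""
    acls, class_maps, policy_maps, bindings = {}, {}, {}, []
    ctx = None  # ('class-map', name) or ('policy-map', name, current_class)
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if not raw.startswith(" "):  # top-level command: leave any sub-mode
            ctx = None
            if tokens[0] == "access-list":
                acls.setdefault(tokens[1], []).append(tokens[2:])
            elif tokens[0] == "class-map":
                ctx = ("class-map", tokens[1])
                class_maps.setdefault(tokens[1], {})
            elif tokens[0] == "policy-map":
                ctx = ("policy-map", tokens[1], None)
                policy_maps.setdefault(tokens[1], {})
            elif tokens[0] == "service-policy":
                # service-policy <name> global | service-policy <name> interface <ifname>
                scope = "global" if tokens[2] == "global" else tokens[3]
                bindings.append((tokens[1], scope))
        elif ctx and ctx[0] == "class-map":
            if tokens[:2] == ["match", "access-list"]:
                class_maps[ctx[1]]["acl"] = tokens[2]
        elif ctx and ctx[0] == "policy-map":
            if tokens[0] == "class":
                ctx = ("policy-map", ctx[1], tokens[1])
                policy_maps[ctx[1]].setdefault(tokens[1], [])
            elif ctx[2] is not None:
                policy_maps[ctx[1]][ctx[2]].append(" ".join(tokens))
    return acls, class_maps, policy_maps, bindings


def ace_is_broad(ace_tokens):
    """True when either endpoint of an access-list entry is unrestricted."""
    return any(t in ("any", "any4", "any6") for t in ace_tokens)


def audit_bypass(config_text):
    """One finding per active policy class that applies TCP state bypass,
    with the ACL scoping it. A class with no access list is treated as broad."""
    acls, class_maps, policy_maps, bindings = parse_config(config_text)
    findings = []
    for policy, scope in bindings:
        for cls, actions in policy_maps.get(policy, {}).items():
            if BYPASS_ACTION not in actions:
                continue
            acl = class_maps.get(cls, {}).get("acl")
            aces = acls.get(acl, [])
            findings.append({
                "policy": policy, "scope": scope, "class": cls, "acl": acl,
                "aces": len(aces),
                "broad": acl is None or any(ace_is_broad(a) for a in aces),
            })
    return findings


def bypass_connections(show_conn_text):
    """Return 'show conn' lines whose flags contain lowercase 'b' (bypass).
    The check is case-sensitive: an uppercase 'B' flag means something else."""
    hits = []
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and "b" in m.group("flags"):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for f in audit_bypass(SAMPLE_CONFIG):
        verdict = "REVIEW: access list matches any" if f["broad"] else "ok: scoped"
        print(f"{f['policy']} ({f['scope']}) class {f['class']} -> acl {f['acl']} "
              f"[{f['aces']} ACE(s)] {verdict}")
    for line in bypass_connections(SAMPLE_SHOW_CONN):
        print("bypass conn:", line)
```

Run against the output of show running-config and show conn from the module; the audit reports only classes reachable through an applied service-policy, so a policy map that exists but is not bound to an interface or globally produces no finding.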
The following is an example configuration for TCP state bypass:
hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
hostname(config)# class-map tcp_bypass
Configuring TCP State Bypass
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
21-13
