!! Define the traffic that will require the custom timeout
access-list <Match-ACL-Name> extended permit <traffic-to-match>
!! Define the class-map with the match of the ACL above
class-map <Class-Map-Name>
match access-list <Match-ACL-Name>
!! Define the policy-map to be applied to an interface
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, add the 'class' and settings to the existing policy-map
policy-map <Policy-Map-Name>
class <Class-Map-Name>
set connection timeout idle <Timeout-in-HH:MM:SS-Format>
!! Note: Only one policy-map can be defined per interface. If you have one already defined for an interface, the following line is not necessary
service-policy <Policy-Map-Name> interface <interface> EXAMPLE CONFIGURATION
access-list SSH-24Hour-ACL extended permit tcp object-group SSH_24Hour_Hosts any eq 22
class-map SSH-24Hour-ClassMap
match access-list SSH-24Hour-ACL
policy-map inside-policy-map
class SSH-24Hour-ClassMap
set connection timeout idle 24:00:00
service-policy inside-policy-map interface inside Notes:
- See documentation for information regarding the interface direction
- This was designed for versions 8.3+ although it may work on version 8.2
router eigrp <as-num> !! as number must match on neighbors
no auto-summary
eigrp router-id 10.0.150.3 !! Name for defining the eigrp, name after interface IP
redistribute static !! redistribute static routes, can use policy map instead so not ALL statics are distributed
network 10.0.150.0 255.255.255.0 !! Directly connected network
network 4.2.2.128 255.255.255.248 !! Directly connected network
exit
!! configure static routes to point to the interface/IP that you want to monitor and stop advertising the routes when the interface goes down
route <int-to-watch> <network-to-advertise> <subnet> <ip-of-int-to-watch>show eigrp topology
show eigrp neighbors
debug eigrp neighbor
debug eigrp fsmPix 6
ca zeroize rsa
ca generate rsa key 1024
sh ca mypubkey rsa
ca save allPix 7+
crypto key zeroize rsa
crypto key generate rsa modulus 1024
sh crypto key mypubkey rsaNotes:
- The command "crypto key zeroize rsa" will remove certificates using the default keychain as well
show failover !! View current failover status, statistics, etc
show failover history !! View recent failover and sync history
show failover state !! View last failover reasons and informationpolicy-map type inspect esmtp tls-esmtp
parameters
allow-tls
no mask-banner !! may only be required if you notice issues related to the banner
policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp tls-esmtp!! Enable the performance monitoring
asdm history enable
!! View data
show asdm history feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>
show asdm history view <10m|60m|12h|5d|all> feature <all|blocks|cpu|failover|ids|interface|memory|perfmon|sas|tunnels|xlates>Notes:
- You can leave off the feature command to view ALL performance data
!! Most SPLAT Devices
echo "<NAT-IP> <Physical-Interface-MAC-Address>" >> $FWDIR/conf/local.arp
!! SPLAT Devices with VMAC mode enabled
echo "<NAT-IP> <Virtual-MAC-Address>" <Physical-Int-IP> >> $FWDIR/conf/local.arpNotes:
- AutoNATs normally do not require a proxy arp. Ensure "merge manual proxy arp configuration" is enabled in the Global Properties -> NAT
cphaconf set_ccp multicast !! Use Multicast (default mode, most efficient)
cphaconf set_ccp broadcast !! Use Unicast
cphaprob -a if !! Verify current mode and monitored interfaces