Procedure to add https timeout in PIX 501

baggio8
baggio8 used Ask the Experts™
on
I have a Cisco PIX 501.  6.3(5)
I need to create a https timeout for 1:00:00 to work with iphone activesync in Exchange.
I'm not quite sure how to add this.  I'm a novice, so I would want to add any commands through the PDM Command Line Interface.  Running config is attached.  Thanks experts!
write-20term.txt
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Istvan KalmarHead of IT Security Division
Top Expert 2010

Commented:
you only able to finetuning tcp, and xlate timeouts:

(config)# timeout ?

configure mode commands/options:
  conn                   Configure idle time after which a TCP connection state
                         will be closed, default is 1:00:00
  h225                   Configure idle time after which an H.225 signaling
                         conn will be closed, default is 1:00:00
  h323                   Configure idle time after which an H.323 control
                         connection will be closed, default is 0:05:00
  half-closed            Configure idle time after which a TCP half-closed
                         connection will be freed, default is 0:10:00
  icmp                   Configure idle timeout for ICMP, default is 0:00:02
  mgcp                   Configure idle time after which an MGCP media
                         connection will be closed, default is 0:05:00
  mgcp-pat               Configure the time after which an MGCP PAT Xlate will
                         be removed, default is 0:05:00
  sip                    Configure idle time after which a SIP control
                         connection will be closed, default is 0:30:00
  sip-disconnect         Configure idle timeout after which SIP session is
                         deleted if 200 OK is not received for a CANCEL or BYE
                         message, default s 0:02:00
  sip-invite             Configure idle time after which pinholes for
                         PROVISIONAL responsesand media xlates will be closed,
                         default is 0:03:00
  sip-provisional-media  Configure idle time after which a SIP provisional
                         Media connection will be closed, default is 0:02:00
  sip_media              Configure idle time after which a SIP Media connection
                         will be closed, default is 0:02:00
  sunrpc                 Configure idle time after which a SUNRPC slot will be
                         closed, default is 0:10:00
  uauth                  Configure idle time after which an authentication will
                         no longer be cached and the user will need to
                         re-authenticate on their connection, default is
                         0:05:00. The default uauth timer is absolute.
  udp                    Configure idle time after which general UDP states
                         will be closed, default is 0:02:00, This timer does
                         not apply to DNS or SUNRPC
  xlate                  Configure idle time after which a dynamic address will
                         be returned to the free pool, default is 3:00:00

there is an example:
http://www.eventid.net/firegen/pixconfig-2004-03-17-220752.html#configuration

BEst regards,
Istvan

Author

Commented:
Thank you for your response Istvan, but I'm not sure if you mean I can not configure a command for this.  What do you recommend to accomplish what I need to do and how would I do it?

Thanks!
Jody LemoineNetwork Architect

Commented:
You're going to need to make adjustments in two places for this if your ActiveSync server is behind one of the PIX's NAT translations.  First, you're going to need to make sure that the ActiveSync server itself will permit one-hour timeouts.  Second, you'll need to configure the connection timeouts for NAT on the PIX with the "timeout conn 1:00:00" configuration command.
Commented:
I wasn't able to resolve the issue with Experts Exchange and opened a case with Cisco to resolve it.  Problem was fixed, but I'm not exactly clear on the details.  Something on the pix and there was a filter setting in the iis isapi blocking the requests.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial