topic Re: Securing ASA outside Interface by restricting tcp connections to outside IP in Network Security

Securing ASA outside Interface by restricting tcp connections to outside IP

Jay47110 — Mon, 12 Oct 2020 13:14:05 GMT

Hi,

I have an ASA 5516-X used to provide remote access VPN solution to clients. Since the outside interface is webvpn enabled I am trying to avoid DDOS attacks to the outside IP by restriction the number of tcp connection attempts to-the-box. I have used mpf to implement the following:

access-list limit-conn-outside extended permit ip any host (ASA outside interface IP)

class-map CMAP

match limit-conn-outside

policy-map PMAP

class CMAP

set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30

service policy PMAP interface outside

However, In the "show service-policy interface outside" I am unable to see the current conn stats. Although the ASA currently has several webvpn connections to its outside IP address on port 443, the show command does not display the current number of conns at all. Which makes me this that the service policy is not working somehow.

Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0

Is there something I am missing from the config?

Re: Securing ASA outside Interface by restricting tcp connections to outside IP

Marius Gunnerud — Mon, 12 Oct 2020 10:08:51 GMT

As this match happens after NAT has taken place you need to specify the internal IPs or subnet in the ACL.

Re: Securing ASA outside Interface by restricting tcp connections to outside IP

Jay47110 — Mon, 12 Oct 2020 10:51:25 GMT

Hi Marius,

I'm trying to restrict inbound connections from external IPs to the ASA's outside Interface IP. As ASA is designated for Remote access VPNs no NAT is configured on it.

Re: Securing ASA outside Interface by restricting tcp connections to outside IP

Marius Gunnerud — Mon, 12 Oct 2020 10:55:44 GMT

So you are trying to limit the number of remote access VPN users that connect to the ASA?

Re: Securing ASA outside Interface by restricting tcp connections to outside IP

Jay47110 — Mon, 12 Oct 2020 13:16:41 GMT

Not really the number of users as that is dictates by the licence but the number of active connections to-the-box. As from what I've researched a successful remote access VPN connection will create only create 2 connections i.e. 1x TCP(TLS) and 1x UDP(DTLS) to the ASA's outside interface IP. And since my ASA is not used for anything else apart from remote access VPN, I want to only allow a restricted number of inbound to-the-box connections in an attempt to avoid DDOS attacks. For example, someone trying to DDOS by brute forcing authentication on the webvpn login page using random username and passwords.

Hope that makes sense.

Re: Securing ASA outside Interface by restricting tcp connections to outside IP

Jay47110 — Wed, 14 Oct 2020 12:10:42 GMT

Update: Cisco ASA does not offer CPP (Control plane policing) therefore DDOS protection cannot be configured using the MPF method shown in the OP. That method is used to protect traffic traversing through the ASA and not to the ASA.

Thanks to Mohammed al Baqari for the insight.