https://community.cisco.com/t5/network-security/tcp-connection-limit/m-p/2687228#M190801 <P>Hi,</P><P>You can refer to this document for the complete configuration that you would need:-</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html</P><P>You need to use the <B class="cKeyword">"per-client-max </B> <EM class="cEmphasis"> n" value set to 500</EM></P><P><EM class="cEmphasis">Refer:-</EM></P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1627430</P><P>Example configuration:-</P><P>&nbsp;</P><P>hostname(config)# class-map CONNS</P><P>hostname(config-cmap)# match any</P><P>hostname(config-cmap)# policy-map CONNS</P><P>hostname(config-pmap)# class CONNS</P><P>hostname(config-pmap-c)# set connection <B class="cKeyword">per-client-max 500</B></P><P>hostname(config-pmap-c)# service-policy CONNS interface outside</P><P>NOTE:- Match the specific traffic that you want to match this limit restriction onto.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 10 Jun 2015 09:27:53 GMT Vibhor Amrodia 2015-06-10T09:27:53Z https://community.cisco.com/t5/network-security/tcp-connection-limit/m-p/2687227#M190800 <P><SPAN style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">Hi,</SPAN></P><DIV style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">I would like to limit scanning and syn flooding on ASA. I am thinking I can restrict&nbsp;any outside host to only be able to initiate maximum 500 tcp connections total to inside host at a given time it would help prevent syn flood and port scan attacks.&nbsp;</DIV><DIV style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">&nbsp;</DIV><DIV style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">Anyone else done this so please share config. Any other suggestion for scanning and syn-flood attack prevention?</DIV><DIV style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">&nbsp;</DIV><DIV style="color: rgb(0, 0, 0); font-family: Tahoma; font-size: 13.3333330154419px; line-height: normal;">Thanks</DIV><P>&nbsp;</P> Tue, 12 Mar 2019 06:04:42 GMT https://community.cisco.com/t5/network-security/tcp-connection-limit/m-p/2687227#M190800 S891 2019-03-12T06:04:42Z https://community.cisco.com/t5/network-security/tcp-connection-limit/m-p/2687228#M190801 <P>Hi,</P><P>You can refer to this document for the complete configuration that you would need:-</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html</P><P>You need to use the <B class="cKeyword">"per-client-max </B> <EM class="cEmphasis"> n" value set to 500</EM></P><P><EM class="cEmphasis">Refer:-</EM></P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1627430</P><P>Example configuration:-</P><P>&nbsp;</P><P>hostname(config)# class-map CONNS</P><P>hostname(config-cmap)# match any</P><P>hostname(config-cmap)# policy-map CONNS</P><P>hostname(config-pmap)# class CONNS</P><P>hostname(config-pmap-c)# set connection <B class="cKeyword">per-client-max 500</B></P><P>hostname(config-pmap-c)# service-policy CONNS interface outside</P><P>NOTE:- Match the specific traffic that you want to match this limit restriction onto.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 10 Jun 2015 09:27:53 GMT https://community.cisco.com/t5/network-security/tcp-connection-limit/m-p/2687228#M190801 Vibhor Amrodia 2015-06-10T09:27:53Z