https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960691#M434910 <HTML><HEAD></HEAD><BODY><P>Shuai Yu: I guess it depends on what you are trying to achive, maybe they have a http-server of something...</P><P></P><P>jackwikiski: Your parameter-maps confuses me because they don't have a name? Or is it because they are global so you don't need a name?</P><P></P><P>Anyway, try this:</P><P></P><P>parameter-map type inspect ANTI-DDOS_PARMAP</P><P>&nbsp; session total 99000</P><P>&nbsp; alert on</P><P>&nbsp; per-box tcp syn-flood limit 2000</P><P>&nbsp; per-box max-incomplete tcp 2000</P><P>&nbsp; per-box max-incomplete udp 500</P><P>&nbsp; per-box max-incomplete icmp 500</P><P></P><P>policy-map type inspect ddos-fw</P><P> class type inspect ddos-class</P><P>&nbsp; inspect ANTI-DDOS_PARMAP</P></BODY></HTML> Mon, 04 Jun 2012 20:17:52 GMT Henrik Grankvist 2012-06-04T20:17:52Z https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960689#M434908 <P>Hi All,</P><P></P><P>We are trying to implement the ZBF on our router to assist us in limiting the intial impact of DDOS attacks.</P><P>We have configured the below and it appears that it's not working, as when un der attack the statistics don't increae.</P><P></P><P>Any assistance would be greatly appreciated:</P><P></P><P></P><P>parameter-map type inspect global</P><P> session total 99000</P><P> alert on</P><P> per-box tcp syn-flood limit 2000</P><P> per-box max-incomplete tcp 2000</P><P> per-box max-incomplete udp 500</P><P> per-box max-incomplete icmp 500</P><P></P><P>class-map type inspect match-any ddos-class</P><P></P><P>match protocol tcp</P><P>match protocol UDP</P><P>match protocol icmp</P><P></P><P>parameter-map type inspect global</P><P></P><P>policy-map type inspect ddos-fw</P><P></P><P>class type inspect ddos-class</P><P></P><P>inspect</P><P></P><P>class class-default</P><P></P><P>drop</P><P></P><P>zone security public</P><P></P><P>zone security private</P><P></P><P>zone-pair security public2private source public destination private</P><P></P><P>service-policy type inspect ddos-fw</P><P></P><P></P><P></P><P>int GigabitEthernet0/0/1</P><P></P><P>zone-member security public</P><P></P><P></P><P>int GigabitEthernet0/2/0</P><P></P><P>zone-member security private</P><P></P><P></P><P>Thanks.</P><P></P><P>Jack.</P> Mon, 11 Mar 2019 23:15:21 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960689#M434908 jackwikinski 2019-03-11T23:15:21Z https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960690#M434909 <HTML><HEAD></HEAD><BODY><P> Just curious, should u put the policy-map to the public2self zone-pair to limit DOS attack?</P></BODY></HTML> Mon, 04 Jun 2012 17:17:43 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960690#M434909 SIMMN 2012-06-04T17:17:43Z https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960691#M434910 <HTML><HEAD></HEAD><BODY><P>Shuai Yu: I guess it depends on what you are trying to achive, maybe they have a http-server of something...</P><P></P><P>jackwikiski: Your parameter-maps confuses me because they don't have a name? Or is it because they are global so you don't need a name?</P><P></P><P>Anyway, try this:</P><P></P><P>parameter-map type inspect ANTI-DDOS_PARMAP</P><P>&nbsp; session total 99000</P><P>&nbsp; alert on</P><P>&nbsp; per-box tcp syn-flood limit 2000</P><P>&nbsp; per-box max-incomplete tcp 2000</P><P>&nbsp; per-box max-incomplete udp 500</P><P>&nbsp; per-box max-incomplete icmp 500</P><P></P><P>policy-map type inspect ddos-fw</P><P> class type inspect ddos-class</P><P>&nbsp; inspect ANTI-DDOS_PARMAP</P></BODY></HTML> Mon, 04 Jun 2012 20:17:52 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-asr1002/m-p/1960691#M434910 Henrik Grankvist 2012-06-04T20:17:52Z