topic Correct connection limits on asa 5510 for LAN behind in Network Security

Correct connection limits on asa 5510 for LAN behind

mirage__SK — Mon, 11 Mar 2019 23:25:16 GMT

Dear All!!

Need to configure connection limitis for LAN behind asa.

What quantity I must use :

per client

per client embrionic

totally Per client

per client embrionic

(For which interface)

To providing them internet access (http, https, pop3, pop3s, smtp, smtps), and protect internet channel from overloading?

Re: Correct connection limits on asa 5510 for LAN behind

mirage__SK — Mon, 02 Jul 2012 09:18:19 GMT

I need parameters for following optios:

(now they are unlimited)

Maximum TCP and UDP connection

Maximum embrionic connections

Maximum per client connections

Maximum per client embrionic connectios

Re: Correct connection limits on asa 5510 for LAN behind

Ramraj Sivagnanam Sivajanam — Sat, 28 Jul 2012 19:47:01 GMT

Hi Bro

To meet your requirements, you'll need to configure QOS (TCP-MAPS), coupled with MPF. Here's a sample http://www.networkstraining.com/configuring-connection-limits-on-cisco-asa-firewalls-protect-from-dos/

P/S: If you think this comment is useful, please do rate them nicely 🙂

Re: Correct connection limits on asa 5510 for LAN behind

mirage__SK — Mon, 30 Jul 2012 06:29:16 GMT

Thanks for reply.

I am interesting, which values are optimal for these parameters( which are correct quantities). For example I use the following(see below), are they correct?

threat-detection rate dos-drop rate-interval 600 average-rate 2 burst-rate 2

threat-detection rate dos-drop rate-interval 3600 average-rate 2 burst-rate 2

threat-detection rate bad-packet-drop rate-interval 600 average-rate 2 burst-rate 2

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 2 burst-rate 2

threat-detection rate acl-drop rate-interval 600 average-rate 2 burst-rate 2

threat-detection rate acl-drop rate-interval 3600 average-rate 2 burst-rate 2

threat-detection rate conn-limit-drop rate-interval 600 average-rate 3 burst-rate 3

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 3 burst-rate 3

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 3 burst-rate 3

threat-detection rate scanning-threat rate-interval 3600 average-rate 3 burst-rate 3

threat-detection rate syn-attack rate-interval 600 average-rate 2 burst-rate 2

threat-detection rate syn-attack rate-interval 3600 average-rate 2 burst-rate 2

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 2 burst-rate 2

threat-detection rate inspect-drop rate-interval 3600 average-rate 2 burst-rate 2

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address xx.xx.xx.xx 255.255.255.240

threat-detection scanning-threat shun except ip-address xx.xx.xx.xx 255.255.255.0

threat-detection scanning-threat shun duration 1800

threat-detection statistics

threat-detection statistics host number-of-rate 2

threat-detection statistics tcp-intercept rate-interval 15 burst-rate 30 average-rate 30

threat-detection scanning-threat

threat-detection scanning-threat shun

threat-detection scanning-threat shun duration 1800
threat-detection statistics
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept rate-interval 15 burst-rate 30 average-rate 30

Re: Correct connection limits on asa 5510 for LAN behind

Ramraj Sivagnanam Sivajanam — Mon, 30 Jul 2012 08:37:31 GMT

Hi Bro

Having threat-detection is great, but you need to know the best values for your environment. Customizing each values is good, if you know what are the good values for your environment but as for me, I opt to remain with the default values. Hence, in most of my deployments here's a sample of what I normally do, and that's it 🙂

FW01# show run threat-detection

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 172.0.0.0 255.0.0.0

threat-detection statistics

Re: Correct connection limits on asa 5510 for LAN behind

mirage__SK — Mon, 30 Jul 2012 08:57:19 GMT

Dear Ramraj,

How can I calculate best values for my environment?

I have used default values, but botnet DDos attack downed my servers, I have received large TCP SYN packets from many hosts, and Appliance does not shun them, so I desided do re-configure my asa 5510 for strict protection and enter these values, which you can see above

Also I create tcp normalization map with following options:

TCP CHECK RETRANSMISSION

CLEAR URGENT FLAG

PAST-WINDOW SEQUENCE DROP

DROP SYN WITH DATA

VERIFY TCP CHECKSUM

SYNACK DATA DROP

INVLAID ACK DROP

I displayed my config, maybe I have mistake somwhere and want to know what more parameters I can configure for TCP and UDP flood proection (if yes, pease, give me a litte example)?

P.S. I do not have any advenced security module on asa, only SEC PLUS licence.

Correct connection limits on asa 5510 for LAN behind

Ramraj Sivagnanam Sivajanam — Mon, 30 Jul 2012 10:21:32 GMT

Hi Bro

Did you follow the URL link i gave you, as shown below

STEP1: Identify the traffic to apply connection limits using a class map

ASA(config)# access list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255
ASA(config)# class-map CONNS-MAP
ASA(config-cmap)# match access-list CONNS-ACL

STEP2: Add a policy map to set the actions to take on the class map traffic

ASA(config)# policy-map CONNS-POLICY
ASA(config-pmap)# class CONNS-MAP
! The following sets connection number limits
ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] {tcp hh:mm:ss
[reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

STEP3: Apply the Policy on one or more interfaces or Globaly

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}

Correct connection limits on asa 5510 for LAN behind

mirage__SK — Mon, 30 Jul 2012 12:24:12 GMT

Dear Ramraj,

My question about calculation method of correct values for following parameters:

ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]

[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]

[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

between 0 and 65535

this is a wery big range...

Can you tell me about recommended values per host for connections and embrionic connections quantities ?

or give me link, how can I calculate them in range between 0 and 65535

Correct connection limits on asa 5510 for LAN behind

Ramraj Sivagnanam Sivajanam — Mon, 30 Jul 2012 18:29:56 GMT

Hi Bro

I don’t think Cisco has a guide on the best values possible with regards to this matter. These values are very subjective from one environment to another.

Cisco’s default values are clearly seen in all Cisco AS FW, a sample as shown below;

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

However, if you want to tune it for a particular source / destination, TCP MAPS is the right way to go. I can’t provide you any more information than I have already provided. This is the best I can do.

For further details, please kindly refer to this Cisco document http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/conns_connlimits.html#wp1080734

Correct connection limits on asa 5510 for LAN behind

mirage__SK — Tue, 31 Jul 2012 09:43:09 GMT

Thanks for provided information!