https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127085#M892465 <HTML><HEAD></HEAD><BODY><P>You current connection count is only 1 so you will not see any drops.</P></BODY></HTML> Thu, 11 Dec 2008 18:06:28 GMT vvarakan 2008-12-11T18:06:28Z https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127084#M892464 <P>Hi All,</P><P></P><P>I have the following scenario;</P><P></P><P>Hacker or virus ---&gt; ASA/PIX MPF ---&gt; Router or Device endpoint</P><P></P><P>I use syslog traffic in this example but I have done it with ICMP, telnet etc .... The idea is to drop the traffic based upon the class-map.</P><P></P><P>class-map hack</P><P>match port udp eq 514</P><P></P><P>policy-map inside</P><P>class hack</P><P>set connection conn-max 1</P><P>police input 8000 conform-action drop exceed drop</P><P></P><P>service-policy inside interface inside</P><P></P><P>I'm getting matches against the service-policy but the traffic doesn't drop ...</P><P></P><P>Interface inside:</P><P> Service-policy: inside</P><P> Class-map: syslog</P><P> Set connection policy: conn-max 1 </P><P> current conns 1, drop 0</P><P> Input police Interface inside:</P><P> cir 8000 bps, bc 1500 bytes</P><P> conformed 3 packets, 375 bytes; actions: drop</P><P> exceeded 0 packets, 0 bytes; actions: drop</P><P> conformed 80 bps, exceed 0 bps</P> Mon, 11 Mar 2019 14:24:28 GMT https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127084#M892464 jon.humphries 2019-03-11T14:24:28Z https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127085#M892465 <HTML><HEAD></HEAD><BODY><P>You current connection count is only 1 so you will not see any drops.</P></BODY></HTML> Thu, 11 Dec 2008 18:06:28 GMT https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127085#M892465 vvarakan 2008-12-11T18:06:28Z https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127086#M892466 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks like my issue, was that the CIR police mechanisim is there for rate limiting as opposed to dropping the connection.</P><P></P><P>I misunderstood the functionality of this feature.</P><P></P><P>Many thanks for your input.</P><P></P><P>Jon Humphries</P></BODY></HTML> Sun, 14 Dec 2008 16:11:43 GMT https://community.cisco.com/t5/network-security/asa-pix-dos-mitigation/m-p/1127086#M892466 jon.humphries 2008-12-14T16:11:43Z