topic MPF configuration.. in Network Security https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033078#M915057 <P>Hi,</P><P></P><P> In MPF how many service-policy I can configure per interface.Please find theconfiguration in my ASA..</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map imblock</P><P> match any</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map type inspect im impolicy</P><P> parameters</P><P> match protocol msn-im yahoo-im</P><P> drop-connection</P><P>policy-map IM_BLOCK</P><P> class imblock</P><P> inspect im impolicy</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect http</P><P>!</P><P>service-policy global_policy global</P><P>service-policy IM_BLOCK interface outside</P><P></P><P>I want to add one more modular policy to prevent TCP SYN attack.Please find the configuration..</P><P></P><P>#class-map tcp_syn</P><P> #match port tcp eq 80</P><P> #exit</P><P>#policy-map tcpmap</P><P> #class tcp_syn</P><P> #set connection conn-max 100</P><P> #set connection embryonic-conn-max 200</P><P> #set connection per-client-embryonic-max 10</P><P> #set connection per-client-max 5</P><P> #set connection timeout embryonic 0:0:45</P><P> #set connection timeout half-closed 0:25:0</P><P> #set connection timeout tcp 2:0:0</P><P> #exit</P><P>#service-policy tcpmap global</P><P>** Shall I add the above configuration in my ASA?How many service policy I can assign in global interface.</P><P></P><P></P> Mon, 11 Mar 2019 13:27:16 GMT somnath21 2019-03-11T13:27:16Z MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033078#M915057 <P>Hi,</P><P></P><P> In MPF how many service-policy I can configure per interface.Please find theconfiguration in my ASA..</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map imblock</P><P> match any</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map type inspect im impolicy</P><P> parameters</P><P> match protocol msn-im yahoo-im</P><P> drop-connection</P><P>policy-map IM_BLOCK</P><P> class imblock</P><P> inspect im impolicy</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect http</P><P>!</P><P>service-policy global_policy global</P><P>service-policy IM_BLOCK interface outside</P><P></P><P>I want to add one more modular policy to prevent TCP SYN attack.Please find the configuration..</P><P></P><P>#class-map tcp_syn</P><P> #match port tcp eq 80</P><P> #exit</P><P>#policy-map tcpmap</P><P> #class tcp_syn</P><P> #set connection conn-max 100</P><P> #set connection embryonic-conn-max 200</P><P> #set connection per-client-embryonic-max 10</P><P> #set connection per-client-max 5</P><P> #set connection timeout embryonic 0:0:45</P><P> #set connection timeout half-closed 0:25:0</P><P> #set connection timeout tcp 2:0:0</P><P> #exit</P><P>#service-policy tcpmap global</P><P>** Shall I add the above configuration in my ASA?How many service policy I can assign in global interface.</P><P></P><P></P> Mon, 11 Mar 2019 13:27:16 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033078#M915057 somnath21 2019-03-11T13:27:16Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033079#M915062 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>You can apply only one Global policy, which will do inspection on all interfaces.</P><P>You can either modify the global policy or create your own policy and apply globally or to one or more interfaces.</P></BODY></HTML> Thu, 07 Aug 2008 04:23:22 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033079#M915062 dhananjoy chowdhury 2008-08-07T04:23:22Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033080#M915064 <HTML><HEAD></HEAD><BODY><P>Thanks!!</P><P></P><P>Can I do like this..</P><P></P><P>Configure a separate class-map (tcp_syn) and add it under the policy-map global_policy (default).</P><P></P><P>class-map tcp_syn </P><P>match port tcp eq 80 </P><P></P><P>policy-map global_policy</P><P>class tcp_syn </P><P>set connection conn-max 100 </P><P>set connection embryonic-conn-max 200 </P><P>set connection per-client-max 5 </P><P>set connection timeout embryonic 0:0:45 </P><P>set connection timeout tcp 2:0:0 </P><P></P><P>service-policy tcpmap global </P><P></P><P>Please assist..</P></BODY></HTML> Thu, 07 Aug 2008 04:35:48 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033080#M915064 somnath21 2008-08-07T04:35:48Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033081#M915066 <HTML><HEAD></HEAD><BODY><P>u cam have one global policy</P><P>and on policy per interface</P><P>the interface policy override the glbal one if overlaped</P><P>in ur question the conifg ok</P><P>but i see u put ur config under the default global policy</P><P>why u applying another on??</P><P>once u put the config under the global_policy which is the defaul one it will be automaticly applied globaly</P><P></P><P>good luck </P><P></P><P>please if helpful rate</P></BODY></HTML> Thu, 07 Aug 2008 04:41:35 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033081#M915066 Marwan ALshawi 2008-08-07T04:41:35Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033082#M915070 <HTML><HEAD></HEAD><BODY><P>Yes you can add new class-map.</P><P></P><P>But don't add this "service-policy tcpmap global"</P><P></P><P>You can have only one policy in the global.</P><P></P><P>service-policy global_policy global</P><P></P></BODY></HTML> Thu, 07 Aug 2008 04:52:09 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033082#M915070 dhananjoy chowdhury 2008-08-07T04:52:09Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033083#M915073 <HTML><HEAD></HEAD><BODY><P>Please find my configuration...</P><P>Lines started with * are newly added.</P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map imblock</P><P> match any</P><P>*class-map tcp_syn</P><P> *match port tcp eq 80</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map type inspect im impolicy</P><P> parameters</P><P> match protocol msn-im yahoo-im</P><P> drop-connection</P><P>policy-map IM_BLOCK</P><P> class imblock</P><P> inspect im impolicy</P><P>policy-map global_policy</P><P> class inspection_default</P><P> *class-map tcp_syn</P><P> *set connection conn-max 100</P><P> *set connection embryonic-conn-max 200</P><P> *set connection per-client-embryonic-max 10</P><P> *set connection per-client-max 5</P><P> *set connection random-sequence-number enable</P><P> *set connection timeout embryonic 0:0:45</P><P> *set connection timeout half-closed 0:25:0</P><P> *set connection timeout tcp 2:0:0</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect http</P><P>!</P><P>service-policy global_policy global</P><P>service-policy IM_BLOCK interface outside</P><P></P><P>It's ok na??</P></BODY></HTML> Thu, 07 Aug 2008 05:07:54 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033083#M915073 somnath21 2008-08-07T05:07:54Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033084#M915075 <HTML><HEAD></HEAD><BODY><P>sounds good</P><P>i mean the polices application</P><P>good luck</P></BODY></HTML> Thu, 07 Aug 2008 05:35:24 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033084#M915075 Marwan ALshawi 2008-08-07T05:35:24Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033085#M915076 <HTML><HEAD></HEAD><BODY><P>this seems ok.</P><P></P><P>Just for confirmation can you post the last part of the running-config</P><P>- starting from " policy-map global_policy"</P><P> till the statement "service-policy IM_BLOCK interface outside "</P></BODY></HTML> Thu, 07 Aug 2008 05:36:10 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033085#M915076 dhananjoy chowdhury 2008-08-07T05:36:10Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033086#M915079 <HTML><HEAD></HEAD><BODY><P>My current MPF configuration..</P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map imblock</P><P> match any</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map type inspect im impolicy</P><P> parameters</P><P> match protocol msn-im yahoo-im</P><P> drop-connection</P><P>policy-map IM_BLOCK</P><P> class imblock</P><P> inspect im impolicy</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect http</P><P>!</P><P>service-policy global_policy global</P><P>service-policy IM_BLOCK interface outside</P><P></P><P>I want to add (*) these lines..</P><P></P><P>*class-map tcp_syn</P><P> *match port tcp eq 80</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> *class-map tcp_syn</P><P> *set connection conn-max 300</P><P> *set connection embryonic-conn-max 400</P><P> *set connection per-client-embryonic-max 10</P><P> *set connection per-client-max 15</P><P> *set connection random-sequence-number enable</P><P> *set connection timeout embryonic 0:0:45</P><P> *set connection timeout half-closed 0:25:0</P><P> *set connection timeout tcp 2:0:0</P><P></P><P></P></BODY></HTML> Thu, 07 Aug 2008 05:47:29 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033086#M915079 somnath21 2008-08-07T05:47:29Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033087#M915081 <HTML><HEAD></HEAD><BODY><P>Hi Somnath,</P><P>Do it like this..</P><P></P><P>myPIX(config)# class-map tcp_syn</P><P>myPIX(config-cmap)# match port tcp eq 80</P><P>myPIX(config-cmap)# exit</P><P></P><P>myPIX(config)# policy-map global_policy</P><P>pixfirewall(config-pmap)# class tcp_syn</P><P>pixfirewall(config-pmap-c)# set connection conn-max 100</P><P>..... and so on....</P><P></P></BODY></HTML> Thu, 07 Aug 2008 06:05:46 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033087#M915081 dhananjoy chowdhury 2008-08-07T06:05:46Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033088#M915083 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>One more help,If I configure like the above one it will be applicable for only port 80.</P><P>I want to connection limit for all traffic. </P><P>The below configuration is ok or not?</P><P></P><P>myPIX(config)# class-map tcp_syn </P><P>myPIX(config-cmap)# match any </P><P>myPIX(config-cmap)# exit </P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> *class-map tcp_syn</P><P> *set connection conn-max 700</P><P> *set connection embryonic-conn-max 1200</P><P> *set connection per-client-embryonic-max 20</P><P> *set connection per-client-max 10</P><P> *set connection random-sequence-number enable</P><P> *set connection timeout embryonic 0:0:45</P><P> *set connection timeout half-closed 0:25:0</P><P> *set connection timeout tcp 2:0:0</P><P></P><P>The parameter mentioned above like</P><P>conn-max 700,</P><P>embryonic-conn-max 1200,</P><P>per-client-embryonic-max 20,</P><P>per-client-max 10</P><P></P><P>are ok or not?</P><P></P><P></P><P></P></BODY></HTML> Thu, 07 Aug 2008 06:17:54 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033088#M915083 somnath21 2008-08-07T06:17:54Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033089#M915085 <HTML><HEAD></HEAD><BODY><P>Only a small change....</P><P></P><P>policy-map global_policy</P><P> class tcp_syn</P><P> set connection conn-max 700 </P><P>..... and so on.</P><P></P><P>If you do as per below your purpose is not solved.</P><P></P><P>policy-map global_policy</P><P>class inspection_default</P><P>class-map tcp_syn </P><P>set connection conn-max 700</P><P>.......</P><P></P><P></P><P></P></BODY></HTML> Thu, 07 Aug 2008 06:35:13 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033089#M915085 dhananjoy chowdhury 2008-08-07T06:35:13Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033090#M915088 <HTML><HEAD></HEAD><BODY><P>I want to configure that one to prevent Dos attack (TCP SYN).</P><P>Is it possible by limiting port 80 traffic or I have to go for any.</P></BODY></HTML> Thu, 07 Aug 2008 06:58:57 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033090#M915088 somnath21 2008-08-07T06:58:57Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033091#M915090 <HTML><HEAD></HEAD><BODY><P>yes, do match any</P></BODY></HTML> Thu, 07 Aug 2008 07:21:41 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033091#M915090 dhananjoy chowdhury 2008-08-07T07:21:41Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033092#M915093 <HTML><HEAD></HEAD><BODY><P>Thanks! I got it.</P></BODY></HTML> Thu, 07 Aug 2008 07:25:49 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033092#M915093 somnath21 2008-08-07T07:25:49Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033093#M915094 <HTML><HEAD></HEAD><BODY><P>sorry one more confusion..</P><P>if I configure like that then it will be applicable for all traffic or individual.</P><P>I want to meant it will limit total connection to 900 or each connection (FTP-900,HTTP-900 like that</P><P>) to 900.</P><P>class-map tcp_syn</P><P> match any</P><P>policy-map global_policy</P><P> class inspection_default</P><P> class tcp_syn</P><P> set connection conn-max 900</P><P> set connection embryonic-conn-max 300</P><P> set connection per-client-embryonic-max 10</P><P></P><P></P><P></P></BODY></HTML> Thu, 07 Aug 2008 10:11:09 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033093#M915094 somnath21 2008-08-07T10:11:09Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033094#M915096 <HTML><HEAD></HEAD><BODY><P>because in ur class-map </P><P>u have match any</P><P>then this will consider the total amount of connections as 900</P><P></P><P>if u want to restrect only one typ lets say http</P><P></P><P>do :</P><P></P><P>access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 80</P><P></P><P>access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 443</P><P></P><P>then</P><P>make new class</P><P>class-map http-map</P><P>match access-group 100</P><P></P><P>then </P><P>apply it the same way u have don above</P><P></P></BODY></HTML> Thu, 07 Aug 2008 10:21:53 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033094#M915096 Marwan ALshawi 2008-08-07T10:21:53Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033095#M915097 <HTML><HEAD></HEAD><BODY><P>thanks</P></BODY></HTML> Thu, 07 Aug 2008 10:26:34 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033095#M915097 somnath21 2008-08-07T10:26:34Z Re: MPF configuration.. https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033096#M915098 <HTML><HEAD></HEAD><BODY><P>thanks!</P></BODY></HTML> Thu, 07 Aug 2008 10:27:56 GMT https://community.cisco.com/t5/network-security/mpf-configuration/m-p/1033096#M915098 somnath21 2008-08-07T10:27:56Z