ASA Blocking

bilal-javed1
Level 1

Hi,

I have installed an ASA 5510 to limit users' sessions to 170. But as soon as I put it in front of the network, before the router, the Internet goes down and I cannot browse or do anything.

The network is simple, Cisco three layer model with users on Wired LAN/Wireless LAN using WLC. Approx 2500-3000 users.

Can you please guide me on what I am doing wrong in the config, or how to start troubleshooting?

Running Config is pasted below.

Thanks in Advance.

Regards,

Bilal

GV-ASA5510-INSIDE# show run
: Saved
:
ASA Version 9.1(1)
!
firewall transparent
hostname GV-ASA5510-INSIDE
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif outside
 bridge-group 1
 security-level 100
!
interface Ethernet0/1
 duplex full
 nameif inside
 bridge-group 1
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 ip address 192.168.1.2 255.255.255.0
!
interface BVI1
 ip address 172.16.1.4 255.255.255.0
!
!
time-range 02/11/2011+7
 absolute end 22:22 09 November 2011
!
time-range 03-11-11
 absolute end 17:00 09 November 2011
 periodic daily 0:00 to 23:59
!
time-range 09-11-11
 absolute end 16:33 16 November 2011
!
time-range 13/11/2011+7
!
time-range 19/11/2011+7
 absolute end 20:49 26 November 2011
!
time-range 3.161
 absolute end 16:35 10 February 2011
!
ftp mode passive
clock timezone AFT 4 30
dns server-group DefaultDNS
 domain-name GreenVillage
same-security-traffic permit inter-interface
object network 10.100.5.52
 host 10.100.5.52
object network 203.88.70.113
 host 203.88.70.113
object network 203.88.70.117
 host 203.88.70.113
object network Blackberry_Steven
 host 10.100.2.245
 description BB
object network 172.16.10.155
 host 172.16.10.155
 description Blocked user on 09/11/2011
object network 172.16.30.141
 host 172.16.30.104
object network 172.16.20.247
 host 172.16.20.247
object network 172.16.40.125
 host 172.16.40.125
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 100 extended permit ip any any log
access-list HighBandUsers extended deny ip any host 66.77.197.61
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list LAN_subnets extended permit ip 10.0.0.0 255.0.0.0 any inactive
access-list LAN_subnets extended permit ip 172.16.0.0 255.255.0.0 any inactive
access-list LAN_subnets extended permit ip 192.168.0.0 255.255.0.0 any inactive
access-list LAN_subnets extended permit ip any 10.0.0.0 255.0.0.0 inactive
access-list LAN_subnets extended permit ip any 172.16.0.0 255.255.0.0 inactive
access-list LAN_subnets extended permit ip any 192.168.0.0 255.255.0.0 inactive
access-list All_Incoming extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 20 burst-rate 5300 average-rate 2900
dynamic-filter use-database
dynamic-filter enable
dynamic-filter enable interface outside
dynamic-filter enable interface inside
dynamic-filter drop blacklist interface inside action-classify-list LAN_subnets
dynamic-filter ambiguous-is-black
username gvadmin password xTTON9V41CE0Cr6l encrypted privilege 15
username admin password 5CzeSC0cUSYc3HMs encrypted privilege 15
!
class-map CONNS_LIMIT
 match access-list LAN_subnets
class-map CONNS_Limit
class-map CONNS
class-map inspection_default
 match default-inspection-traffic
class-map Limit_Incoming_Class
 match access-list All_Incoming
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map CONN_Limit
 description //User Connection Limit\\
 class CONNS_LIMIT
  set connection per-client-max 175 per-client-embryonic-max 100 random-sequence-number disable
policy-map TRAFFIC_LIMITING
 class Limit_Incoming_Class
policy-map PM-POLICE-WEB
 class CONNS_Limit
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
service-policy CONN_Limit interface inside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:f74fa843bfc7bb2f94e5d6ef889d21a4
: end

5 Replies

lcambron
Level 3

Hello,

The security level on the outside interface is 100 and should be 0.

Also, I don't see NAT configured, but maybe it is not needed.

Regards,

Felipe.

Jermy Franklin
Level 1

Hi,

Normally, interfaces on the same security level cannot communicate. So please change your outside leg's security level to 0 and try to access the Internet, or you can use the feature of the ASA below to allow traffic between interfaces with the same security level.

same-security-traffic:

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

Syntax:

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Note:

This command is disabled by default.

show running-config same-security-traffic - Displays the same-security-traffic configuration.

Regards,

Jermy Franklin A
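A small configuration check, added here as an example and not taken from the thread or from Cisco, that parses an ASA running-config excerpt (constructed to mirror the posted one) for the conditions discussed above: named interfaces that share a security level, whether same-security-traffic permit inter-interface is present, and access-lists made up entirely of inactive entries (the posted LAN_subnets list, which class-map CONNS_LIMIT matches, is one such list).

```python
"""Added checks on an ASA config for two points raised in the thread: interfaces
sharing a security level, and access-lists whose every entry is 'inactive'."""
import re

# Constructed excerpt modelled on the posted running-config, not the full dump.
SAMPLE_CFG = """\
interface Ethernet0/0
 nameif outside
 security-level 100
interface Ethernet0/1
 nameif inside
 security-level 100
same-security-traffic permit inter-interface
access-list LAN_subnets extended permit ip 10.0.0.0 255.0.0.0 any inactive
access-list LAN_subnets extended permit ip 172.16.0.0 255.255.0.0 any inactive
access-list inside_access_in extended permit ip any any
"""

def interface_levels(cfg):
    """Return {nameif: security-level}; 'no nameif' interfaces are skipped."""
    levels, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None                      # new block: forget previous nameif
        elif m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def equal_security_pairs(levels):
    """Security levels shared by two or more named interfaces."""
    groups = {}
    for name, lvl in levels.items():
        groups.setdefault(lvl, []).append(name)
    return {lvl: sorted(n) for lvl, n in groups.items() if len(n) > 1}

def inter_interface_permitted(cfg):
    """True if traffic between equal-security interfaces is explicitly permitted."""
    return re.search(r"^same-security-traffic permit inter-interface$", cfg, re.M) is not None

def fully_inactive_acls(cfg):
    """ACL names whose every ACE carries the 'inactive' keyword."""
    active, seen = set(), set()
    for line in cfg.splitlines():
        if line.startswith("access-list "):
            name = line.split()[1]
            seen.add(name)
            if not line.rstrip().endswith(" inactive"):
                active.add(name)
    return sorted(seen - active)
```

Run against the full posted config, the same functions report inside and outside both at level 100 with inter-interface traffic permitted, and LAN_subnets as the only ACL with no active entries.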

bilal-javed1
Level 1

Hi,

Thanks for the guidance. Now it's working well.

One more question: I have limited all users to a maximum of 170 sessions per client plus 100 embryonic connections, and it is dropping sessions above that. How can I find which sessions are dropped for any particular user, or as a whole?

Also, peer-to-peer (torrents) is consuming a lot of sessions. As soon as any user opens P2P, his HTTP and other TCP connections are dropped. How can I check those dropped connections?

And how to block these torrent ports?

Please guide.

Regards,

Bilal

Hi,

Is there any way we can put a cap on per-user bandwidth anywhere in the router, firewall or WLC?

Because on a shared pipe, when one user hogs the bandwidth, the others have to suffer.

Please guide where should i limit that per user.

Thanks

Bilal

Hi,

I would suggest creating a new discussion for every new issue.

Also make sure to mark the initial issue as answered so others can learn from this.

Regards,

Felipe.
