embryonic connections

lcaruso
Level 6

Hi,

I'm looking for solid examples of how to implement limiting embryonic connections and/or other possible denial-of-service types of traffic such as half-closed, both through the firewall and to the firewall. I'm also looking for an example of how to use tcp dead connection detection.

We have a client who has had a router brought to its knees by this method and we are going to replace it with an ASA. Given the history, I'd like to not use the defaults and use more aggressive settings. For example, an embryonic connection minimum is 5 seconds and the default is 30 seconds.

Any solid examples will be most appreciated. Thanks.

5 Replies

Kureli Sankar
Cisco Employee

Example to limit connections and set half-closed timeout:

policy-map per-client
 class per-client-class
  set connection conn-max 80 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 2
  set connection timeout half-closed 0:5:0 embryonic 0:0:6
!
ASA# sh run class-map per-client-class
!
class-map per-client-class
 match access-list per-client
!
ASA# sh run access-l per-client
access-list per-client extended permit ip host 192.168.2.3 any
access-list per-client extended permit ip host 192.168.2.2 any
!
ASA# sh run service-policy
!
service-policy per-client int inside

Refer here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

-KS

very good, thank you!

I was also referred to these links by another party; for anyone else interested in this topic:

Threat-detection:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Configuring Connection Limits and Timeouts:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

Preventing network attacks:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html

What do these default statements do--protect the firewall or protect connections through the firewall?

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

These are just timeout values for different types of connections "through" the firewall.

Example:

After the default 1 hour timeout of a TCP connection, the 3 hour xlate timeout will kick in, and after the total 4 hours it will be removed from the table.

You can read more here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

-KS
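Added here as an example, not code from this thread or from Cisco: a small Python parser that reads the per-client policy-map and the default timeout lines quoted above, converts the hh:mm:ss values to seconds, reports which per-class timeouts are stricter than the ASA defaults, and computes the conn + xlate lifetime KS describes. The sample config is constructed from this thread (with the `timeout` keyword that `set connection timeout` takes), and the default values are the ones quoted in the thread.

```python
import re

# ASA 8.2 defaults as quoted in this thread: conn 1h, half-closed 10m, xlate 3h, embryonic 30s.
DEFAULTS = {"conn": 3600, "half-closed": 600, "xlate": 10800, "embryonic": 30}

# Constructed sample: the thread's default timeout lines plus the per-client policy-map.
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
policy-map per-client
 class per-client-class
  set connection conn-max 80 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 2
  set connection timeout half-closed 0:5:0 embryonic 0:0:6
"""

HMS = r"(\S+) (\d+:\d+:\d+)"  # "<name> hh:mm:ss" pairs on a timeout line

def hms_to_seconds(text):
    """Convert an ASA hh:mm:ss string (leading zeros optional) to seconds."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_asa(config):
    """Pull global timeouts, per-class timeouts and connection limits out of a config."""
    out = {"global": {}, "class": {}, "limits": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("timeout "):                 # global timeout lines
            for name, val in re.findall(HMS, line):
                out["global"][name] = hms_to_seconds(val)
        elif line.startswith("set connection timeout "):  # per-class timeouts
            for name, val in re.findall(HMS, line):
                out["class"][name] = hms_to_seconds(val)
        elif line.startswith("set connection "):        # per-class connection limits
            for name, val in re.findall(r"(\S+-max) (\d+)", line):
                out["limits"][name] = int(val)
    return out

def tightened(parsed):
    """Per-class timeouts stricter than the ASA defaults: name -> (configured, default)."""
    return {n: (v, DEFAULTS[n]) for n, v in parsed["class"].items()
            if n in DEFAULTS and v < DEFAULTS[n]}

def idle_tcp_lifetime(parsed):
    """Seconds an idle TCP flow stays in the tables: conn timeout, then the xlate timeout."""
    g = parsed["global"]
    return g.get("conn", DEFAULTS["conn"]) + g.get("xlate", DEFAULTS["xlate"])
```

Run it against a real `show running-config` dump to see at a glance which embryonic and half-closed values a policy actually tightens relative to the defaults.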

thanks for the explanation and the link.
