I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. Specifically these ones:
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j LOGDROP
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT
What this does is allow port forwards on port 3389/rdp. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones.
This is a critical requirement for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/ssh.
I've had a look around; rate limiting searches generally land me on QoS-based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.
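To make the behaviour of the three rules concrete, here is an added model of the `recent` match as used above (example code written for this page, not from the original poster or from the netfilter project). The first rule records a timestamp per source on every NEW connection; the second drops the attempt when at least `--hitcount 4` timestamps, the current one included, fall inside the last `--seconds 180`; anything else reaches the ACCEPT rule. The connection-attempt sample and the two IP addresses are constructed, and the model ignores the extra stamp that `--update` adds when the drop rule matches.

```python
from collections import defaultdict, deque


class RecentMatch:
    """Model of the iptables 'recent' list for the ruleset quoted above.

    Constructed for illustration; it follows the documented semantics of
    --set / --update --seconds W --hitcount N rather than the kernel source.
    """

    def __init__(self, window_seconds=180, hitcount=4):
        self.window = window_seconds
        self.hitcount = hitcount
        # src_ip -> timestamps of NEW connections, oldest first
        self.stamps = defaultdict(deque)

    def new_connection(self, src_ip, now):
        """Return the verdict for one NEW TCP connection to the protected port."""
        stamps = self.stamps[src_ip]
        # Rule 1: -m recent --set  -> record this attempt for the source
        stamps.append(now)
        # Only attempts younger than the window count toward --hitcount
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        # Rule 2: --update --seconds 180 --hitcount 4 -j LOGDROP
        if len(stamps) >= self.hitcount:
            return "LOGDROP"
        # Rule 3: -j ACCEPT
        return "ACCEPT"


# Constructed sample: (seconds since start, source address) of NEW connections
# to 3389. 10.0.0.5 is an ordinary user; 203.0.113.7 hammers the port.
SAMPLE_ATTEMPTS = [
    (0, "10.0.0.5"),
    (0, "203.0.113.7"),
    (1, "203.0.113.7"),
    (2, "203.0.113.7"),
    (3, "203.0.113.7"),
    (4, "203.0.113.7"),
    (5, "203.0.113.7"),
    (60, "10.0.0.5"),
    (190, "203.0.113.7"),  # first attempt after the 180 s window has passed
    (400, "10.0.0.5"),
]


def simulate(attempts, window_seconds=180, hitcount=4):
    """Run the attempts through the model; returns (ts, src_ip, verdict) tuples."""
    fw = RecentMatch(window_seconds, hitcount)
    return [(ts, ip, fw.new_connection(ip, ts)) for ts, ip in sorted(attempts)]


def dropped_per_source(verdicts):
    """Count LOGDROP verdicts per source; this is what the LOGDROP chain would log."""
    counts = defaultdict(int)
    for _, ip, verdict in verdicts:
        if verdict == "LOGDROP":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, ip, verdict in simulate(SAMPLE_ATTEMPTS):
        print(f"t={ts:>4}s  {ip:<14} {verdict}")
    print("dropped per source:", dropped_per_source(simulate(SAMPLE_ATTEMPTS)))
```

Because the `--set` rule runs before the `--hitcount` check, the current attempt is already counted: with `--hitcount 4` the fourth NEW connection inside the window is the first one dropped, and the source stays blocked while it keeps retrying, since every retry adds another stamp. The ordinary user's widely spaced connections never accumulate four stamps and are all accepted.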
Both IOS and ASA firewall have embryonic and per-client max statements.
I would not call this feature rate limiting exactly though :-)
Now since both of those features are stateful they will rely on the amount of (half?) open connections in their connection table rather than (if I remember my iptables) allowing up to 4 hits on this service within 180 seconds with SYN flag set.
So no direct mapping but it gives you the added benefit of not allowing more than one connection from a given host, for example.