cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1728
Views
15
Helpful
5
Replies
Jay47110
Beginner

ASA - Resticting the number to-the-box TCP connections

Hi,

 

I've got an ASA 5516-X and I want to restrict the number of TCP connections to-the-box on the outside interface. I have used MPF to configure the connections limits:

access-list limit-conn-outside extended permit ip any host "ASA outside interface IP"

 

class-map CMAP

match limit-conn-outside

 

policy-map PMAP

class CMAP

set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30 

 

service policy PMAP interface outside

 

However, In the "show service-policy interface outside" I am unable to see the current conn stats. Although the ASA currently has several tcp and udp connections to its outside interface's IP address on port 443, the show command does not display the current number of conns at all. Which makes me think that the service policy is not working somehow.

Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0

 

Is there something I am missing from the config?

1 ACCEPTED SOLUTION

Accepted Solutions

You are right, this can not be blocked. You need to upgrade to something
like firepower to do this with correlation policies or snort rules.

***** please remember to rate useful posts

View solution in original post

5 REPLIES 5
Mohammed al Baqari
VIP Advisor

What you configured is for traffic passing through ASA not to ASA. AFAIK,
you can not limit the number of connections to ASA. You can limit traffic
to ASA using access-group with control-plane keyword at the end.

For routers you can do control plane policing which can help but no such
option in ASA.

***** please remember to rate useful posts.

Thanks, Mohammed, That's really helpful.

So, apart from a control-plane ACL, there is no way to restrict the number of inbound connections to the ASA? My question was based on trying to protect the ASA from DDOS attacks. i.e. A DDOS attack on the webvpn trying to autheticate using bogus credentials from several botnets. So, the idea was to limit the number of inbound connections to the ASA.

Hi,

Unfortunately ASA doesn't have control plane policing as in IOS to protect
from ddos attacks. With regards to authentication attacks, these are
prevented using account lockout policies.

***** please remember to rate useful posts

Thanks again mate.

By account lockout policy do you mean the "aaa local authentication attempts max-fail"? The only issue with this is that it only works with local database and only applied to configured users. Whereas an attacker will be using bogus non-existent user credentials so the ASA cannot really protect against those.

You are right, this can not be blocked. You need to upgrade to something
like firepower to do this with correlation policies or snort rules.

***** please remember to rate useful posts

View solution in original post

Content for Community-Ad