I've got an ASA 5516-X and I want to restrict the number of TCP connections to-the-box on the outside interface. I have used MPF to configure the connection limits:
access-list limit-conn-outside extended permit ip any host "ASA outside interface IP"
set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
service-policy PMAP interface outside
However, in the "show service-policy interface outside" output I am unable to see the current conn stats. Although the ASA currently has several TCP and UDP connections to its outside interface's IP address on port 443, the show command does not display the current number of conns at all, which makes me think that the service policy is not working somehow.
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0
Is there something I am missing from the config?
Thanks, Mohammed, That's really helpful.
So, apart from a control-plane ACL, there is no way to restrict the number of inbound connections to the ASA? My question was based on trying to protect the ASA from DDoS attacks, i.e. a DDoS attack on the WebVPN trying to authenticate using bogus credentials from several botnets. So, the idea was to limit the number of inbound connections to the ASA.
Thanks again mate.
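As an added example for readers of this thread (not part of any of the posts above, and not Mohammed's reply), this is what the control-plane ACL approach mentioned in the reply above looks like on an ASA. The ACL name cp-outside, the outside interface address 198.51.100.10 and the trusted client range 203.0.113.0/24 are assumptions (RFC 5737 documentation addresses). A control-plane ACL filters by source and port, not by connection count, so it only helps when the clients that need the WebVPN listener come from known ranges, which is rarely the case for roaming remote-access users; for the botnet scenario its practical value is that anything not explicitly permitted is dropped before authentication, and the hit counters give the visibility that the MPF policy in the question did not.

```cisco
! Added example: control-plane ACL for to-the-box traffic on the outside interface.
! Assumed values: ACL name cp-outside, outside interface IP 198.51.100.10,
! trusted client range 203.0.113.0/24 (documentation addresses).
!
! Permit the WebVPN/AnyConnect listener (TCP 443 for SSL, UDP 443 for DTLS)
! only from the trusted range. Any other protocol the ASA must accept on this
! interface (management, routing, IKE) has to be permitted here as well,
! otherwise it is dropped by the deny below.
access-list cp-outside extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 443
access-list cp-outside extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 443
!
! Explicit deny with logging so dropped to-the-box attempts appear in syslog
! and in the ACL hit counters.
access-list cp-outside extended deny ip any host 198.51.100.10 log
!
! Apply the ACL to traffic destined to the ASA itself (control plane) on outside.
access-group cp-outside in interface outside control-plane
!
! Check: per-entry hit counts for permitted and denied to-the-box traffic.
! show access-list cp-outside
```

The "show access-list cp-outside" hit counts are the check to run after applying it: the hitcnt on the deny entry tells you how much unwanted to-the-box traffic is being dropped, which is what the "current conns" field in the MPF output was expected to show but did not.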
By account lockout policy do you mean the "aaa local authentication attempts max-fail"? The only issue with this is that it only works with the local database and only applies to configured users, whereas an attacker will be using bogus, non-existent user credentials, so the ASA cannot really protect against those.