ASA - Restricting the number of to-the-box TCP connections

Jay47110
Level 1

Hi,

I've got an ASA 5516-X and I want to restrict the number of TCP connections to-the-box on the outside interface. I have used MPF to configure the connection limits:

access-list limit-conn-outside extended permit ip any host "ASA outside interface IP"

class-map CMAP
 match access-list limit-conn-outside

policy-map PMAP
 class CMAP
  set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30

service-policy PMAP interface outside


However, in the "show service-policy interface outside" output I am unable to see the current conn stats. Although the ASA currently has several TCP and UDP connections to its outside interface's IP address on port 443, the show command does not display the current number of conns at all, which makes me think that the service policy is not working somehow.

Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0

 

Is there something I am missing from the config?

6 Replies

What you configured is for traffic passing through the ASA, not to the ASA. AFAIK,
you cannot limit the number of connections to the ASA. You can limit traffic
to the ASA using access-group with the control-plane keyword at the end.

For routers you can do control plane policing which can help but no such
option in ASA.

***** please remember to rate useful posts.
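The following is an added example, not configuration from the original post or from Cisco, showing the difference Mohammed describes: the poster's service-policy binds a class to through-the-box traffic, whereas an access-group with the control-plane keyword filters traffic addressed to the ASA itself. The interface address 203.0.113.1 and the ACL name OUTSIDE-TO-BOX are constructed placeholders. Note that this reduces which protocols can reach the box; it does not rate-limit or count connections, which is the limitation the reply points out.

```cisco
! Added example (not from the original post). Addresses and names are placeholders.
!
! Permit only what the public-facing service needs to reach the outside
! interface address (here: WebVPN on TCP/443 from anywhere)
access-list OUTSIDE-TO-BOX extended permit tcp any host 203.0.113.1 eq https
!
! Anything else destined to the ASA itself on the outside interface is
! dropped and logged. Add explicit permits above this line for any other
! to-the-box protocol the deployment relies on (IKE, ICMP, SSH, etc.),
! because this deny also covers them.
access-list OUTSIDE-TO-BOX extended deny ip any any log
!
! The control-plane keyword is what makes this apply to to-the-box traffic,
! unlike "service-policy PMAP interface outside", which only sees
! through-the-box flows
access-group OUTSIDE-TO-BOX in interface outside control-plane
!
! Hit counts per ACE show whether the filter is seeing traffic
show access-list OUTSIDE-TO-BOX
```

Apply this from a console or an out-of-band path first: a deny-all control-plane ACL that omits the protocol you are managing the box over will lock you out of the outside interface.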

Thanks, Mohammed. That's really helpful.

So, apart from a control-plane ACL, there is no way to restrict the number of inbound connections to the ASA? My question was based on trying to protect the ASA from DDoS attacks, i.e. a DDoS attack on the WebVPN trying to authenticate using bogus credentials from several botnets. So, the idea was to limit the number of inbound connections to the ASA.

Hi,

Unfortunately the ASA doesn't have control plane policing as in IOS to protect
from DDoS attacks. With regards to authentication attacks, these are
prevented using account lockout policies.

***** please remember to rate useful posts

Thanks again mate.

By account lockout policy do you mean the "aaa local authentication attempts max-fail"? The only issue with this is that it only works with the local database and only applies to configured users. Whereas an attacker will be using bogus non-existent user credentials, so the ASA cannot really protect against those.

You are right, this cannot be blocked. You need to upgrade to something
like Firepower to do this with correlation policies or Snort rules.

***** please remember to rate useful posts

What about the SHUN feature? You should be able to configure this to be able to protect from DDOS attacks. It also has the ability to exempt specific networks (say connections from network monitoring servers) so that they aren't inadvertently blocked. We've recently implemented the feature due to brute force attempts.
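As an added example, not configuration from the original post or from Cisco, the commands below show both forms of shunning on an ASA: a manual shun of one source and the automatic shun driven by scanning threat detection, which carries the exemption list for networks such as monitoring servers. The addresses 198.51.100.25 and 192.0.2.0/24 are constructed placeholders, and it is my assumption that the threat-detection "except" list is the exemption mechanism the reply refers to.

```cisco
! Added example (not from the original post). Addresses are placeholders.
!
! Manual shun: traffic from this source is dropped on the interfaces
! regardless of the interface ACLs, until the shun is removed
shun 198.51.100.25
!
! Automatic shun from scanning threat detection. The "except" entry keeps
! the monitoring network from ever being shunned; "duration" caps how long
! an automatic shun stays in place (seconds)
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
!
! Review what is currently shunned, then release the manual entry
show shun
show threat-detection shun
no shun 198.51.100.25
```

Scanning threat detection keys on scanning behaviour across hosts and ports, not on failed logins, so for the credential-stuffing case in this thread the shun still has to be placed manually or by an external system that watches the authentication logs; the exemption list is what keeps that automation from blocking your own monitoring sources.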
