10-13-2020 12:47 AM
Hi,
I've got an ASA 5516-X and I want to restrict the number of TCP connections to-the-box on the outside interface. I have used MPF to configure the connection limits:
access-list limit-conn-outside extended permit ip any host "ASA outside interface IP"
class-map CMAP
 match access-list limit-conn-outside
policy-map PMAP
 class CMAP
  set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
service-policy PMAP interface outside
However, in the "show service-policy interface outside" output I am unable to see the current conn stats. Although the ASA currently has several TCP and UDP connections to its outside interface's IP address on port 443, the show command does not display the current number of conns at all, which makes me think that the service policy is not working somehow.
Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0
Is there something I am missing from the config?
10-13-2020 09:10 AM
10-13-2020 05:24 AM
10-13-2020 06:13 AM
Thanks, Mohammed, that's really helpful.
So, apart from a control-plane ACL, there is no way to restrict the number of inbound connections to the ASA? My question was based on trying to protect the ASA from DDoS attacks, i.e. a DDoS attack on the WebVPN trying to authenticate using bogus credentials from several botnets. So, the idea was to limit the number of inbound connections to the ASA.
10-13-2020 07:23 AM
10-13-2020 07:34 AM
Thanks again mate.
By account lockout policy do you mean the "aaa local authentication attempts max-fail"? The only issue with this is that it only works with the local database and is only applied to configured users, whereas an attacker will be using bogus, non-existent user credentials, so the ASA cannot really protect against those.
10-13-2020 09:10 AM
06-28-2023 03:04 PM
What about the SHUN feature? You should be able to configure this to be able to protect from DDoS attacks. It also has the ability to exempt specific networks (say connections from network monitoring servers) so that they aren't inadvertently blocked. We've recently implemented the feature due to brute force attempts.
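As an added example (not from any post in this thread and not Cisco's own sample), the three controls the replies mention, in ASA CLI syntax: a control-plane ACL on the outside interface, the local-account lockout threshold, and scanning-threat shun with an exemption for a monitoring network. Note that a control-plane ACL filters to-the-box traffic by source and port; it does not count connections the way "set connection" does for through traffic. The ASA outside IP (203.0.113.10), admin network (198.51.100.0/24) and monitoring network (192.0.2.0/24) are constructed placeholders.

```cisco
! Constructed placeholders: 203.0.113.10 = ASA outside IP,
! 198.51.100.0/24 = trusted admin network, 192.0.2.0/24 = monitoring servers.
!
! 1. Control-plane ACL: WebVPN (443) must stay reachable from any client,
!    but management (SSH) to the box is only accepted from the admin network
!    and all other to-the-box traffic on "outside" is dropped.
access-list CP-OUTSIDE extended permit tcp any host 203.0.113.10 eq https
access-list CP-OUTSIDE extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq ssh
access-list CP-OUTSIDE extended deny ip any host 203.0.113.10
access-group CP-OUTSIDE in interface outside control-plane
!
! 2. Lock a local account after 5 consecutive failures. As noted in the
!    thread, this only covers accounts that exist in the local database.
aaa local authentication attempts max-fail 5
!
! 3. Threat detection: shun sources that trip the scanning-threat
!    thresholds for one hour, never shunning the monitoring servers.
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
!
! Verification: hit counts on the control-plane ACL, active shuns,
! and any locked local accounts.
show access-list CP-OUTSIDE
show threat-detection shun
show aaa local user lockout
```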