Contributor

embryonic connections

Hi,

I'm looking for solid examples of how to implement limiting embryonic connections and/or other possible denial-of-service types of traffic such as half-closed, both through the firewall and to the firewall. I'm also looking for an example of how to use tcp dead connection detection.

We have a client who has had a router brought to its knees by this method and we are going to replace it with an ASA. Given the history, I'd like to not use the defaults and use more aggressive settings. For example, an embryonic connection minimum is 5 seconds and the default is 30 seconds.

Any solid examples will be most appreciated. Thanks.

Accepted Solutions
Cisco Employee

Re: embryonic connections

Example to limit connections and set half-closed timeout:

policy-map per-client
class per-client-class
  set connection conn-max 80 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 2
  set connection timeout half-closed 0:5:0 embryonic 0:0:6
!
ASA# sh run class-map per-client-class
!
class-map per-client-class
match access-list per-client
!
ASA# sh run access-l per-client
access-list per-client extended permit ip host 192.168.2.3 any
access-list per-client extended permit ip host 192.168.2.2 any
!
ASA# sh run service-policy
!
service-policy per-client int inside

Refer here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

-KS

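An added configuration example (not from KS's post or the Cisco documentation) that extends the accepted answer toward what the original question asked for: embryonic limits on inbound traffic to a protected server, the shortened timeouts, and dead connection detection. The interface name, the ACL/class/policy names, the 192.0.2.10 address and the limit values are assumptions; check the keywords against the ASA 8.2 command reference before deploying.

```cisco
! Added example, not from the thread. ASA 8.2 MPF policy that caps half-open
! (embryonic) TCP connections toward one published server, shortens the
! embryonic and half-closed timeouts, and enables Dead Connection Detection.
! 192.0.2.10, "outside" and the syn-protect-* names are assumptions.
!
! 1. Identify the traffic to protect: inbound TCP toward the server.
access-list syn-protect-acl extended permit tcp any host 192.0.2.10
!
class-map syn-protect-class
 match access-list syn-protect-acl
!
! 2. Connection limits. Once embryonic-conn-max is reached the ASA completes
!    the three-way handshake itself (TCP intercept), so spoofed SYNs never
!    reach the server. per-client-embryonic-max caps what any single source
!    address may hold half-open at one time.
policy-map syn-protect-policy
 class syn-protect-class
  set connection conn-max 1000 embryonic-conn-max 100 per-client-max 50 per-client-embryonic-max 5
  ! 3. Timeouts are hh:mm:ss. Embryonic minimum is 0:0:5, half-closed minimum
  !    is 0:5:0 on 8.2. With dcd, when the tcp idle timeout expires the ASA
  !    probes both endpoints every 15 s, up to 5 times; if they answer, the
  !    connection is kept and the idle timer restarts instead of dropping it.
  set connection timeout embryonic 0:0:5 half-closed 0:5:0 tcp 0:30:0 dcd 0:0:15 5
!
! 4. Apply inbound on the interface facing the untrusted network
!    (only one service policy may be attached per interface).
service-policy syn-protect-policy interface outside
!
! 5. Threat detection (see the configuration-guide links later in the thread):
!    basic rate statistics on attacks, and shunning of hosts that scan ports.
threat-detection basic-threat
threat-detection scanning-threat shun
!
! 6. Verify: per-class connection and embryonic counters, and threat stats.
! ASA# show service-policy interface outside
! ASA# show conn count
! ASA# show threat-detection statistics host
```

The per-client numbers above are deliberately tight for a host that has already been taken down by half-open floods; busy legitimate clients behind a NAT may need higher per-client values.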
Cisco Employee

Re: embryonic connections

These are just timeout values for different types of connections "through" the firewall.

Example:

After the default 1 hour timeout of a TCP connection, the 3 hour xlate timeout will kick in and after the total 4 hours, it will be removed from the table.

You can read more here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

-KS

5 REPLIES

Contributor

Re: embryonic connections

Very good, thank you!

I was also referred to these links by another party, for anyone else interested in this topic:

Threat-detection:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Configuring Connection Limits and Timeouts:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

Preventing network attacks:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html

Contributor

Re: embryonic connections

What do these default statements do--protect the firewall or protect connections through the firewall?

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

Contributor

Re: embryonic connections

Thanks for the explanation and the link.