01-18-2011 03:12 PM - edited 03-11-2019 12:36 PM
Hi,
I'm looking for solid examples of how to implement limiting embryonic connections and/or other possible denial-of-service types of traffic such as half-closed, both through the firewall and to the firewall. I'm also looking for an example of how to use tcp dead connection detection.
We have a client who has had a router brought to its knees by this method and we are going to replace it with an ASA. Given the history, I'd like to not use the defaults and use more aggressive settings. For example, an embryonic connection minimum is 5 seconds and the default is 30 seconds.
Any solid examples will be most appreciated. Thanks.
01-18-2011 06:09 PM
Example to limit connections and set half-closed timeout:
policy-map per-client
class per-client-class
set connection conn-max 80 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 2
set connection timeout half-closed 0:5:0 embryonic 0:0:6
!
ASA# sh run class-map per-client-class
!
class-map per-client-class
match access-list per-client
!
ASA# sh run access-l per-client
access-list per-client extended permit ip host 192.168.2.3 any
access-list per-client extended permit ip host 192.168.2.2 any
ASA# sh run service-policy
service-policy per-client int inside
Refer here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045
-KS
01-18-2011 07:38 PM
Very good, thank you!
I was also referred to these links by another party, for anyone else interested in this topic:
Threat-detection:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html
Configuring Connection Limits and Timeouts:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html
Preventing Network Attacks:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_protect.html
02-03-2011 07:00 AM
What do these default statements do--protect the firewall or protect connections through the firewall?
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
02-03-2011 09:18 AM
These are just timeout values for different types of connections "through" the firewall.
Example:
After the default 1-hour timeout of a TCP connection, the 3-hour xlate timeout will kick in, and after the total 4 hours it will be removed from the table.
You can read more here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870
-KS
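Pulling the pieces of this thread together into one worked configuration: the per-class connection limits and embryonic/half-closed timeouts from KS's first answer, the global `timeout` values discussed just above, and the TCP dead connection detection (DCD) the original question asked about. This is an added example, not KS's config and not text from the Cisco documentation. The names web-servers, web-servers-class and protect-servers, the interface name outside and the 172.16.10.0/24 server subnet are assumptions, and the syntax is the ASA 8.2 form (`set connection timeout ...`) documented in the command reference linked in the answers above.

```cisco
! Added example, not from the thread: aggressive connection limits, timeouts and
! TCP dead connection detection for traffic through an ASA running 8.2.
! Names (web-servers, web-servers-class, protect-servers, interface outside)
! and the 172.16.10.0/24 subnet are hypothetical/constructed.
!
! Global idle timeouts apply to every connection through the box (these are the
! values the question about "timeout conn ..." refers to). Shorten the TCP idle
! timeout from the 1-hour default for everything; per-class settings below override it.
timeout conn 0:45:00
!
! Traffic that gets the stricter per-class settings: TCP to the protected server subnet.
access-list web-servers extended permit tcp any 172.16.10.0 255.255.255.0
!
class-map web-servers-class
 match access-list web-servers
!
policy-map protect-servers
 class web-servers-class
  ! Cap total and half-open (embryonic) connections for the class and per client.
  ! Once embryonic-conn-max is reached the ASA completes the TCP handshake on the
  ! server's behalf (TCP Intercept), so a SYN flood is absorbed by the firewall
  ! rather than filling the server's backlog.
  set connection conn-max 2000 embryonic-conn-max 200 per-client-max 50 per-client-embryonic-max 5
  ! embryonic 0:0:5   : half-open connections dropped after 5 s (the 8.2 minimum; default 0:0:30)
  ! half-closed 0:5:0 : one-sided FIN connections dropped after 5 min (the 8.2 minimum; default 0:10:00)
  ! tcp 0:30:00 reset : idle established connections dropped after 30 min, with a RST
  !                     sent to both ends so the hosts clean up their sockets too
  ! dcd 0:0:10 3      : before an idle connection is dropped, probe both endpoints every
  !                     10 s, up to 3 times; if both still answer the connection is kept
  !                     and its idle timer reset, if either fails to answer it is removed
  set connection timeout embryonic 0:0:5 half-closed 0:5:0 tcp 0:30:00 reset dcd 0:0:10 3
!
! Apply the policy where the untrusted traffic arrives.
service-policy protect-servers interface outside
!
! Basic threat detection (on by default) logs rate-based events such as SYN attacks
! and connection-limit drops; scanning-threat with shun blocks a host the ASA classifies
! as a scanner for 10 minutes. This complements, not replaces, the per-class limits.
threat-detection basic-threat
threat-detection scanning-threat shun duration 600
```

The per-class `set connection` limits and timeouts are enforced on the traffic matched by the class map, while the global `timeout` commands and threat detection apply to all traffic through the firewall, which is the distinction KS draws above. After applying, `show conn detail` and `show service-policy` show the per-class counters, and `show threat-detection rate` shows whether the rate-based thresholds are being hit.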
02-03-2011 09:43 AM
Thanks for the explanation and the link.