Can Firepower limit concurrent sessions or not?

jewfcb001
Level 4

Hi All, 

Can a Cisco Firepower running the ASA image limit concurrent sessions or not?

Limit by policy/IP/protocol?

I tried to find a document but did not find one.


Please help me.

8 Replies

Yes you can do that. And as always there are multiple options. Start with looking into VPN-Filters as they are likely to fit your needs:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-setup.html

@Karsten Iwen thank you for your answer. Can you share a document with me? For VPN-Filters, do you mean it can limit sessions on a VPN session?

There are examples in the config guide. The VPN-Filter is an ACL that gets attached to a group-policy. Only traffic permitted in the ACL is allowed for the VPN client.

Here is an example where the sales group is only allowed DNS to .53 and HTTPS to .80:

! Only traffic matched by these two lines is allowed for the VPN client;
! the implicit deny at the end of the ACL drops everything else.
access-list VPN-FILTER-SALES extended permit udp any host 10.10.10.53 eq domain
access-list VPN-FILTER-SALES extended permit tcp any host 10.10.10.80 eq https
!
! Attach the filter to the group-policy used by the sales users.
group-policy VPN-SALES internal
group-policy VPN-SALES attributes
  vpn-filter value VPN-FILTER-SALES


I'm still confused. How can this configuration limit concurrent sessions by policy/IP/protocol?

My understanding is that limiting concurrent sessions means limiting the number of concurrent sessions. If my understanding is not correct, please let me know.


Perhaps I did not get what you exactly want. The VPN-filter limits which IPs/protocols/ports can be used in that VPN session. Can you describe in more detail what you want to achieve?

@Karsten Iwen 

I mean, can Firepower limit concurrent sessions or not? Referring to the datasheet example, a Firepower 4110 can handle 10 million concurrent firewall connections, but we need to limit concurrent sessions by policy/IP/protocol, not by ACL configuration. Can Firepower do it, and if it can,

can Firepower alert or send an alarm when the concurrent sessions reach the limit?


Thank you for help

Ok, now I understand what you want. Yes, this can also be done. But the config is based on the Modular Policy Framework (MPF), and it will be quite some work to implement it for different IPs and/or protocols:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/firewall/asa-914-firewall-config/conns-connlimits.html

For the alarms, you would typically write some log-checking rules on your syslog server.
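As an added illustration of the MPF approach described in the reply above (this is example configuration written for this page, not taken from the thread or from Cisco's guide), the fragment below limits concurrent connections from one client range to one server and forwards the resulting syslogs to a collector. All names, addresses and limit values are assumptions chosen for illustration; adjust them to your own topology.

```cisco
! Added example (not from the thread): limit concurrent TCP connections
! from the assumed client range 10.1.0.0/16 toward the assumed web server
! 10.10.10.80 using the Modular Policy Framework (MPF).
!
! 1. Classify the traffic to limit with an ACL (IP + protocol + port).
access-list CONN-LIMIT-WEB extended permit tcp 10.1.0.0 255.255.0.0 host 10.10.10.80 eq https
!
! 2. Reference that ACL from a class-map.
class-map CONN-LIMIT-WEB-CLASS
  match access-list CONN-LIMIT-WEB
!
! 3. Attach connection limits to the class in a policy-map.
!    conn-max                 : total concurrent connections for the whole class
!    embryonic-conn-max       : half-open (SYN-only) TCP connections for the class
!    per-client-max           : concurrent connections allowed per client IP
!    per-client-embryonic-max : half-open connections allowed per client IP
policy-map CONN-LIMIT-POLICY
  class CONN-LIMIT-WEB-CLASS
    set connection conn-max 5000 embryonic-conn-max 1000 per-client-max 50 per-client-embryonic-max 10
!
! 4. Apply the policy on the interface facing the clients. Only one
!    service-policy can be applied per interface, so if that interface
!    already has one, add the class to the existing policy-map instead.
service-policy CONN-LIMIT-POLICY interface inside
!
! 5. Send the limit-exceeded syslogs to a collector (assumed 10.10.10.100)
!    so the alarm can be raised there.
logging enable
logging host inside 10.10.10.100
logging trap warnings
```

Each additional IP/protocol combination needs its own ACL line or its own class with its own `set connection` values, which is the "quite some work" the reply refers to. When a limit is hit the ASA drops the new connection and emits a severity-3 syslog (to my recollection message IDs 201011 for the class limit and 201013 for the per-client limit; check the syslog message guide for your release), so `logging trap warnings` or a more verbose level is needed for the collector to see it. The range of `conn-max` is a property of the software, so check the command reference for the release you run rather than the platform datasheet.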

Thank you for your answer.

I tried to understand from your URL. My understanding is that the concurrent session limit can be done under the policy map/global policy, configured together with an ACL, and that the maximum connections are set with the command `set connection conn-max` under the policy-map. But the value can be configured between 0 and 2000000, so if Firepower can handle more than 2 million sessions, can the value be changed to more than 2 million or not?


Please advise me. 
