Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1029
Views
0
Helpful
1
Replies

How to reset/restrict external IP connections to internal network?

seihoo.wong
Level 1
Level 1

‎09-19-2012 09:45 AM - edited ‎03-11-2019 04:56 PM

Hi All,

I need some advise/suggestion here as we ran into some hardtime when the application unable to respond to ALL the external IP request.

Connection table (sh conn)

TCP outside 100.100.100.100:47898 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47892 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47889 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47888 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47885 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47878 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47874 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47870 servers 192.168.168.1:443, idle 0:01:33, bytes 0, flags UFRB

TCP outside 100.100.100.100:47853 servers 192.168.168.1:443, idle 0:01:34, bytes 0, flags UFRB

TCP outside 100.100.100.100:47847 servers 192.168.168.1:443, idle 0:01:34, bytes 0, flags UFRB

Scenario:

(192.168.168.1 is our application server and it's static natted to a public IP)

External IP customer will be initiating tcp connection FROM 100.100.100.100 to our server 192.168.168.1:443, but the problem start when the application CANNOT cope the numbers of request from the source IP 100.100.100.100 but it the application start slowing down (just like DDOS), but 100.100.100.100 DO NOT KNOW 192.168.168.1 ran into problem and the connection KEEP ON coming in..... and the server which hosted the application is UP and responding to the tcp handshake initiated by 100.100.100.100 (I think this is the problem as we cannot use "

per-client-embryonic-max" since this is NOT emcrynic connection behaviour.

but we NEED to stop and flush these connection (all these connection carrying zero bytes data fur UFRB status). so, any one can sheed me some light?

I'm running 5550 with 8.0 code

Labels:
0 Helpful
1 Reply 1

Luis Silva Benavides
Cisco Employee
Cisco Employee

‎09-27-2012 07:50 AM

Hi,

If your question is how can I limmit the ammount of sessions that can be esblished through the ASA to an internal server?

We have 2 options:

1. With static NAT:

static (inside,outside) 192.168.10.1 192.168.10.1 tcp

2. MPF

set connection per-client-max 

or

set connection  conn-max  

You can also combine both per-client-max and conn-max.

I hope this helps

Luis

Luis Silva
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card