05-21-2012 05:16 AM - edited 03-11-2019 04:09 PM
Hi, I would like to avoid big downloads, so I want to set a maximum download file size. How can I set a limit in MB per connection on the ASA?
Thanks
05-21-2012 10:06 AM
Hello Jmprats,
Being honest with you, I know we can configure timeouts for particular connections or the maximum amount of connections per host.
We can also configure the maximum bandwidth that a particular traffic pattern can have, but I am almost sure there is no option to limit a connection based on the download size of a connection (ASA speaking).
Regards,
Julio
05-22-2012 03:18 AM
So, I suppose I will have to work with connection timeouts. Can I set different timeouts for different source IP addresses?
05-22-2012 09:46 AM
Hello,
Yes, you will be able to do that using the Modular Policy Framework (MPF)
access-list test permit tcp host x.x.x.x host y.y.y.y eq 80
class-map test
match access-list test
policy-map global_policy
class test
set connection timeout x.x.
Regards,
Julio
03-06-2013 09:54 AM
Is it possible to set connection timeout in the newer versions (i.e. 8.4, 9.1)? Not idle or TCP embryonic or something, but a timeout for regular legitimate connections, just as in the example in the previous post. In newer versions I don't see such an option. Any clue?
03-06-2013 10:02 AM
Are we talking about a "timeout" for normal and working connections?
The function of the current timeouts is to free resources on the unit and provide protection.
03-06-2013 10:16 AM
I'm not sure you answered my question. Look at the previous post by jcarvaja. See the commands? (Particularly
set connection timeout x.x.) Is there a way to achieve this in newer versions? I.e. not set connection timeout idle/half-open/embryonic, but just set connection timeout without any other keywords.
03-06-2013 10:19 AM
Hello Andrew,
I got your question, but I think we might be confused here. I did not specify something after the timeout, but when you configure it you will see you have the same options.
Here are the configuration options on 8.2.5:
ciscoasa(config-pmap-c)# set connection timeout ?
mpf-policy-map-class mode commands/options:
dcd Configure dead-connection-detection retry interval.
embryonic Configure absolute time after which an embryonic TCP connection
will be closed, default is 0:00:30.
half-closed Configure idle time after which a TCP half-closed connection
will be freed, default is 0:10:00
idle Configure idle time after which a connection state will be
closed.
Now on an ASA running 8.4.4(9):
WPLG-ASA-1(config-pmap-c)# set connection timeout ?
mpf-policy-map-class mode commands/options:
dcd Configure dead-connection-detection retry interval.
embryonic Configure absolute time after which an embryonic TCP connection
will be closed, default is 0:00:30.
half-closed Configure idle time after which a TCP half-closed connection
will be freed, default is 0:10:00
idle Configure idle time after which a connection state will be
closed.
So as you can see, same options, no change at all.
Hope that I could help.
Remember to rate all of the helpful posts
03-06-2013 10:40 AM
I always thought that it was possible to generally limit the connection timeout for a specific set of traffic, but, as it turned out, it can't be done. Interesting.
03-06-2013 11:33 AM
Hello Andrew,
Yeah.
Regards
03-12-2013 04:39 AM
And back to the original question. Is there any way to monitor who is uploading or downloading?
I can monitor connection MBytes, but I cannot see which direction they are (upload or download).
Thanks
03-16-2013 01:37 PM
Hello,
Why don't you use NetFlow on the ASA?
Of course you will need software to be able to understand the NetFlow traffic from the ASA (records and templates). I would even recommend you to go with the PRTG software, a beauty that is free (just for 1 to 10 devices), and it will show you that stuff.
Go ahead and get PRTG and enable SNMP on the ASA.
Cheers mate
Julio Carvajal Segura
Remember to rate all of the helpful posts
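Putting the thread's two answers together, here is an added example of a complete ASA configuration (not from any post above): a per-host idle timeout applied through MPF, since "set connection timeout" always needs a keyword such as idle, plus NSEL export so a collector can show bytes per direction. Interface names, ACL/class names and all addresses (192.0.2.x, port 2055) are placeholders I chose.

```text
! Hosts that should get the tighter timeout (placeholder addresses)
access-list LIMITED_HOSTS extended permit tcp host 192.0.2.10 any eq 80
access-list LIMITED_HOSTS extended permit tcp host 192.0.2.11 any eq 80
!
class-map LIMITED_HOSTS
 match access-list LIMITED_HOSTS
!
policy-map global_policy
 class LIMITED_HOSTS
  ! Closes an established connection once it stops passing traffic for 5 minutes.
  ! There is no keyword-less "absolute lifetime" timeout for established flows;
  ! idle, embryonic, half-closed and dcd are the only choices on 8.2 through 9.x.
  set connection timeout idle 0:05:00
  ! Caps how many simultaneous connections each of these hosts may open.
  set connection per-client-max 20
!
service-policy global_policy global
!
! NetFlow Secure Event Logging: the collector (placeholder 192.0.2.50) receives
! flow-create/teardown records with byte counts for each direction.
flow-export destination inside 192.0.2.50 2055
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.0.2.50
!
! Check which class a given flow hits and which actions apply to it:
! show service-policy flow tcp host 192.0.2.10 host 198.51.100.5 eq 80
```

The hosts not listed in the ACL keep the default idle timeout from the global class-default, so only the named sources are affected.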
03-18-2013 12:53 AM
Thanks, OK, I will try.
03-18-2013 09:36 AM
Hey, my pleasure.