limit # of connection on PIX

alian-sam
Level 1
Level 1

Is there a way on a PIX firewall to limit the # of connections per IP address (private IP address)?

Once I had an infected laptop with a worm (W32.Blaster kind) that was scanning IP addresses and sending a huge number of connections to the firewall; the firewall's connections were all consumed and no one was able to get out for internet access (DoS attack).

Is there a way to solve this problem? I was thinking that if the PIX firewall has that feature, we could limit the # of connections for each internal IP address.

Thanks


vkapoor5
Level 5
Level 5

On a Cisco router, the CBAC or TCP intercept feature can prevent this kind of attack. I am sure the PIX also has some kind of protection against these kinds of attacks. The "embryonic limit" option in the static command defines how many connections each IP address can have. More information can be found in the PIX configuration guide.

cmezzatesta
Level 1
Level 1

I had the same problem.

Did you find a solution?

Graziano

In the static and nat commands there are arguments which can limit the number of connections (both established and embryonic).

Example:

static (outside,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 1000 50

When using the max connections with a nat command, it will apply to the entire address space using the nat group. The embryonic connections will apply per host. Those exceeding the number of embryonic connections will be handled by TCP intercept.
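To make the scope of the two limits concrete, here is an added configuration example that is not from any post in this thread and not a Cisco sample. All addresses, NAT ids and limit values are constructed; the first part follows the PIX 6.x nat/static form the replies describe, and the second part shows the per-client connection limits that later PIX 7.x / ASA software added through the Modular Policy Framework (an assumption about which release supports that keyword, so check the configuration guide for your version).

```text
! --- Part 1: PIX 6.x style nat/static limits (constructed example) ---
!
! Inside hosts 192.168.10.0/24 leave through PAT on the outside interface.
! nat <max_conns> (1000) caps the TOTAL connections for the whole NAT group,
! shared by every host in the /24. nat <emb_limit> (25) caps half-open
! (embryonic) TCP connections PER inside host; above that, the PIX proxies
! the TCP handshake (TCP intercept) so a SYN-scanning worm cannot fill the
! connection table with half-open entries.
nat (inside) 1 192.168.10.0 255.255.255.0 1000 25
global (outside) 1 interface
!
! A published server gets its own limits: at most 500 connections and
! 50 embryonic connections to the real host 192.168.10.50.
static (inside,outside) 203.0.113.10 192.168.10.50 netmask 255.255.255.255 500 50
!
! What to look at when one host misbehaves: per-host connection counters
! (with the configured limits) and the embryonic vs. established totals.
show local-host 192.168.10.77
show conn count
!
! --- Part 2: per-client limits on later PIX 7.x / ASA software (assumption) ---
!
! This is the direct answer to "limit the # of connections for each internal
! IP": per-client-max caps ALL connections per inside host, not per NAT group,
! and per-client-embryonic-max caps half-open connections per host.
access-list INSIDE_HOSTS extended permit ip 192.168.10.0 255.255.255.0 any
class-map INSIDE_HOSTS
 match access-list INSIDE_HOSTS
policy-map global_policy
 class INSIDE_HOSTS
  set connection per-client-max 200 per-client-embryonic-max 25
service-policy global_policy global
```

The point to keep in mind when choosing values: the nat-based limit in Part 1 protects the firewall's connection table but a single host can still starve its neighbours up to the group total, whereas the per-client limits in Part 2 isolate one infected machine without affecting the rest of the subnet. Set the embryonic limit well above the half-open count a normal client ever reaches (web browsers open a handful at a time) so legitimate users are never intercepted.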
