Limit the number of new connection/sec?

jalm · ‎11-23-2006

Hello,

i have a pix 525 with several vlans. Some are public, others are private (NAT) networks. I'm having problems with my ISP dropping the connection because some of my clients are opening too much new connections/sec. Can the PIX throttle this connections? Or just set a max limit for connection to the outside per client? I don't want to set any kind of limit in the local connections. The PIX is in routed mode and is the center of the network (the network is some kind of a star), so all the routing is done on the PIX.

Thanks for any kind of help,

Regards.

a.kiprawih · ‎11-23-2006

You can limit the max connection from host or subnet in you nat (pair with global) config, as follow:

nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

The 'tcp tcp_max_conns' or 'udp tcp_max_conns' will set the maximum number of simultaneous TCP connections for the entire subnet.

hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0 1000 0

where 1000 is the max tcp/udp connection can be initiated from 10.1.10 to internet

Refer to the following link for more detail:

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0f7.html#wp1652607

HTH

AK

jalm · ‎11-29-2006

Doesn't that config limit the connection for all the subnet? If i limit the connections to 1000, and i have 10 clients, with that config is possible to 1 client have 900conns and all the others just 100. Or am i wrong?