08-06-2008 08:59 PM - edited 03-11-2019 06:27 AM
Hi,
In MPF, how many service policies can I configure per interface? Please find the configuration in my ASA..
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map IM_BLOCK
class imblock
inspect im impolicy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside
I want to add one more modular policy to prevent a TCP SYN attack. Please find the configuration..
#class-map tcp_syn
#match port tcp eq 80
#exit
#policy-map tcpmap
#class tcp_syn
#set connection conn-max 100
#set connection embryonic-conn-max 200
#set connection per-client-embryonic-max 10
#set connection per-client-max 5
#set connection timeout embryonic 0:0:45
#set connection timeout half-closed 0:25:0
#set connection timeout tcp 2:0:0
#exit
#service-policy tcpmap global
** Shall I add the above configuration to my ASA? How many service policies can I assign on the global interface?
08-06-2008 09:23 PM
Hi,
You can apply only one Global policy, which will do inspection on all interfaces.
You can either modify the global policy or create your own policy and apply globally or to one or more interfaces.
08-06-2008 09:35 PM
Thanks!!
Can I do like this..
Configure a separate class-map (tcp_syn) and add it under the policy-map global_policy (default).
class-map tcp_syn
match port tcp eq 80
policy-map global_policy
class tcp_syn
set connection conn-max 100
set connection embryonic-conn-max 200
set connection per-client-max 5
set connection timeout embryonic 0:0:45
set connection timeout tcp 2:0:0
service-policy tcpmap global
Please assist..
08-06-2008 09:41 PM
You can have one global policy
and one policy per interface.
The interface policy overrides the global one if overlapped.
In your question the config is ok,
but I see you put your config under the default global policy.
Why are you applying another one??
Once you put the config under global_policy, which is the default one, it will be automatically applied globally.
Good luck.
Please rate if helpful.
08-06-2008 09:52 PM
Yes you can add new class-map.
But don't add this "service-policy tcpmap global"
You can have only one policy in the global.
service-policy global_policy global
08-06-2008 10:07 PM
Please find my configuration...
Lines starting with * are newly added.
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
*class-map tcp_syn
*match port tcp eq 80
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map IM_BLOCK
class imblock
inspect im impolicy
policy-map global_policy
class inspection_default
*class-map tcp_syn
*set connection conn-max 100
*set connection embryonic-conn-max 200
*set connection per-client-embryonic-max 10
*set connection per-client-max 5
*set connection random-sequence-number enable
*set connection timeout embryonic 0:0:45
*set connection timeout half-closed 0:25:0
*set connection timeout tcp 2:0:0
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside
Is it ok??
08-06-2008 10:35 PM
Sounds good,
I mean the application of the policies.
Good luck.
08-06-2008 10:36 PM
This seems ok.
Just for confirmation can you post the last part of the running-config
- starting from " policy-map global_policy"
till the statement "service-policy IM_BLOCK interface outside "
08-06-2008 10:47 PM
My current MPF configuration..
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map IM_BLOCK
class imblock
inspect im impolicy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside
I want to add (*) these lines..
*class-map tcp_syn
*match port tcp eq 80
policy-map global_policy
class inspection_default
*class-map tcp_syn
*set connection conn-max 300
*set connection embryonic-conn-max 400
*set connection per-client-embryonic-max 10
*set connection per-client-max 15
*set connection random-sequence-number enable
*set connection timeout embryonic 0:0:45
*set connection timeout half-closed 0:25:0
*set connection timeout tcp 2:0:0
08-06-2008 11:05 PM
Hi Somnath,
Do it like this..
myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# exit
myPIX(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcp_syn
pixfirewall(config-pmap-c)# set connection conn-max 100
..... and so on....
08-06-2008 11:17 PM
Hi,
One more help: if I configure it like the above, it will be applicable only for port 80.
I want to apply the connection limit to all traffic.
Is the below configuration ok or not?
myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match any
myPIX(config-cmap)# exit
policy-map global_policy
class inspection_default
*class-map tcp_syn
*set connection conn-max 700
*set connection embryonic-conn-max 1200
*set connection per-client-embryonic-max 20
*set connection per-client-max 10
*set connection random-sequence-number enable
*set connection timeout embryonic 0:0:45
*set connection timeout half-closed 0:25:0
*set connection timeout tcp 2:0:0
Are the parameters mentioned above, like
conn-max 700,
embryonic-conn-max 1200,
per-client-embryonic-max 20,
per-client-max 10
ok or not?
08-06-2008 11:35 PM
Only a small change....
policy-map global_policy
class tcp_syn
set connection conn-max 700
..... and so on.
If you do it as per below, your purpose is not solved.
policy-map global_policy
class inspection_default
class-map tcp_syn
set connection conn-max 700
.......
08-06-2008 11:58 PM
I want to configure that one to prevent a DoS attack (TCP SYN).
Is it possible by limiting port 80 traffic, or do I have to go for any?
08-07-2008 12:21 AM
Yes, do match any.
08-07-2008 12:25 AM
Thanks! I got it.
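The correction above (the class is referenced with `class`, not `class-map`, inside `policy-map global_policy`, and there is exactly one global service policy) carried through to a complete MPF configuration, as an added example that is not from the original thread. It assumes a web server at 192.0.2.10 (a documentation address) reached through the outside interface; everything else is taken from the poster's running-config. It keys the new class on an access list instead of `match any`, because with `match any` the per-client limits also cap every inside host at 10 open connections through the firewall, whereas the SYN-flood protection is only needed on traffic to the server being defended. The numeric limits are the ones from the thread and are only placeholders.

```cisco
! Added example, not from the original thread. 192.0.2.10 is an assumed server.
access-list WEB_SERVER extended permit tcp any host 192.0.2.10 eq www
!
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
! Limits apply only to flows that match this ACL, not to all traffic.
class-map tcp_syn
 match access-list WEB_SERVER
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
 ! "class" references the class-map defined above; "class-map" is not valid here.
 class tcp_syn
  ! Ceilings for the server as a whole (thread's values, size to real peak load).
  set connection conn-max 700 embryonic-conn-max 1200
  ! Ceilings per source address: one flooding client is cut off before the pool fills.
  set connection per-client-max 10 per-client-embryonic-max 20
  set connection random-sequence-number enable
  ! Half-open connections are dropped after 45 seconds.
  set connection timeout embryonic 0:00:45
  set connection timeout half-closed 0:25:00
  set connection timeout tcp 2:00:00
!
! One global policy, and at most one policy per interface.
service-policy global_policy global
service-policy IM_BLOCK interface outside
```

Once `embryonic-conn-max` is reached the ASA answers new SYNs itself (TCP intercept) and only opens the connection to the server after the client completes the handshake, so spoofed-source SYN floods stop at the firewall. Verify that the class is actually hit with `show service-policy global` (the per-class counters should increment under load) and check current embryonic counts with `show conn`. Size `conn-max` from the server's observed peak before enabling it: a ceiling set below normal load is itself a denial of service for legitimate clients. On later ASA releases the last timeout is spelled `idle` rather than `tcp`.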