10-12-2020 02:55 AM - edited 10-12-2020 06:14 AM
Hi,
I have an ASA 5516-X used to provide a remote access VPN solution to clients. Since the outside interface is webvpn enabled I am trying to avoid DDOS attacks to the outside IP by restricting the number of tcp connection attempts to-the-box. I have used mpf to implement the following:
access-list limit-conn-outside extended permit ip any host (ASA outside interface IP)
class-map CMAP
match access-list limit-conn-outside
policy-map PMAP
class CMAP
set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
service-policy PMAP interface outside
However, in the "show service-policy interface outside" output I am unable to see the current conn stats. Although the ASA currently has several webvpn connections to its outside IP address on port 443, the show command does not display the current number of conns at all, which makes me think that the service policy is not working somehow.
Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0
Is there something I am missing from the config?
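As an added example (not from the original post or from Cisco), a small parser for the "show service-policy interface outside" output quoted above. It pulls the configured limits and the live counters out of the text and flags a class whose counters stay at zero while VPN sessions are up, which is exactly the symptom described: on the ASA the MPF set-connection limits only count through-the-box flows, so a class aimed at to-the-box traffic never accumulates conns. The sample output and the session count are constructed for the demo.

```python
import re

# Constructed sample, copied from the shape of the output in the thread.
SAMPLE_OUTPUT = """\
Interface outside:
  Service-policy: PMAP
    Class-map: CMAP
      Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
        current embryonic conns 0, current conns 0, drop 0
"""

CLASS_RE = re.compile(r"Class-map: (\S+)")
POLICY_RE = re.compile(r"Set connection policy:(?P<limits>.*)")
LIMIT_RE = re.compile(r"(\S+-max) (\d+)")
STATS_RE = re.compile(r"current embryonic conns (\d+), current conns (\d+), drop (\d+)")


def parse_service_policy(text):
    """Return {class_name: {"limits": {...}, "embryonic": n, "conns": n, "drops": n}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"limits": {}, "embryonic": None, "conns": None, "drops": None}
            continue
        if current is None:
            continue
        m = POLICY_RE.search(line)
        if m:
            # e.g. {"conn-max": 600, "per-client-max": 20, ...}
            result[current]["limits"] = {k: int(v) for k, v in LIMIT_RE.findall(m.group("limits"))}
            continue
        m = STATS_RE.search(line)
        if m:
            emb, conns, drops = (int(x) for x in m.groups())
            result[current].update(embryonic=emb, conns=conns, drops=drops)
    return result


def diagnose(stats, active_sessions):
    """Flag classes that count nothing while sessions exist (policy not matching the
    traffic it was written for) and classes that have hit their conn-max."""
    findings = []
    for name, s in stats.items():
        if active_sessions > 0 and s["conns"] == 0 and s["embryonic"] == 0:
            findings.append(f"{name}: 0 flows counted although {active_sessions} sessions are up")
        elif s["limits"].get("conn-max") is not None and s["conns"] >= s["limits"]["conn-max"]:
            findings.append(f"{name}: conn-max {s['limits']['conn-max']} reached")
    return findings
```

Run `diagnose(parse_service_policy(SAMPLE_OUTPUT), 5)` with the number of sessions from "show vpn-sessiondb" to get the same "policy is not seeing the traffic" verdict the thread reaches.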
10-14-2020 05:10 AM
Update: Cisco ASA does not offer CPP (Control plane policing) therefore DDOS protection cannot be configured using the MPF method shown in the OP. That method is used to protect traffic traversing through the ASA and not to the ASA.
Thanks to Mohammed al Baqari for the insight.
10-12-2020 03:08 AM
As this match happens after NAT has taken place you need to specify the internal IPs or subnet in the ACL.
10-12-2020 03:51 AM
Hi Marius,
I'm trying to restrict inbound connections from external IPs to the ASA's outside interface IP. As the ASA is designated for remote access VPNs, no NAT is configured on it.
10-12-2020 03:55 AM
So you are trying to limit the number of remote access VPN users that connect to the ASA?
10-12-2020 04:49 AM - edited 10-12-2020 06:16 AM
Not really the number of users, as that is dictated by the licence, but the number of active connections to-the-box. From what I've researched, a successful remote access VPN connection will only create 2 connections, i.e. 1x TCP (TLS) and 1x UDP (DTLS), to the ASA's outside interface IP. And since my ASA is not used for anything else apart from remote access VPN, I want to only allow a restricted number of inbound to-the-box connections in an attempt to avoid DDOS attacks. For example, someone trying to DDOS by brute forcing authentication on the webvpn login page using random usernames and passwords.
Hope that makes sense.