Securing ASA outside Interface by restricting tcp connections to outside IP

Jay47110
Level 1

Hi,

 

I have an ASA 5516-X used to provide a remote access VPN solution to clients. Since the outside interface is webvpn enabled, I am trying to avoid DDOS attacks on the outside IP by restricting the number of TCP connection attempts to-the-box. I have used MPF to implement the following:

access-list limit-conn-outside extended permit ip any host (ASA outside interface IP)

class-map CMAP
 match access-list limit-conn-outside

policy-map PMAP
 class CMAP
  set connection conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30

service-policy PMAP interface outside

 

However, in the "show service-policy interface outside" output I am unable to see the current conn stats. Although the ASA currently has several webvpn connections to its outside IP address on port 443, the show command does not display the current number of conns at all, which makes me think that the service policy is not working somehow.

Interface outside:
Service-policy: PMAP
Class-map: CMAP
Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
current embryonic conns 0, current conns 0, drop 0

 

Is there something I am missing from the config?


As this match happens after NAT has taken place you need to specify the internal IPs or subnet in the ACL.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

 

I'm trying to restrict inbound connections from external IPs to the ASA's outside interface IP. As the ASA is designated for remote access VPNs, no NAT is configured on it.

So you are trying to limit the number of remote access VPN users that connect to the ASA? 

--
Please remember to select a correct answer and rate helpful posts

Not really the number of users, as that is dictated by the licence, but the number of active connections to-the-box. From what I've researched, a successful remote access VPN connection will only create 2 connections, i.e. 1x TCP (TLS) and 1x UDP (DTLS), to the ASA's outside interface IP. And since my ASA is not used for anything else apart from remote access VPN, I want to only allow a restricted number of inbound to-the-box connections in an attempt to avoid DDOS attacks. For example, someone trying to DDOS by brute forcing authentication on the webvpn login page using random usernames and passwords.

 

Hope that makes sense.

Jay47110
Level 1

Update: Cisco ASA does not offer CPP (Control Plane Policing), therefore DDOS protection cannot be configured using the MPF method shown in the OP. That method is used to protect traffic traversing through the ASA and not traffic to the ASA.

Thanks to for the insight.
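The diagnostic the thread turns on is that the class counters in "show service-policy" never move even though the box is serving WebVPN sessions, which is the tell that a "set connection" class is not matching the to-the-box traffic at all. The script below is an added example (not from the thread or from Cisco) that parses that output format and flags a class whose counters stay at zero while the operator knows sessions are established, and separately warns when a class is approaching its conn-max. The sample output is constructed to mirror the one quoted in the question; the number of known sessions is supplied by the caller (for instance the count from "show vpn-sessiondb"), since the script has no device access.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "show service-policy interface outside"
# output quoted in the question (not captured from a real device).
SAMPLE_OUTPUT = """\
Interface outside:
  Service-policy: PMAP
    Class-map: CMAP
      Set connection policy: conn-max 600 embryonic-conn-max 900 per-client-max 20 per-client-embryonic-max 30
        current embryonic conns 0, current conns 0, drop 0
"""

_RE_INTERFACE = re.compile(r"^\s*Interface (\S+):")
_RE_POLICY = re.compile(r"^\s*Service-policy: (\S+)")
_RE_CLASS = re.compile(r"^\s*Class-map: (\S+)")
_RE_LIMITS = re.compile(r"^\s*Set connection policy: (.+)$")
_RE_COUNTERS = re.compile(
    r"^\s*current embryonic conns (\d+), current conns (\d+), drop (\d+)"
)


@dataclass
class ConnPolicyStats:
    """Counters for one 'set connection' class under one service policy."""
    interface: str
    policy: str
    class_map: str
    limits: dict          # e.g. {"conn-max": 600, "per-client-max": 20, ...}
    current_embryonic: int
    current_conns: int
    drops: int


def parse_service_policy(text):
    """Return a ConnPolicyStats for every class that carries a connection limit."""
    results = []
    interface = policy = class_map = None
    limits = None
    for line in text.splitlines():
        if m := _RE_INTERFACE.match(line):
            interface = m.group(1)
        elif m := _RE_POLICY.match(line):
            policy = m.group(1)
        elif m := _RE_CLASS.match(line):
            class_map = m.group(1)
            limits = None  # a new class starts with no limits seen yet
        elif m := _RE_LIMITS.match(line):
            # "conn-max 600 embryonic-conn-max 900 ..." -> {"conn-max": 600, ...}
            tokens = m.group(1).split()
            limits = {tokens[i]: int(tokens[i + 1]) for i in range(0, len(tokens) - 1, 2)}
        elif (m := _RE_COUNTERS.match(line)) and limits is not None:
            results.append(ConnPolicyStats(
                interface, policy, class_map, limits,
                int(m.group(1)), int(m.group(2)), int(m.group(3)),
            ))
            limits = None
    return results


def check_policy_effective(stats, active_sessions, warn_ratio=0.8):
    """Flag classes whose counters contradict what the box is known to be doing.

    active_sessions: number of sessions the operator knows are established to
    the interface (for the thread's case, the WebVPN/AnyConnect sessions listed
    by 'show vpn-sessiondb'); the caller supplies it, the script cannot query it.
    """
    findings = []
    for s in stats:
        if active_sessions > 0 and s.current_conns == 0 and s.drops == 0:
            findings.append(
                f"{s.interface}/{s.policy}/{s.class_map}: not matching any traffic "
                f"({active_sessions} known sessions, counter is 0); 'set connection' "
                f"limits in MPF act on through-the-box flows, not on to-the-box "
                f"connections such as WebVPN on the interface IP"
            )
        conn_max = s.limits.get("conn-max")
        if conn_max and s.current_conns >= warn_ratio * conn_max:
            findings.append(
                f"{s.interface}/{s.policy}/{s.class_map}: {s.current_conns} of "
                f"conn-max {conn_max} in use"
            )
    return findings


if __name__ == "__main__":
    # Twelve known WebVPN sessions against a class showing zero conns.
    for finding in check_policy_effective(parse_service_policy(SAMPLE_OUTPUT), 12):
        print(finding)
```

Run it against the saved output of "show service-policy interface outside" and the session count from "show vpn-sessiondb"; a class that reports zero conns and zero drops while sessions exist is the same mismatch the original poster observed, and the second check gives a simple capacity warning for classes that are matching through-the-box traffic as intended.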
