TCP connection limit

S891
Level 2

Hi,

I would like to limit scanning and SYN flooding on the ASA. I am thinking that if I restrict any outside host to initiating a maximum of 500 TCP connections in total to inside hosts at a given time, it would help prevent SYN flood and port scan attacks.

Has anyone else done this? If so, please share your config. Any other suggestions for scanning and SYN-flood attack prevention?
 
Thanks

 

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

You can refer to this document for the complete configuration that you would need:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html

You need to use the "per-client-max n" option with the value set to 500.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1627430

Example configuration:-

hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection per-client-max 500
hostname(config-pmap-c)# service-policy CONNS interface outside

NOTE:- Match only the specific traffic that you want this limit restriction to apply to.

Thanks and Regards,

Vibhor Amrodia
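The same Modular Policy Framework approach, scoped to inbound TCP traffic toward the inside servers as the NOTE recommends, with a per-client embryonic (half-open) limit added so that SYN floods are caught by the ASA's TCP intercept rather than only by the total connection count. This is an added example, not the replier's configuration; the 10.1.1.0/24 server network, the access-list, class-map and policy-map names, and the embryonic limit of 50 are assumptions (the 500 figure comes from the thread).

```cisco
! Added example, not from the original reply. Assumed inside server network: 10.1.1.0/24
! Step 1: match only TCP sessions from any outside host to the inside servers
hostname(config)# access-list INBOUND_TCP extended permit tcp any 10.1.1.0 255.255.255.0
hostname(config)# class-map INBOUND_TCP
hostname(config-cmap)# match access-list INBOUND_TCP
hostname(config-cmap)# exit
! Step 2: apply per-source limits to that class only
hostname(config)# policy-map OUTSIDE_POLICY
hostname(config-pmap)# class INBOUND_TCP
! per-client-max: no more than 500 established connections from one source address
! per-client-embryonic-max: no more than 50 half-open connections from one source
! address (assumed value); beyond that the ASA intercepts further SYNs from that source
hostname(config-pmap-c)# set connection per-client-max 500 per-client-embryonic-max 50
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! Step 3: attach the policy to the outside interface
hostname(config)# service-policy OUTSIDE_POLICY interface outside
! Step 4: verify that the class is matching and watch the connection counters
hostname# show service-policy interface outside
```

Traffic not matched by INBOUND_TCP (for example inside-to-outside sessions) is untouched by these limits, which is the point of scoping the class instead of using match any.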
