access-list synattack extended permit tcp any any

class-map synattack
match access-list synattack

policy-map synattack
class synattack
set connection embryonic-conn-max 50

service-policy synattack interface inside

I've applied this on inside interface as it is not getting applied globally.

Hello,

 

The config here looks good and should work on global basis as well. Unless, we have some part of global config not letting the the conn-max config take over. Can you please share the global policy map output as well. Hide if there is any sensitive info.

 

Regards,

 

AJ

The default mpf has been applied globally

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp

service-policy global_policy global

I tried to include the command " set connection embryonic-conn-max 50" in
this default mpf.
but it did'nt sync in, it just omitted the command and said only inspect
commands allowed.

Viplove R

Hello,

 

So, for the connection limit, you would need a separate class-map to be called under the global policy. Something like:

 

access-list synattack extended permit tcp any any

 

class-map synattack
match access-list synattack

 

policy-map global_policy
class inspection_default
 inspect ftp
 **

 **

class synattack

 set connection embryonic-conn-max 50

 

 

service-policy global_policy global

 

and remove the policy from inside interface. It should now work on global level.

 

 

HTH,

AJ