TCP Intercept is not getting applied globally

viplove (Level 1)

Hi,

My company recently bought a USM which has been flooding my firewall with SYN packets.

Now, as a solution, I've applied TCP Intercept, but it is not getting applied globally.

Temporarily I've applied it on the inside interface, which is pretty helpful.

I'm using version ASA 9.7 and ASDM 7.7.

Please suggest what could be the issue.

5 Replies

Ajay Saini (Level 7)

Hello,

The interface-based policy would take preference over the global policy. Nevertheless, the global policy should work as well if there is no override or overlap. Can you paste your MPF config section from the show run output? Also, please specify what the requirement is.

Regards,

AJ

access-list synattack extended permit tcp any any

class-map synattack
match access-list synattack

policy-map synattack
class synattack
set connection embryonic-conn-max 50

service-policy synattack interface inside

I've applied this on the inside interface as it is not getting applied globally.

Hello,

The config here looks good and should work on a global basis as well, unless some part of the global config is not letting the conn-max config take effect. Can you please share the global policy-map output as well? Hide any sensitive info.

Regards,

AJ

The default MPF has been applied globally:

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp

service-policy global_policy global

I tried to include the command "set connection embryonic-conn-max 50" in this default MPF, but it didn't sync in; it just omitted the command and said only inspect commands are allowed.

Viplove R

Hello,

So, for the connection limit, you would need a separate class-map to be called under the global policy. Something like:

access-list synattack extended permit tcp any any

class-map synattack
 match access-list synattack

policy-map global_policy
 class inspection_default
  inspect ftp
  ...
 class synattack
  set connection embryonic-conn-max 50

service-policy global_policy global

and remove the policy from the inside interface. It should now work at the global level.

HTH,

AJ
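The fix above, assembled as one pasteable ASA configuration with the temporary interface policy removed and a few verification commands. This is an added example, not part of the thread; lines starting with `!` are comments, the `per-client-embryonic-max` line is an optional addition the thread did not discuss, and the host addresses in the `show service-policy flow` check are placeholders.

```text
! Added example (not from the thread): move the embryonic-connection limit into
! the one global policy. Only one policy-map can be applied globally, so the new
! class is added to the existing global_policy rather than a second policy-map.

! 1. Remove the temporary per-interface policy so it no longer overrides the
!    global one for the same feature.
no service-policy synattack interface inside

! 2. Traffic selector for the limit (same ACL as the original post; narrow it to
!    the hosts or subnets that actually need protection if "any any" is too broad).
access-list synattack extended permit tcp any any

class-map synattack
 match access-list synattack

! 3. Add the class to the existing global policy. The inspection_default class
!    (match default-inspection-traffic) accepts inspect commands only, which is
!    why "set connection" was rejected when placed under it.
policy-map global_policy
 class synattack
  set connection embryonic-conn-max 50
  ! optional, not in the thread: also cap half-open connections per source host
  set connection per-client-embryonic-max 20

! global_policy is already applied globally; this line is a no-op if so.
service-policy global_policy global

! 4. Verify: the class should appear in the global policy, and a sample flow
!    (placeholder addresses) should report the set connection action.
show running-config policy-map global_policy
show service-policy global
show service-policy flow tcp host 198.51.100.10 host 192.0.2.5 eq 443
```

Once the interface policy is gone, `show service-policy global` should list the `synattack` class with its embryonic-connection limit; if it still shows only the inspection_default class, the `class synattack` block did not land in `global_policy`.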
