FWSM - Limit the connections

mjcardenes
Level 1

Hi,

I have a FWSM version 3.1. How can I limit the maximum number of connections of a specific internal IP?

The limit of connections is fixed in the context, but I want to apply the limit to an internal IP. For example: 100 connections.

Thanks!

6 Replies

hemendoz
Cisco Employee

Hello,

Would this work for you?

Per

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/s8.htm#wp2678544

static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq]

[tcp] max_conns

Specifies the maximum number of simultaneous TCP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Hope this helps! If so, please rate.

Hi,

this solution is for the entire subnet, but I want to limit the maximum number of simultaneous connections per each IP of this subnet. Is it possible?

Thanks!

If you want to limit the maximum number of simultaneous connections for one IP, just limit the static to one host. I suspect the verbiage was generic when drafted, hence the word subnet.

Hi .. can you actually confirm this does not limit the amount of connections for the entire subnet .. I have been wondering about this for a while ..

" max_conns Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns for outside NAT, the max_conns option is ignored. "

Hello,

I dug around internally and it appears this limit should be for the number of sessions from one source address if a netmask of 255.255.255.255 is used.

Both NAT and STATIC have this option.

From the FWSM command reference:

the static command:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/s8.htm#wp2678544

the nat command:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/no.htm#wp1585941

Hope this helps! If so, please rate. Also, if you test, please respond with results.

Thanks!

OK .. so it means that the connection limit applies depending on the subnet mask being used on the static or nat command.

For example, if 255.255.255.255 is used on the static / nat command, then the connection limit applies to simultaneous connections from one host.

If the subnet mask is 255.255.255.0 on the static / nat, then the connection limit will apply to the whole subnet /24.

Thanks !!!
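The conclusion of this thread, as an added configuration example that is not from any of the posts above: a static with a host mask applies max_conns to one inside host, while a static with a /24 mask shares the same limit across the subnet. Interface names and all addresses are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed topology: inside host 10.1.1.10
! is published on the outside as 203.0.113.10; inside subnet 10.1.2.0/24 is
! published as 198.51.100.0/24.

! Per-host limit (what the original poster asked for): netmask 255.255.255.255
! scopes the translation to a single real address, so "tcp 100" caps that one
! host at 100 simultaneous TCP connections. The trailing 0 is the embryonic
! (half-open) connection limit, where 0 means unlimited.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 tcp 100 0

! Subnet-wide limit, for comparison: with a /24 mask the same "tcp 100" is a
! single pool shared by every host in 10.1.2.0/24. This is the behaviour the
! command reference's "entire subnet" wording describes; one busy host can
! exhaust the limit for its neighbours.
static (inside,outside) 198.51.100.0 10.1.2.0 netmask 255.255.255.0 tcp 100 0

! Caveat from the command reference: the limit is only counted for connections
! initiated from the higher-security (inside) interface toward the
! lower-security (outside) interface. On an outside NAT it is ignored.

! Verification: confirm the translations exist, then watch the connection
! count while the host opens sessions through the firewall.
show xlate
show conn count
```

Once the per-host limit is reached, further TCP connections from 10.1.1.10 through the firewall are refused until existing ones close or age out per the timeout conn setting.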