03-31-2016 01:42 AM - edited 03-05-2019 03:41 AM
I have CISCO2911/K9 with firmware version flash0:c2900-universalk9-mz.SPA.152-4.M3.bin.
I am trying to limit the maximum number of simultaneous connections from a host or an ACL list to my SMTP server.
I tried to add "ip nat translation max-entries list smtp_server 2" but it does not work: I can start more than two connections.
nat-limit statistics:
acl smtp_server: max allowed 2, used 0, missed 0 Queued Packets: 0
I cannot limit the whole 101 ACL, because there is other traffic and other connections.
Is there any possibility to limit it? I found a guide to limiting sessions on the ASA, http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html, but my Cisco router does not know the command "set connection conn-max".
Below is my truncated startup-config.
WAN Port
!
interface GigabitEthernet0/0
ip address 98.99.100.131 255.255.255.240
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
LAN Port
interface Vlan1
ip address 192.168.15.253 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
NAT
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.15.28 98.99.100.136 route-map smtp_server
ip route 0.0.0.0 0.0.0.0 98.99.100.129
Access-lists with fake IP
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 15.121.132.56 0.0.0.7 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny tcp 192.168.15.96 0.0.0.31 any eq smtp
access-list 100 permit ip any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 98.99.100.136 eq smtp
access-list 101 permit tcp any host 98.99.100.136 eq 443
access-list 101 remark SMTP
access-list 101 permit tcp any eq smtp host 98.99.100.136 eq smtp
access-list 101 permit icmp any host 98.99.100.131
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.15.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any host 98.99.100.134
access-list 101 deny ip any any log
access-list 104 remark SDM_ACL Category=2
access-list 104 deny tcp host 192.168.15.28 eq 443 any
access-list 104 deny tcp host 192.168.15.28 eq smtp any
access-list 104 deny tcp host 192.168.15.28 any
access-list 165 deny ip host 192.168.15.28 172.16.10.0 0.0.0.255
access-list 165 deny ip host 192.168.15.28 172.16.96.0 0.0.0.255
access-list 165 deny ip host 192.168.15.28 10.2.0.0 0.0.255.255
access-list 165 permit ip host 192.168.15.28 any
access-list 167 deny ip host 192.168.15.28 172.16.96.0 0.0.0.255
access-list 167 permit tcp host 192.168.15.28 eq 443 any
access-list 168 remark SDM_ACL Category=2
access-list 168 deny ip host 192.168.15.28 172.16.96.0 0.0.0.255
access-list 168 permit tcp host 192.168.15.28 eq smtp any
!
route-map smtp_server permit 10
match ip address 165
!
route-map smtp_server permit 20
match ip address 167
!
route-map smtp_server permit 21
match ip address 168
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
end
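To see how many concurrent SMTP sessions each outside host really holds against the static NAT entry for 192.168.15.28 (and so whether a per-peer limit is being exceeded), here is an added Python example, not code from the thread, that parses the text of `show ip nat translations`. The sample output below is constructed; the outside addresses in it are documentation ranges, not values from the post.

```python
import re
from collections import Counter

# Constructed sample of `show ip nat translations` output (not from the thread).
# The first data row is the static entry itself; the rest are per-session children.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 98.99.100.136      192.168.15.28      ---                ---
tcp 98.99.100.136:25   192.168.15.28:25   203.0.113.10:51234 203.0.113.10:51234
tcp 98.99.100.136:25   192.168.15.28:25   203.0.113.10:51235 203.0.113.10:51235
tcp 98.99.100.136:25   192.168.15.28:25   203.0.113.10:51236 203.0.113.10:51236
tcp 98.99.100.136:443  192.168.15.28:443  198.51.100.7:40001 198.51.100.7:40001
tcp 98.99.100.136:25   192.168.15.28:25   198.51.100.7:40002 198.51.100.7:40002
udp 98.99.100.131:1024 192.168.15.10:5060 192.0.2.5:5060     192.0.2.5:5060
"""

# Matches one translation row: protocol, then the four address columns.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)

def split_endpoint(ep):
    """Split 'a.b.c.d:port' into (ip, port); port is None for a bare address."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None

def parse_translations(text):
    """Return one dict per dynamic (per-session) row; header and '---' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        il_ip, il_port = split_endpoint(m["il"])
        og_ip, og_port = split_endpoint(m["og"])
        entries.append({"proto": m["proto"], "inside_local": il_ip, "inside_port": il_port,
                        "outside_global": og_ip, "outside_port": og_port})
    return entries

def sessions_per_peer(entries, inside_local, port, proto="tcp"):
    """Count sessions from each outside host to inside_local:port (e.g. the SMTP server)."""
    counts = Counter()
    for e in entries:
        if e["proto"] == proto and e["inside_local"] == inside_local and e["inside_port"] == port:
            counts[e["outside_global"]] += 1
    return counts

def peers_over_limit(entries, inside_local, port, limit, proto="tcp"):
    """Outside hosts holding more than `limit` sessions to inside_local:port."""
    per_peer = sessions_per_peer(entries, inside_local, port, proto)
    return sorted(peer for peer, n in per_peer.items() if n > limit)

if __name__ == "__main__":
    ents = parse_translations(SAMPLE_OUTPUT)
    print(sessions_per_peer(ents, "192.168.15.28", 25))        # per-peer SMTP session counts
    print(peers_over_limit(ents, "192.168.15.28", 25, 2))      # ['203.0.113.10']
```

Feed it the real command output (for example from a scheduled `show ip nat translations` capture) to confirm whether the limit is taking effect before changing the NAT configuration.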
03-31-2016 03:05 AM
The ASA can limit the number of connections, but the router cannot.