cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Limit managment sessions on Cisco ASA.docx

255
Views
0
Helpful
0
Comments

How to limit the number of management sessions to Cisco ASA ?

This could be done using the MPF architecture of Cisco ASA. From Cisco ASA software release 8.0 onwards, the "set connection" option is introduced to control the number of management traffic flows to Cisco ASA. In this document, it is shown on how to specify the maximum number for telnet sessions.

  • Identify the traffic as telnet and associate this with "class-map type management" command.

  • Specify the maximum telnet connection limit as one, using the policy-map command.
  • Apply the actions on the inside interface using the service-policy command.


Configuration:

In the below shown configuration snippet, it is shown on how to use the MPF to limit the number of telnet sessions to only one.

class-map type management MGMT_CMAP

match port tcp eq telnet

!

policy-map MGMT_PMAP

class MGMT_CMAP

  set connection conn-max 1

!

service-policy MGMT_PMAP interface inside

Verify:

When you try multiple simultaneous telnet sessions to the Cisco ASA, only one session will work fine and the other session will be dropped by Cisco ASA. This could be verified using the following commands.

ciscoasa(config)# show service-policy

Interface inside:

  Service-policy: MGMT_PMAP

    Class-map: MGMT_CMAP

      Set connection policy: conn-max 1

        current conns 1, drop 3

ciscoasa(config)# show service-policy flow tcp host 10.10.10.2 host 10.10.10.10 eq 23

Interface inside:

  Service-policy: MGMT_PMAP

    Class-map: MGMT_CMAP

      Match: port tcp eq telnet

      Action:

        Input flow:  set connection conn-max 1

Note: 10.10.10.10 is the inside IP address of Cisco ASA.