We can configure the ASA firewall to protect an internal server from DoS attacks by limiting the maximum number of embryonic (half-open) TCP connections and by limiting the number of connections a single host may have open at a given time.
The example below protects web server 1.1.1.1 by limiting the maximum number of embryonic TCP connections to 100 and by limiting a single host to 10 connections at a given time.
Step 1: Create an ACL and a class-map that matches traffic to the web server
ASA(config)# access-list conn-limit-acl extended permit tcp any host 1.1.1.1 eq 80
ASA(config)# access-list conn-limit-acl extended permit tcp any host 1.1.1.1 eq 443
ASA(config)# class-map conn-limit-class
ASA(config-cmap)# match access-list conn-limit-acl
Step 2: Apply the class-map to a policy-map and set the connection limits
ASA(config)# policy-map conn-limit-policy
ASA(config-pmap)# class conn-limit-class
ASA(config-pmap-c)# set connection embryonic-conn-max 100 per-client-max 10
Step 3: Apply the policy to one or more interfaces, or globally
ASA(config)# service-policy conn-limit-policy {global | interface <interface_name>}
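An added monitoring check, not part of the original post: a Python parser for a show conn snapshot that counts embryonic and per-client TCP connections to the protected server and compares them with the limits configured above, so an operator can see how close a client is to per-client-max before the firewall starts dropping. The sample lines are constructed, and treating a connection whose flags lack U as not yet established is an assumption.

```python
import re
from collections import Counter

# Constructed sample of "show conn" lines (not real device output); the layout
# "PROTO if src:port if dst:port, idle ..., bytes ..., flags ..." and the flag
# letters are assumptions used only to classify the sample.
SAMPLE_SHOW_CONN = """\
TCP outside 198.51.100.7:51012 inside 1.1.1.1:80, idle 0:00:03, bytes 0, flags saA
TCP outside 198.51.100.7:51013 inside 1.1.1.1:80, idle 0:00:02, bytes 0, flags saA
TCP outside 198.51.100.7:51014 inside 1.1.1.1:443, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.9:40001 inside 1.1.1.1:443, idle 0:00:10, bytes 2410, flags UIO
TCP outside 203.0.113.9:40002 inside 1.1.1.1:80, idle 0:00:12, bytes 880, flags UIO
UDP outside 203.0.113.9:5353 inside 1.1.1.1:53, idle 0:00:30, bytes 120, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<src>[\d.]+):\d+\s+\S+\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),.*flags\s+(?P<flags>\S+)"
)

def parse_conns(text):
    """Return a list of (proto, src_ip, dst_ip, dst_port, flags) tuples."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append((m["proto"], m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return conns

def tcp_conn_stats(conns, server_ip, ports=(80, 443)):
    """Count total, embryonic and per-client TCP connections to server_ip.
    Assumption: a connection whose flags lack 'U' is not yet established."""
    total, embryonic, per_client = 0, 0, Counter()
    for proto, src, dst, dport, flags in conns:
        if proto != "TCP" or dst != server_ip or dport not in ports:
            continue
        total += 1
        per_client[src] += 1
        if "U" not in flags:
            embryonic += 1
    return {"total": total, "embryonic": embryonic, "per_client": dict(per_client)}

def check_limits(stats, embryonic_max=100, per_client_max=10, warn_ratio=0.8):
    """List counts at or above warn_ratio of the configured ASA limits."""
    findings = []
    if stats["embryonic"] >= embryonic_max * warn_ratio:
        findings.append(f"embryonic {stats['embryonic']}/{embryonic_max}")
    for client, n in stats["per_client"].items():
        if n >= per_client_max * warn_ratio:
            findings.append(f"client {client} {n}/{per_client_max}")
    return findings
```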
!Other available options
No comments for “Cisco ASA Embryonic TCP connection and per client connection limits config example.”