Rate-Limit number of connections from a source

Aug 4th, 2007

Hi, we currently have an application that customers connect to in order to send bulk SMS messages. Since the application level cannot enforce a max number of connections per client, I was wondering if there is a way to do it using PIX 7.x.

For example we may need to enforce that customer X can open 10 connections to application while customer Y can open 5 connections to the application.

pavlosd Sat, 08/04/2007 - 06:37

Hi again,

I just realised that there is a conn-max command under policy-map for actions....

fw(config-pmap-c)# set connection ?

mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  embryonic-conn-max      Keyword to set the maximum number of TCP embryonic
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
  timeout                 Configure connection timeout parameters

So what I did was create a class-map for each customer and, under the policy-map, set the number of connections.
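
The per-customer setup described in the post above, written out as an added example that is not part of the original thread or the poster's own configuration. The object names, the customer and server addresses, TCP port 2775 and the `outside` interface are all assumptions.

```cisco
! Added example: every name, address, port and interface here is assumed.
! Customer X connects from 192.0.2.10, customer Y from 203.0.113.20.
! The SMS application is assumed to listen on 198.51.100.5, TCP port 2775.

! One ACL per customer, matching only that customer's traffic to the application
access-list CUST_X_SMS extended permit tcp host 192.0.2.10 host 198.51.100.5 eq 2775
access-list CUST_Y_SMS extended permit tcp host 203.0.113.20 host 198.51.100.5 eq 2775

! One class-map per customer
class-map CUST_X_SMS
 match access-list CUST_X_SMS
class-map CUST_Y_SMS
 match access-list CUST_Y_SMS

! conn-max counts every connection that matches the class, so each class
! must match a single customer for the limit to be a per-customer limit
policy-map SMS_CONN_LIMITS
 class CUST_X_SMS
  set connection conn-max 10
 class CUST_Y_SMS
  set connection conn-max 5

! Apply on the interface the customers arrive on
service-policy SMS_CONN_LIMITS interface outside
```

`show service-policy` lists the connection limit and counters for each class, which is the place to confirm that connections above the limit are being dropped. A customer that connects from several source addresses needs all of them in its ACL and shares the one limit across them.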


purohit_810 Sat, 08/04/2007 - 08:45

access-list tcp_inspection extended permit tcp any any
access-list tcp_inspection extended deny ip any any

class-map my_inspection_tcp
 match access-list tcp_inspection

policy-map global_policy
 class my_inspection_tcp
  set connection embryonic-conn-max 1

service-policy global_policy global

In case the above does not work properly, then the second option is Websense authentication.

On Websense, define one group and put in it all the IP addresses used by the customer. Define the max connections for that group.

You can also define on Websense the maximum time of access, the amount of access limit, etc.


Dharmesh Purohit

