MPF configuration

Aug 6th, 2008

Hi,


In MPF, how many service-policies can I configure per interface? Please find the configuration of my ASA:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside


I want to add one more modular policy to prevent TCP SYN attacks. Please find the configuration:


class-map tcp_syn
 match port tcp eq 80
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-embryonic-max 10
  set connection per-client-max 5
  set connection timeout embryonic 0:0:45
  set connection timeout half-closed 0:25:0
  set connection timeout tcp 2:0:0
service-policy tcpmap global

** Shall I add the above configuration to my ASA? How many service-policies can I assign globally?



dhananjoy chowdhury Wed, 08/06/2008 - 21:23

Hi,

You can apply only one global policy, which will do inspection on all interfaces.

You can either modify the global policy or create your own policy and apply globally or to one or more interfaces.

somnath21 Wed, 08/06/2008 - 21:35

Thanks!!


Can I do it like this?


Configure a separate class-map (tcp_syn) and add it under the default policy-map global_policy.


class-map tcp_syn
 match port tcp eq 80
policy-map global_policy
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-max 5
  set connection timeout embryonic 0:0:45
  set connection timeout tcp 2:0:0
service-policy tcpmap global


Please assist.

Marwan ALshawi Wed, 08/06/2008 - 21:41

You can have one global policy,

and one policy per interface.

The interface policy overrides the global one if they overlap.

In your question the config is OK,

but I see you put your config under the default global policy.

Why are you applying another one?

Once you put the config under global_policy, which is the default one, it will automatically be applied globally.


Good luck.


Please rate if helpful.

dhananjoy chowdhury Wed, 08/06/2008 - 21:52

Yes, you can add a new class-map.


But don't add this: "service-policy tcpmap global"


You can have only one policy applied globally:


service-policy global_policy global


somnath21 Wed, 08/06/2008 - 22:07

Please find my configuration.

Lines starting with * are newly added.


class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
*class-map tcp_syn
* match port tcp eq 80
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
* class-map tcp_syn
*  set connection conn-max 100
*  set connection embryonic-conn-max 200
*  set connection per-client-embryonic-max 10
*  set connection per-client-max 5
*  set connection random-sequence-number enable
*  set connection timeout embryonic 0:0:45
*  set connection timeout half-closed 0:25:0
*  set connection timeout tcp 2:0:0
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside


Is it OK?

Marwan ALshawi Wed, 08/06/2008 - 22:35

Sounds good.

I mean the policy application.

Good luck.

dhananjoy chowdhury Wed, 08/06/2008 - 22:36

This seems OK.


Just for confirmation, can you post the last part of the running-config,

starting from "policy-map global_policy"

till the statement "service-policy IM_BLOCK interface outside"?

somnath21 Wed, 08/06/2008 - 22:47

My current MPF configuration:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside


I want to add these lines (marked with *):

*class-map tcp_syn
* match port tcp eq 80

policy-map global_policy
 class inspection_default
* class-map tcp_syn
*  set connection conn-max 300
*  set connection embryonic-conn-max 400
*  set connection per-client-embryonic-max 10
*  set connection per-client-max 15
*  set connection random-sequence-number enable
*  set connection timeout embryonic 0:0:45
*  set connection timeout half-closed 0:25:0
*  set connection timeout tcp 2:0:0



dhananjoy chowdhury Wed, 08/06/2008 - 23:05

Hi Somnath,

Do it like this:

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# exit

myPIX(config)# policy-map global_policy
myPIX(config-pmap)# class tcp_syn
myPIX(config-pmap-c)# set connection conn-max 100
..... and so on....


somnath21 Wed, 08/06/2008 - 23:17

Hi,

One more help: if I configure it like the above, it will be applicable only to port 80.

I want to limit connections for all traffic.

Is the configuration below OK or not?

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match any
myPIX(config-cmap)# exit

policy-map global_policy
 class inspection_default
* class-map tcp_syn
*  set connection conn-max 700
*  set connection embryonic-conn-max 1200
*  set connection per-client-embryonic-max 20
*  set connection per-client-max 10
*  set connection random-sequence-number enable
*  set connection timeout embryonic 0:0:45
*  set connection timeout half-closed 0:25:0
*  set connection timeout tcp 2:0:0

Are the parameters mentioned above, i.e. conn-max 700, embryonic-conn-max 1200, per-client-embryonic-max 20 and per-client-max 10, OK or not?




dhananjoy chowdhury Wed, 08/06/2008 - 23:35

Only a small change:

policy-map global_policy
 class tcp_syn
  set connection conn-max 700
  ..... and so on.

If you do it as below, your purpose is not solved:

policy-map global_policy
 class inspection_default
 class-map tcp_syn
  set connection conn-max 700
  .......
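As an added illustration (a Python script written for this page, not code from the thread and not an ASA feature), the check below encodes the rules the replies above rely on: one global service-policy, at most one service-policy per interface, `class` rather than `class-map` inside a policy-map, and `set connection` / `inspect` only valid under a policy-map class. The two config samples are constructed from the thread (a corrected policy and one that reproduces both mistakes discussed), and the mode tracking is a simplification of the ASA CLI sub-modes, not a full parser.

```python
from collections import Counter

# Constructed samples (not the poster's full config): the corrected policy from
# this thread, and a variant that reproduces the two mistakes discussed in it.
GOOD_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map tcp_syn
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class tcp_syn
  set connection conn-max 900
  set connection embryonic-conn-max 300
  set connection per-client-embryonic-max 10
service-policy global_policy global
"""

BAD_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
 class-map tcp_syn
  match any
  set connection conn-max 900
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100
service-policy global_policy global
service-policy tcpmap global
"""


def lint_mpf(text):
    """Return a list of problems found in an ASA MPF config fragment.

    'mode' mimics the CLI sub-modes (config, class-map, policy-map,
    policy-map class, inspect policy-map); a simplification, not a parser.
    """
    class_maps, policy_maps, service_policies, problems = set(), {}, [], []
    mode, pmap = "config", None

    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        cmd = tok[0]
        if cmd == "class-map":
            # Typing class-map inside a policy-map leaves policy-map mode and
            # creates a new class-map; the set/inspect lines that follow fail.
            if mode in ("pmap", "pmap-class"):
                problems.append(f"line {lineno}: 'class-map {tok[-1]}' typed inside "
                                f"policy-map {pmap}; use 'class {tok[-1]}' instead")
            class_maps.add(tok[-1])
            mode, pmap = "cmap", None
        elif cmd == "policy-map":
            if len(tok) > 2 and tok[1] == "type":   # policy-map type inspect <proto> <name>
                mode, pmap = "inspect", None
            else:
                pmap = tok[1]
                policy_maps.setdefault(pmap, [])
                mode = "pmap"
        elif cmd == "class":
            if mode == "inspect":
                pass                                # inspect-map classes are not tracked
            elif mode not in ("pmap", "pmap-class"):
                problems.append(f"line {lineno}: 'class' is only valid inside a policy-map")
            else:
                policy_maps[pmap].append(tok[1])
                mode = "pmap-class"
        elif cmd in ("set", "inspect"):
            if mode != "pmap-class":
                problems.append(f"line {lineno}: '{raw.strip()}' is not under a policy-map class")
        elif cmd == "match":
            if mode not in ("cmap", "inspect"):
                problems.append(f"line {lineno}: 'match' belongs in a class-map")
        elif cmd == "service-policy":
            # service-policy NAME global | service-policy NAME interface IFNAME
            target = "global" if tok[2] == "global" else f"interface {tok[3]}"
            service_policies.append((tok[1], target))
            mode, pmap = "config", None
        # parameters, message-length, drop-connection, ... are not checked

    for name, classes in policy_maps.items():
        for c in classes:
            if c not in class_maps:
                problems.append(f"policy-map {name} references undefined class-map {c}")
    for policy, target in service_policies:
        if policy not in policy_maps:
            problems.append(f"service-policy {policy} references an undefined policy-map")
    for target, n in Counter(t for _, t in service_policies).items():
        if n > 1:
            problems.append(f"{n} service-policies applied to {target}; only one global "
                            f"policy and one policy per interface are allowed")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_mpf(cfg) or "OK")
```

Running it on the bad sample reports the `class-map` typed inside `global_policy`, the `set connection` line that ends up outside any policy-map class, and the second global service-policy; the corrected sample passes clean.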




somnath21 Wed, 08/06/2008 - 23:58

I want to configure that to prevent DoS attacks (TCP SYN).

Is it possible by limiting port 80 traffic, or do I have to go for any?

somnath21 Thu, 08/07/2008 - 03:11

Sorry, one more confusion.

If I configure it like that, will it be applicable to all traffic or to each individually?

I mean, will it limit the total connections to 900, or each connection type (FTP-900, HTTP-900, and so on) to 900?

class-map tcp_syn
 match any
policy-map global_policy
 class inspection_default
 class tcp_syn
  set connection conn-max 900
  set connection embryonic-conn-max 300
  set connection per-client-embryonic-max 10




Marwan ALshawi Thu, 08/07/2008 - 03:21

Because in your class-map you have match any, this will consider the total amount of connections as 900.


If you want to restrict only one type, let's say HTTP, do:


access-list 100 extended permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 80
access-list 100 extended permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 443


then make a new class:

class-map http-map
 match access-list 100


then apply it the same way you have done above.
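To show concretely what `match any` versus `match port tcp eq 80` means for the connection limits asked about above, here is an added Python model of the counters behind `set connection` (written for this page; not from the thread and not ASA code). Assumptions, also labelled in the code: a limit of 0 means unlimited, per-client limits are keyed on the client IP, and reaching embryonic-conn-max makes the firewall answer new SYNs itself (TCP Intercept, the documented ASA behaviour) rather than holding more half-open state, while per-client and conn-max limits drop the SYN. The limits are the poster's last values (900/300/10) and the addresses are documentation ranges. One caveat worth keeping in mind with the real box: a packet can match several classes in a policy-map, but for a given feature such as connection limits only the first matching class applies, so a `match any` class should come after any narrower class you want to win.

```python
from collections import Counter


class ConnLimitClass:
    """Toy model of the counters behind 'set connection ...' for one policy-map
    class (an illustration, not ASA code). Assumptions: a limit of 0 means
    unlimited; per-client limits are keyed on the client IP; reaching
    embryonic-conn-max makes the box answer new SYNs itself (TCP Intercept)
    instead of holding half-open state, while the other limits drop the SYN."""

    def __init__(self, name, match, conn_max=0, embryonic_conn_max=0,
                 per_client_max=0, per_client_embryonic_max=0):
        self.name, self.match = name, match      # match: predicate on a flow
        self.conn_max, self.emb_max = conn_max, embryonic_conn_max
        self.pc_max, self.pc_emb_max = per_client_max, per_client_embryonic_max
        self.embryonic, self.established = set(), set()   # flow = (client, sport, dport)

    @staticmethod
    def _count(pool, client):
        return sum(1 for f in pool if f[0] == client)

    def syn(self, flow):
        """Decide what happens to a new SYN for this flow."""
        if not self.match(flow):
            return "not-in-class"             # another class, or no limit at all
        client = flow[0]
        if self.pc_emb_max and self._count(self.embryonic, client) >= self.pc_emb_max:
            return "drop:per-client-embryonic-max"
        if self.pc_max and self._count(self.embryonic | self.established, client) >= self.pc_max:
            return "drop:per-client-max"
        if self.conn_max and len(self.embryonic) + len(self.established) >= self.conn_max:
            return "drop:conn-max"
        if self.emb_max and len(self.embryonic) >= self.emb_max:
            return "intercept:embryonic-conn-max"   # handshake proxied, no state kept
        self.embryonic.add(flow)
        return "allow"

    def handshake_done(self, flow):
        self.embryonic.discard(flow)
        self.established.add(flow)

    def close(self, flow):
        self.embryonic.discard(flow)
        self.established.discard(flow)


def syn_flood(cls, clients, syns_per_client, dport):
    """Replay a half-open flood (SYNs never completed) and tally decisions."""
    tally = Counter()
    for client in clients:
        for sport in range(40000, 40000 + syns_per_client):
            tally[cls.syn((client, sport, dport))] += 1
    return tally


def demo():
    # Limits from the poster's last snippet; addresses are documentation ranges.
    limits = dict(conn_max=900, embryonic_conn_max=300, per_client_embryonic_max=10)
    any_cls = ConnLimitClass("tcp_syn", lambda f: True, **limits)             # match any
    http_cls = ConnLimitClass("tcp_syn_http", lambda f: f[2] == 80, **limits)  # match port tcp eq 80

    one_host = syn_flood(any_cls, ["198.51.100.7"], 12, dport=21)        # FTP flood, one source
    one_host_http = syn_flood(http_cls, ["198.51.100.7"], 12, dport=21)  # same flood, HTTP-only class
    many = syn_flood(ConnLimitClass("tcp_syn", lambda f: True, **limits),
                     [f"203.0.113.{i}" for i in range(1, 41)], 10, dport=25)  # 40 hosts x 10 SYNs
    return one_host, one_host_http, many


if __name__ == "__main__":
    labels = ("one host, match any", "one host, port 80 only", "40 hosts, match any")
    for label, tally in zip(labels, demo()):
        print(f"{label}: {dict(tally)}")
```

The three runs make the answer above visible: with `match any` a single source flooding FTP is cut off at its 10th half-open connection; with the port-80 class the same flood is simply not in the class and no limit applies; and with 40 sources the aggregate embryonic cap of 300 is hit long before any per-client limit, after which new SYNs are intercepted rather than allowed to consume state.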

