MPF configuration..

Unanswered Question
Aug 6th, 2008

Hi,

In MPF, how many service-policies can I configure per interface? Please find the configuration in my ASA:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

I want to add one more modular policy to prevent TCP SYN attacks. Please find the configuration:

#class-map tcp_syn
#match port tcp eq 80
#exit
#policy-map tcpmap
#class tcp_syn
#set connection conn-max 100
#set connection embryonic-conn-max 200
#set connection per-client-embryonic-max 10
#set connection per-client-max 5
#set connection timeout embryonic 0:0:45
#set connection timeout half-closed 0:25:0
#set connection timeout tcp 2:0:0
#exit
#service-policy tcpmap global

** Shall I add the above configuration to my ASA? How many service-policies can I assign on the global interface?

dhananjoy chowdhury Wed, 08/06/2008 - 21:23

Hi,

You can apply only one Global policy, which will do inspection on all interfaces.

You can either modify the global policy or create your own policy and apply globally or to one or more interfaces.

somnath21 Wed, 08/06/2008 - 21:35

Thanks!!

Can I do it like this?

Configure a separate class-map (tcp_syn) and add it under the policy-map global_policy (default).

class-map tcp_syn
 match port tcp eq 80
policy-map global_policy
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-max 5
  set connection timeout embryonic 0:0:45
  set connection timeout tcp 2:0:0
service-policy tcpmap global

Please assist..

Marwan ALshawi Wed, 08/06/2008 - 21:41

You can have one global policy

and one policy per interface.

The interface policy overrides the global one if overlapped.

In your question the config is OK,

but I see you put your config under the default global policy.

Why are you applying another one??

Once you put the config under global_policy, which is the default one, it will be automatically applied globally.

Good luck.

Please rate if helpful.

dhananjoy chowdhury Wed, 08/06/2008 - 21:52

Yes, you can add a new class-map.

But don't add this: "service-policy tcpmap global"

You can have only one policy in the global:

service-policy global_policy global

somnath21 Wed, 08/06/2008 - 22:07

Please find my configuration. Lines starting with * are newly added.

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
*class-map tcp_syn
 *match port tcp eq 80
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 100
  *set connection embryonic-conn-max 200
  *set connection per-client-embryonic-max 10
  *set connection per-client-max 5
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

It's ok na??

dhananjoy chowdhury Wed, 08/06/2008 - 22:36

This seems OK.

Just for confirmation, can you post the last part of the running-config, starting from "policy-map global_policy" up to the statement "service-policy IM_BLOCK interface outside"?

somnath21 Wed, 08/06/2008 - 22:47

My current MPF configuration:

class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map IM_BLOCK
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
service-policy IM_BLOCK interface outside

I want to add these (*) lines:

*class-map tcp_syn
 *match port tcp eq 80
policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 300
  *set connection embryonic-conn-max 400
  *set connection per-client-embryonic-max 10
  *set connection per-client-max 15
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0

dhananjoy chowdhury Wed, 08/06/2008 - 23:05

Hi Somnath,

Do it like this:

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# exit
myPIX(config)# policy-map global_policy
pixfirewall(config-pmap)# class tcp_syn
pixfirewall(config-pmap-c)# set connection conn-max 100
..... and so on....

somnath21 Wed, 08/06/2008 - 23:17

Hi,

One more help: if I configure it like the above, it will be applicable only for port 80.

I want to connection-limit all traffic.

Is the below configuration OK or not?

myPIX(config)# class-map tcp_syn
myPIX(config-cmap)# match any
myPIX(config-cmap)# exit

policy-map global_policy
 class inspection_default
 *class-map tcp_syn
  *set connection conn-max 700
  *set connection embryonic-conn-max 1200
  *set connection per-client-embryonic-max 20
  *set connection per-client-max 10
  *set connection random-sequence-number enable
  *set connection timeout embryonic 0:0:45
  *set connection timeout half-closed 0:25:0
  *set connection timeout tcp 2:0:0

Are the parameters mentioned above (conn-max 700, embryonic-conn-max 1200, per-client-embryonic-max 20, per-client-max 10) OK or not?

dhananjoy chowdhury Wed, 08/06/2008 - 23:35

Only a small change:

policy-map global_policy
 class tcp_syn
  set connection conn-max 700
  ..... and so on.

If you do it as below, your purpose is not solved:

policy-map global_policy
 class inspection_default
 class-map tcp_syn
  set connection conn-max 700
  .......

somnath21 Wed, 08/06/2008 - 23:58

I want to configure that to prevent DoS attacks (TCP SYN).

Is it possible by limiting port 80 traffic, or do I have to go for any?

somnath21 Thu, 08/07/2008 - 03:11

Sorry, one more confusion.

If I configure it like that, will it be applicable for all traffic or individually?

I mean, will it limit total connections to 900, or each connection (FTP-900, HTTP-900, and so on) to 900?

class-map tcp_syn
 match any
policy-map global_policy
 class inspection_default
 class tcp_syn
  set connection conn-max 900
  set connection embryonic-conn-max 300
  set connection per-client-embryonic-max 10

Marwan ALshawi Thu, 08/07/2008 - 03:21

Because in your class-map

you have match any,

this will consider the total amount of connections as 900.

If you want to restrict only one type, let's say HTTP,

do:

access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 80
access-list 100 permit tcp [source IPs] [netmask] [any or destination IP with mask] eq 443

then

make a new class:

class-map http-map
 match access-group 100

then

apply it the same way you have done above.
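The two mistakes this thread keeps circling back to (a "class-map" line typed inside a policy-map instead of "class", and a second "service-policy ... global") are easy to catch before pasting a config into the box. The following checker is an added example, not code from the thread or from Cisco; it assumes ASA-style indentation (sub-mode lines indented by at least one space) and runs over a constructed sample that reproduces both errors.

```python
# Constructed sample, not a real device config: it reproduces the two mistakes
# discussed in the thread (a "class-map" line nested inside policy-map, and a
# second "service-policy ... global").
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map tcp_syn
 match any
policy-map global_policy
 class inspection_default
  inspect http
 class-map tcp_syn
  set connection conn-max 700
  set connection embryonic-conn-max 1200
service-policy global_policy global
service-policy tcpmap global
service-policy IM_BLOCK interface outside
"""

def lint_mpf(config):
    """Return findings for common MPF mistakes; an empty list means none found."""
    findings = []
    defined = set()        # class-map names defined at the top level
    referenced = []        # (lineno, policy, class) used under policy-maps
    global_policies = []   # names attached with "service-policy <name> global"
    policy = None          # policy-map we are currently inside, if any
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        nested = raw[0].isspace()          # ASA indents sub-mode lines
        if not nested:
            policy = None
            if words[0] == "class-map":
                defined.add(words[-1])
            elif words[0] == "policy-map" and words[1] != "type":
                policy = words[1]            # skip "policy-map type inspect ..."
            elif words[0] == "service-policy" and words[-1] == "global":
                global_policies.append(words[1])
        elif policy and words[0] == "class-map":
            findings.append(f"line {lineno}: 'class-map' under policy-map {policy}; "
                            f"use 'class {words[-1]}' to reference the class-map")
        elif policy and words[0] == "class":
            referenced.append((lineno, policy, words[1]))
    for lineno, pol, cls in referenced:
        if cls not in defined:
            findings.append(f"line {lineno}: policy-map {pol} references undefined class {cls}")
    if len(global_policies) > 1:
        findings.append("only one global service-policy is allowed; found: "
                        + ", ".join(global_policies))
    return findings
```

Running `lint_mpf(SAMPLE_CONFIG)` reports the nested class-map on line 8 and the duplicate global policy; swapping that line for "class tcp_syn" and dropping "service-policy tcpmap global" yields no findings.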
