Mitigating SYN attack on ASA 5520

Unanswered Question
Apr 13th, 2012
I'm using a Cisco 5520 with 8.4. I tried to test my appliance with a SYN attack on my published server behind my ASA on port 80, and this really, really put my firewall out of the game.

I used the hping security test tool with this command: hping -i u1 -S -p 80

So can someone tell me how to prevent these attacks on my firewall?


Julio Carvajal Fri, 04/13/2012 - 15:30

Hello Power,

How to prevent a SYN attack on an ASA:

I would recommend using the maximum number of embryonic connections and the timeout for the embryonic connections; this can be configured using the MPF.

I am going to use the following example provided by Cisco to show you how it is configured:

ciscoasa(config)#class-map tcp_syn
ciscoasa(config-cmap)#match port tcp eq 80

ciscoasa(config)#policy-map tcpmap
ciscoasa(config-pmap)#class tcp_syn
ciscoasa(config-pmap-c)#set connection conn-max 100
ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45

ciscoasa(config)#service-policy tcpmap global

Configure this, give it a try and see how it works.



DO rate all the helpful posts!!!
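A defender-side check that goes with the embryonic timeout in the MPF above: once the ASA gives up on a half-open connection it logs a 302014 teardown whose reason field is "SYN Timeout", so counting those per source address over a short window shows whether the limits are actually engaging and which sources are driving the flood. The script is an added example, not from this thread or from Cisco; the log lines are constructed, and the 302014 message layout is assumed to match what the ASA writes (verify it against your own syslog before relying on the regex).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex for ASA syslog message 302014 (TCP connection teardown). The trailing
# field is the teardown reason; it reads "SYN Timeout" when the embryonic
# timeout expired before the three-way handshake completed.
# Assumption: the layout below matches the ASA's own 302014 format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-302014: "
    r"Teardown TCP connection \d+ for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration \S+ "
    r"bytes \d+ (?P<reason>.+)$"
)

# Constructed sample log: addresses, connection ids and timestamps are made up.
# 198.51.100.7 is the flooding source; 192.0.2.20 is a normal client.
# The first line is older than the analysis window and must be ignored.
SAMPLE_LOG = """\
Apr 14 2012 03:30:00 asa5520 %ASA-6-302014: Teardown TCP connection 900 for outside:198.51.100.7/39000 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:01 asa5520 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/40001 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:02 asa5520 %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/40002 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:02 asa5520 %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/40003 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:03 asa5520 %ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.7/40004 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:04 asa5520 %ASA-6-302014: Teardown TCP connection 1005 for outside:203.0.113.9/50001 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:05 asa5520 %ASA-6-302014: Teardown TCP connection 1006 for outside:192.0.2.20/51000 to DMZ:10.5.0.10/80 duration 0:02:10 bytes 8421 TCP FINs
Apr 14 2012 03:40:06 asa5520 %ASA-6-302014: Teardown TCP connection 1007 for outside:198.51.100.7/40005 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:07 asa5520 %ASA-6-302014: Teardown TCP connection 1008 for outside:198.51.100.7/40006 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:08 asa5520 %ASA-6-302014: Teardown TCP connection 1009 for outside:203.0.113.9/50002 to DMZ:10.5.0.10/80 duration 0:00:05 bytes 0 SYN Timeout
Apr 14 2012 03:40:09 asa5520 %ASA-6-302014: Teardown TCP connection 1010 for outside:192.0.2.20/51001 to DMZ:10.5.0.10/80 duration 0:00:40 bytes 1200 TCP FINs
"""


def parse_teardowns(log_text):
    """Yield one dict per 302014 line; lines of any other message id are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
            yield rec


def syn_timeout_report(log_text, threshold=3, window_seconds=60):
    """Count SYN Timeout teardowns per source within the last window_seconds
    of the log and flag sources that reach the threshold."""
    records = list(parse_teardowns(log_text))
    if not records:
        return {"syn_timeouts": {}, "flagged": [], "total_teardowns": 0,
                "syn_timeout_ratio": 0.0}
    latest = max(r["ts"] for r in records)
    cutoff = latest - timedelta(seconds=window_seconds)
    recent = [r for r in records if r["ts"] >= cutoff]
    syn_timeouts = Counter(r["src"] for r in recent if r["reason"] == "SYN Timeout")
    flagged = sorted(src for src, n in syn_timeouts.items() if n >= threshold)
    return {
        "syn_timeouts": dict(syn_timeouts),
        "flagged": flagged,
        "total_teardowns": len(recent),
        # Share of all teardowns in the window that never completed a handshake.
        "syn_timeout_ratio": round(sum(syn_timeouts.values()) / len(recent), 2),
    }


if __name__ == "__main__":
    report = syn_timeout_report(SAMPLE_LOG)
    for src, n in sorted(report["syn_timeouts"].items(), key=lambda kv: -kv[1]):
        print(f"{src:>16}  SYN Timeout teardowns: {n}")
    print("flagged sources:", report["flagged"])
    print("SYN timeout share of teardowns:", report["syn_timeout_ratio"])
```

Feed it the output of `show logging` or the file on the syslog host configured with `logging host`; a flagged source that keeps appearing after the per-client-embryonic-max is in place means the limit is being hit and torn down as intended, while a high ratio with no flagged source points at a spoofed-source flood that per-client limits cannot isolate.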

power.srvi Sat, 04/14/2012 - 03:48

Hi jcar,

I tried this example, and when I tested the security using this SYN flood attack, the CPU of the ASA 5520 overloaded and used 100% of its capabilities!!!

The published websites went down and the VPN became unstable.


power.srvi Sun, 04/15/2012 - 10:10


I'm using a Cisco 5520 running 8.4.1 firmware and ASDM 6.4.

I used these documents before I posted for help on the Cisco forum!!!


Julio Carvajal Sun, 04/15/2012 - 11:21


So next time it would be good to know all the procedures you have done before posting the question; this would let us help you in a better way and much faster!!!!

Please provide the running configuration with the MPF setup...

power.srvi Mon, 04/16/2012 - 14:46


This is a copy-paste of my ASA 5520; I cut off the VPN and other unnecessary information.


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxxxxxxxxxx

interface GigabitEthernet0/1
no nameif
no security-level
no ip address

interface GigabitEthernet0/2
no nameif
no security-level
no ip address

interface GigabitEthernet0/3
no nameif
no security-level
no ip address

interface Management0/0
no nameif
security-level 0
no ip address

interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
no nameif
security-level 50
no ip address

interface Redundant1.3
vlan 3
nameif inside
security-level 50
ip address xxxxxxxxxxxxxxxxxx

interface Redundant1.x
vlan 5
nameif DMZ
security-level 49
ip address xxxxxxxxxxxxxxxxxxxxxxxxx

boot config disk0:/run-cfg-16-03-12
ftp mode passive
clock timezone gmt+1 1
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxxxxxxxxxxxx
domain-name xxxxxxx
dns server-group Gcc-DNS
name-server xxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

pager lines 24
logging enable
logging list auth level emergencies class auth
logging trap warnings
logging history warnings
logging asdm debugging
logging mail auth
logging host inside xxxxxxxxxx
logging permit-hostdown
flow-export destination inside xxxxxxxxxxxx 9996
flow-export delay flow-create 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name attackdrop attack action drop
ip audit interface outside attackdrop
ip audit interface DMZ attackdrop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
access-group inside_access_in_2 in interface inside control-plane
access-group inside_access_in_1 in interface inside
route outside xxxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

class-map tcp_syn
match port tcp eq www
class-map inside-class
match dscp ef
class-map inside-class1
match port udp eq sip

policy-map tcpmap
class tcp_syn
  set connection conn-max 100 embryonic-conn-max 200 per-client-max 5 per-client-embryonic-max 10
  set connection timeout embryonic 0:00:05 half-closed 0:05:00 idle 2:00:00

marcelogalvan Mon, 06/18/2012 - 06:52

Power I have the same problem.

How do you resolve that?

Thanks in advance.
