Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA/PIX Dos Mitigation

Hi All,

I have the following scenario;

Hacker or virus ---> ASA/PIX MPF ---> Router or Device endpoint

I use syslog traffic in this example but I have done it with ICMP, telnet etc .... The idea is to drop the traffic based upon the class-map.

class-map hack

match port udp eq 514

policy-map inside

class hack

set connection conn-max 1

police input 8000 conform-action drop exceed drop

service-policy inside interface inside

I'm getting matches against the service-policy but the traffic doesn't drop ...

Interface inside:

Service-policy: inside

Class-map: syslog

Set connection policy: conn-max 1

current conns 1, drop 0

Input police Interface inside:

cir 8000 bps, bc 1500 bytes

conformed 3 packets, 375 bytes; actions: drop

exceeded 0 packets, 0 bytes; actions: drop

conformed 80 bps, exceed 0 bps

New Member

Re: ASA/PIX Dos Mitigation

You current connection count is only 1 so you will not see any drops.

New Member

Re: ASA/PIX Dos Mitigation


It looks like my issue, was that the CIR police mechanisim is there for rate limiting as opposed to dropping the connection.

I misunderstood the functionality of this feature.

Many thanks for your input.

Jon Humphries