Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1336
Views
0
Helpful
5
Replies

ASA Policy-Map Check

jbadamantium
Level 1
Level 1

‎10-29-2013 06:14 AM - edited ‎03-11-2019 07:57 PM

Hello everyone,

I've just constructed a very small, very specific policy-map for the first time on our ASA 5510 and I wanted to run it by you all to tell me what I am doing wrong (I am sure I've messed something up) and how I can resolve it.

The use case is that I would like to limit the number of simultaneous connections from a single client to our web server at one time. Here is what I have constructed:

# I constructed this ACL to identify traffic that was directed at our web server from only the outside, not from the outside (the 192. and 10. networks being used as the inside and Google's DNS used as the web server in this example).
access-list WEB_SERVER_TRAFFIC extended deny ip 192.168.0.0 255.255.0.0 any
access-list WEB_SERVER_TRAFFIC extended deny ip 10.0.0.0 255.0.0.0 any
access-list WEB_SERVER_TRAFFIC extended permit ip any 8.8.8.8 255.255.255.255

# Create class-map and match the ACL.
class-map CONNECTIONS
match access-list WEB_SERVER_TRAFFIC

# Create policy map, set limits, and apply to the outside interface on the firewall.
policy-map CONNECTION_LIMITS
class CONNECTIONS
set connection per-client-embryonic-max 25 per-client-max 50
service-policy CONNECTION_LIMITS interface outside

Also, if anyone has any input on how to properly test and make sure this policy-map is working, that would be awesome. I appreciate any input, criticism, insults, whatever. Thanks.

Labels:
0 Helpful
5 Replies 5

Jouni Forss
VIP Alumni
VIP Alumni

‎10-29-2013 09:51 AM

Hi,

I get the rest but I am not sure why the ACL is built the way it is if your aim is to control traffic of a single host to another host? I would imagine you could just configure

access-list WEB_SERVER_TRAFFIC permit ip host host

class-map CONNECTIONS

match access-list WEB_SERVER_TRAFFIC

You could then use the above in your default global "policy-map" configuration wihtout needing to create a new one and attach that to the interface "outside".

- Jouni

0 Helpful

jbadamantium
Level 1
Level 1
In response to Jouni Forss

‎10-29-2013 09:55 AM

Thanks for the reply! The reason I built the ACL in this way is because I want the policy to apply when *anyone* accesses the web server from the outside, but not if they are accessing it from the inside. I may have been a little unclear about this by saying "from a single client"; what I meant was, for each client that connects to the web server, I want to limit the number of simultaneous connections they are able to make.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to jbadamantium

‎10-29-2013 10:08 AM

Hi,

Ok, in that case it makes sense if the IP 8.8.8.8 is an example IP address of your Web server. Though you could write it "host 8.8.8.8" without needing to mention the mask.

I think there might be a difference in the ACL Configuration depending on your software. I am not 100% sure.

I am using a newer 8.4 software which already has the new NAT configuration format. In my test configuration (same as yours above) I had to configure the destination IP address as the local IP address of the server and not use the public NAT IP address of my server.

- Jouni

0 Helpful

jbadamantium
Level 1
Level 1
In response to Jouni Forss

‎10-29-2013 10:38 AM

How did you find that you configure the destination IP address as the local IP rather than the public NAT IP? Is there some way that you are able to test it?

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to jbadamantium

‎10-29-2013 10:42 AM

Hi,

In my own ASAs case I think its because of the new software level.

Since when a connections is coming to my server with public IP address through Static NAT, the UN-NAT is done first. What I mean is the public IP address is untranslated to the local IP address of the server and only then the ASA matches the configurations on the "policy-map" configurations. Or atleast that is how it seems.

I am not sure what the thing is in the older software levels.

So might depend on your software level. The bigger change regarding the NAT happened with the jump from 8.2 software to 8.3.

You can use the "packet-tracer" command to test and confirm that the policy is applied. It will show up in the output.

If you are not familiar with the "packet-tracer" you should try it. Its a great tool to simulate a packet entering the ASA and seeing which configurations are applied to it or apply to it.

For example

packet-tracer input outside tcp 1.1.1.1 12345 80

After adding the actual public IP address to the above command you could simulate a packet coming towards your Web server with the destination port TCP/80. The packet would be coming with a source address of 1.1.1.1 and source port of TCP/12345

Hope this helps

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card