Custom rule on ASA/IPS

Mariusz Bochen · ‎12-27-2013

Hello,

Is it possible to limit number of connections per second on ASA 5520 8.2(5) (with IPS module) in a way where it will not drop the connection beyond a certain threshold, but instead redirects rate limited connections to an Apache virtual host that returns HTTP 503 and a diagnostic message? (With a DNAT rule for the redirection for example).

I know this is achiveble with iptables, but we don't want to implement any extra Linux firewalls.

On Linux this would be somethink like:

iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-name HTTPS \

--hashlimit 600/minute --hashlimit-htable-expire 300000 --hashlimit-burst 600 --hashlimit-mode srcip -j ACCEPT

Kind regards

Mariusz

Maykol Rojas · ‎12-29-2013

Unfortunately no.

The firewall can perform but not complying with all the Requirements. The IPS can do most of the stuff, but it would need to log to a switch or a router to do the rate limiting. The HTTP503, I dont know any way to do this.

The IPS can log into the following devices to apply Rate limiting:

Cisco series routers using Cisco IOS 12.3 or later:

–Cisco 1700 series router

–Cisco 2500 series router

–Cisco 2600 series router

–Cisco 2800 series router

–Cisco 3600 series router

–Cisco 3800 series router

–Cisco 7200 series router

–Cisco 7500 series router

Check the following doc:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1063666

Mike

Mariusz Bochen · ‎12-30-2013

Hi Mike,

Many thanks for replying.

Based on the doc, this will work with ASA, but with the shun command only, which will block the host completly.

I though this is not going to be possible, but is good to double-check here.

Regards

Mariusz

Maykol Rojas · ‎12-30-2013

Forgot to add that on my reply. Yes the ASA only supports blocking. It is not able to perform rate limiting. Just the routers above.

Mike