New Member

Custom rule on ASA/IPS

Hello,

Is it possible to limit the number of connections per second on an ASA 5520 8.2(5) (with IPS module) in a way where it will not drop connections beyond a certain threshold, but instead redirects rate-limited connections to an Apache virtual host that returns HTTP 503 and a diagnostic message? (With a DNAT rule for the redirection, for example.)

I know this is achievable with iptables, but we don't want to implement any extra Linux firewalls.

On Linux this would be something like:

iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-name HTTPS \
    --hashlimit 600/minute --hashlimit-htable-expire 300000 --hashlimit-burst 600 --hashlimit-mode srcip -j ACCEPT

Kind regards

Mariusz
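
The Linux design sketched in the question, carried through end to end as an added example (this is not code from the original post). The hashlimit rule above only admits connections under the limit; to redirect the excess you also need a DNAT rule that the over-limit connections fall through to, plus an Apache "sorry" vhost that answers every request with 503. The script below generates both halves. The addresses (VIP 192.0.2.10, sorry host 192.0.2.20:443), the certificate paths and the hostname www.example.com are hypothetical placeholders, and the rate 600/minute with burst 600 is taken from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally applies)
# a per-source-IP connection rate limit on a Linux firewall that redirects the
# excess to an Apache vhost returning 503. All addresses below are assumptions.
VIP="${VIP:-192.0.2.10}"            # public address of the real HTTPS service
SORRY="${SORRY:-192.0.2.20:443}"    # Apache "sorry" vhost (host:port)
RATE="${RATE:-600/minute}"          # new connections per source IP, from the question
BURST="${BURST:-600}"               # burst allowance, from the question

# Ruleset in iptables-restore format. The nat PREROUTING chain only sees the
# first packet of each connection, so hashlimit here counts NEW connections
# per source IP. Sources under the limit hit ACCEPT, which ends nat processing
# and keeps the real destination; everything else falls through to the DNAT.
# Rule order matters: the ACCEPT must come before the DNAT.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d $VIP -p tcp --dport 443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name HTTPS --hashlimit-upto $RATE --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j ACCEPT
-A PREROUTING -d $VIP -p tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination $SORRY
COMMIT
EOF
}

# Apache vhost for the sorry host. "Redirect 503 /" (mod_alias) turns every
# request into a 503; ErrorDocument supplies the diagnostic body and
# Retry-After (mod_headers) tells well-behaved clients when to come back.
# Because the DNAT happens before the TLS handshake, this vhost must present
# the same certificate as the real site, or clients see a certificate error
# instead of the 503 page.
gen_vhost() {
    cat <<EOF
<VirtualHost ${SORRY%:*}:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    Header always set Retry-After "60"
    ErrorDocument 503 "Too many new connections from your address; please retry in a minute."
    Redirect 503 /
</VirtualHost>
EOF
}

# Load the nat rules without flushing whatever else is in the table.
apply_ruleset() {
    gen_ruleset | iptables-restore --noflush
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    gen_ruleset
    gen_vhost
fi
```

Run it without arguments to print the ruleset and the vhost for review, or with `--apply` as root to load the nat rules. Note that the sorry host sees the client's real source address (DNAT rewrites only the destination), so its access log remains a usable record of who was rate-limited.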

Cisco Employee

Unfortunately no.

The firewall can perform it, but without complying with all the requirements. The IPS can do most of it, but it would need to log in to a switch or a router to do the rate limiting. The HTTP 503, I don't know of any way to do this.

The IPS can log in to the following devices to apply rate limiting:

Cisco series routers using Cisco IOS 12.3 or later:
  Cisco 1700 series router
  Cisco 2500 series router
  Cisco 2600 series router
  Cisco 2800 series router
  Cisco 3600 series router
  Cisco 3800 series router
  Cisco 7200 series router
  Cisco 7500 series router

Check the following doc:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html#wp1063666

Mike
New Member

Hi Mike,

Many thanks for replying.

Based on the doc, this will work with the ASA, but with the shun command only, which will block the host completely.

I thought this was not going to be possible, but it is good to double-check here.

Regards

Mariusz

Cisco Employee

Forgot to add that in my reply. Yes, the ASA only supports blocking. It is not able to perform rate limiting, just the routers above.

Mike